Mobile Security – Small Devices, Big Challenges

By Jason Pappalexis

Mobile devices remain one of the fastest-evolving technologies within an enterprise’s IT security architecture. Advances in chip architectures, improved battery life, lower manufacturing costs, a consumer desire for “smart” products, quality on-board sensors, and enhanced APIs into corporate productivity suites have coupled with agile software development techniques and advanced manufacturing to enable new products to reach enterprise consumers at an unprecedented speed.

NSS Labs recently completed the 2019 NSS Labs Mobile Security Study in an effort to understand the use of these products in the enterprise. Data was obtained using a two-armed qualitative and quantitative study (n=383) with reach into both United States and European organizations. This data will be used to inform our enterprise client inquiry, to develop test methodologies, and to improve our overall understanding of IT security architecture risk.

We learned many things from this study, including the challenges associated with building a mobile security strategy; enterprise perceptions of risk, privacy, protection, and maturity; observed mobile threats; and the types of mobile devices capable of accessing corporate data. Some excerpts:

· 49.4% of respondents reported poor user awareness as the greatest challenge to mobile security strategy.

· On average, survey respondents with mobile security rated their protection as 76.1 out of 100, while respondents without mobile security rated their protection as 70.1 out of 100.

· More than half of all respondents reported that mobile threats were a higher risk to organizational assets than other cyber threats.

Any mobile device that can access corporate resources has the potential to introduce risk. The term “mobile device” has often been used to describe smartphones but today comprises a much longer list of products, including laptops, wearables, tablets, smartphones, and many other devices that not long ago many would have considered simply “IoT”. Recognizing these products as mobile devices is necessary to understand the risk they introduce, which then allows IT security teams to choose the appropriate security products and to manage them effectively. While many executives acknowledge the risk associated with mobile devices, they also recognize the challenges of managing them. When asked for the top reasons they weren’t deploying a mobile security technology, the largest number of study respondents chose “mobile security is not a pressing need” and “privacy”.

Mobile security products are rapidly evolving to keep up with the pace of change. Mobile device management (MDM) was the earliest entrant to the space and targets traditional mobile operating systems with features such as device locate, lock, and wipe. Mobile threat detection (MTD) focuses on vulnerability assessment, network security, application scanning, and URL filtering. Enterprise mobility management (EMM) provides the next iteration of MDM features, layering secure access to mobile applications across broader operating systems, and it is considered a transitional technology—a precursor to unified endpoint management (UEM). Finally, UEM is considered the current iteration of mobile security products, with technology that supports broad anti-threat, identity, and device management features. UEM is interesting to IT security teams because its operating system support overlaps with the operating systems supported by endpoint security products (e.g., advanced endpoint protection products, or AEP), forcing a broader discussion because UEM is no longer “smartphone-only”.

What is an organization to do? Enterprises should not reduce their expectations for protection based on the challenges of mobile security technology. At some point in the future, enterprises will demand that an endpoint security product is capable of providing visibility into all endpoints capable of accessing corporate data, not just those marked as traditional operating systems.

NSS Labs has published a series of Intelligence Briefs on security controls in the US enterprise. The NSS Labs 2019 Enterprise Intelligence Brief on Mobile Security offers visibility into current enterprise requirements for the technology. The paper will be available to subscribers to our research library.