Security is a balancing act, especially when it comes to emerging technologies that promise to unlock massive business potential. Each new wave of change requires an enterprise to adapt its security posture, or risk being left behind - or exposed to unmanaged risk.
Mobile is no different.
What was predominantly a consumer-oriented phenomenon is rapidly becoming a top business priority. Individuals, product teams and marketing departments are all scrambling to seize the benefits mobile presents, while security organisations are scrambling to regain control - or at least awareness - of all the enterprise's mobile-related activities. Enterprises recognise that going mobile requires a strategic perspective.
Defining a security strategy for mobile is more urgent than ever. While 84 per cent of consumers now use their personal smartphones for work, mobile malware has increased more than fourfold since 2010. Recent reports indicate that 51 per cent of companies have experienced data loss due to insecure mobile devices - and the average cost of a breach was a hefty $5.5 million.
Enterprises have a very real need to reduce this risk while not affecting business objectives focused on mobile. Given the dynamic nature of the mobile market, it can be difficult for an enterprise to define a mobile risk management strategy. Organisational inertia alone can lead to increased risk. One approach is to concentrate on four focus areas of mobile security:
1. BYOD
2. Protected Access
3. Secure Mobile Solutions
4. Mobile Security Intelligence
BYOD: Bring Your Own Device has become a defining characteristic of mobile adoption in the enterprise. While not exclusive to smartphones and tablets, these new devices led the way with rapid, organic penetration of many enterprises. Every organisation can, however, customise the policies that govern the use of employee-owned mobile devices within the enterprise.
BYOD policies should reflect the organisation’s risk appetite based on its industry, regulations and culture. Policies can modulate the degree of device choice and which employees participate. Of course, before it can enforce its BYOD policies, an organisation needs to gain visibility and control over these new devices.
Protected Access: Mobile devices empower employees to access relevant information whenever they need it. No matter how much enterprise data is stored on the device, users will frequently need to access additional enterprise data and resources. The enterprise must not only establish secure connectivity channels but also manage the risk associated with user authentication and authorisation.
Given that mobile access predominantly takes place outside enterprise boundaries, special care is needed to prevent unauthorised access and reduce risky behaviours. Protecting mobile access also gives security teams another lever for gaining awareness of their mobile audiences even when they cannot have visibility over the devices themselves (i.e. consumers, partners and unmanaged employees).
Secure Mobile Solutions: Apps have emerged as the primary interface for delivering mobile solutions to consumers, partners and employees. Apps enable the rich, task-oriented functionality and user experience that mobile consumers demand. Some mobile solutions are outsourced, while others are built by various parts of an enterprise.
Organisations can build security into the initial design of mobile applications so that vulnerabilities can be detected early in the development process, before being deployed to customers or employees. Security design needs to be incorporated in each step of the software development lifecycle and the enterprise must also enforce a baseline of security standards across the entire range of mobile solutions it develops.
Mobile Security Intelligence: Mobile security through risk management requires constant vigilance. With rapid innovation come new capabilities that promote new behaviours, and as mobile adoption accelerates, mobile becomes a richer target for attackers. The threat landscape shows a growing shift towards targeted attacks on individuals or organisations that exploit mobile as a primary social platform.
To identify risks and take appropriate mitigation steps, enterprises need to gather intelligence across all the touchpoints of mobile engagements. Intelligence gathering should include aggregating security events from the device, users, apps and the network for analysis - including tracking compliance with existing risk management policies.
While enterprises cannot afford to ignore this opportunity, they must not put themselves at risk in their rush to embrace the new technology. By focusing on BYOD, protecting access, securing mobile solutions and developing mobile security intelligence, enterprises can balance the risks and rewards for individual workers and the organisation as a whole.
Jason Burn is business unit executive at IBM Security Systems Division.