Many companies have recently sacrificed mobile security for functionality, a move which comes with obvious costs if a data breach occurs. While mobile security should always be a priority, the unprecedented influx of mandated work-from-home employees caused by the COVID-19 pandemic has made mobile security more urgent than ever. It’s time to take security to the next level.
To talk more about the importance of mobile security and what strategies organizations should implement in 2020 to prevent a breach, PaymentsJournal spoke with Terrance Robinson, Head of Sales & Marketing, Enterprise Mobile/IoT Cybersecurity at Verizon Wireless.
Businesses are willing to risk security in favor of functionality
The 2020 Verizon Mobile Security Index (MSI) revealed significant flaws in how organizations approach mobile security. The findings came from a survey of over 850 professionals responsible for buying, managing, and securing mobile and IoT devices. Since mobile attacks aren’t exclusive to any specific industry, this year’s index featured supplemental vertical reports in other key segments—one being financial services.
The results were alarming: 43% of respondents admitted that their organization had sacrificed mobile security in the past year, and those that did were twice as likely to suffer a compromise. In industries with widespread access to especially sensitive data, such as the financial services industry, this is unwelcome news.
“Financial institutions and banks recognize that they need mobile banking apps with the best features and functions for their customers, but from a corporate security standpoint, they aren’t really paying much attention,” explained Robinson.
Corporate-level mobile security needs to be a priority
Mobile security encompasses far more than secure mobile banking options for customers. It’s also important for financial institutions to prioritize mobile security from a corporate standpoint, especially with so many employees increasing their corporate mobile usage while working from home. For example, employees should be able to confidently send secure work-related emails from their mobile phones because adequate protections have been put in place by their employer.
There is no corporate asset that employees use more than phones. This is particularly true if they’re using a personal mobile phone for work purposes. “Mobile phones are unique because they’re always connected to the internet and always with people; they’re the last thing people look at before they go to sleep and the first thing they look at in the morning,” Robinson noted.
The data exposure risk alone makes it critically important that mobile security is taken seriously, but that’s not the only risk that comes with a compromise. Companies want to ensure that mobile devices are behaving and performing optimally, but operations can be compromised if a device is impacted by malware or another means of attack. In other words, the same functionality that employers have prioritized over mobile security can itself be impacted by a breach in security.
BYOD vs. COPE mobile business models
The relationship people have with mobile devices is the most personal in bring your own device (BYOD) work cultures—where employers allow employees to use their own computers, smartphones, or other devices to do work. When this is the case, employees are more likely to feel entitled to do whatever they want on their mobile device.
The intermingling of business and personal data is something that organizations have struggled to manage, especially when it comes to personally identifiable information (PII) that could be exposed to unauthorized parties. Because of this, many businesses have opted to steer away from BYOD in favor of corporate-owned, personally enabled (COPE) policies.
Under the COPE business model, employees are provided corporate computers, smartphones, or other devices, but are allowed to use the devices as if they were personally owned. This model gives organizations more power to manage the devices and protect their own data. Large financial institutions have already expressed interest in shifting away from BYOD to mitigate the risks of a security breach.
What can organizations do to boost mobile security?
A well-implemented security solution that is transparent to users is key to maximizing mobile security while ensuring the confidentiality, integrity, and access of data. There are already non-intrusive, sophisticated mobile security tools out there, so it’s simply a matter of implementing them.
Here are some of Robinson’s tips for organizations looking to ramp up their mobile security:
- Prioritize doing more at the network level. Demand for network solutions is rising, said Robinson, as “more people want to see network-layered solutions that are seamless and agnostic in nature.” This is something that can be done directly today with solutions such as routing internet traffic to a private, non-routable IP address and enhancing mobile secure gateways by deploying adaptive authentication.
- Leverage a device enrollment program to enhance endpoint management. This ensures that organizations can access the data for corporate-use devices.
- Enable threat defense monitoring. This refers to monitoring networks and other information, such as the data usage permissions applications are requesting from a corporate endpoint.
- Implement an acceptable use policy that includes mobile devices. Though a majority of employers have some type of acceptable use policy in place for corporate employees, only 44% of them have policies that include mobile devices. By adding mobile devices into their policies, organizations can reduce risky behavior from end users who aren’t concerned about security.
Mobile security is often overlooked, especially on a corporate level, but this can no longer be the case. In this indefinite work-from-home era, an increasing number of employees are relying on mobile devices to get work done. Organizations can take a number of steps to enhance mobile security, and in turn, protect their data and mobile functionality.