Unfortunately, it seems that the fastest and most effective way to spur change in enterprise security is to learn of a massive breach of some sort. Mobile security is no different. I recently spoke with an ex-coworker of mine and asked him why he thought enterprises don’t prioritize user-centric mobile security enough. He responded that there has never been a “major” breach in which an employee’s mobile device was the main culprit. Naturally, I had to dig into the validity of that claim.
Unsurprisingly, after a few minutes of searching I found a prime example. Last July, the Japanese educational services provider Benesse experienced a massive data breach as a result of an insider threat via a mobile device. A contract system engineer copied trade secrets and the personal information of 22.6 million customers onto his mobile device. The breach resulted in the resignation of the company’s CIO and $150M in reimbursement costs for the affected customers.
Insider threats aren’t the only risk, though. The recently disclosed vulnerability in the SwiftKey keyboard that ships preinstalled on Samsung smartphones has placed as many as 600 million devices at risk of a data breach. This is a clear example of why partnerships, and the security of the software partners supply, also need to go through a thorough vetting process. I would imagine Samsung isn’t very happy at the moment.
Zombie apps, apps that have been pulled from the Apple App Store and Google Play but remain installed on users’ devices, are now being brought back to life by cybercriminals. Criminals hijack the app’s update mechanism so that malware is pushed down to the device the next time the user opens the application. These man-in-the-middle attacks put any corporate data on a zombie-app-infected device at risk of being seized by cybercriminals.
I’m not citing these examples to freak anyone out, but simply to educate the public about the current mobile landscape. Clearly, criminals are beginning to think outside the box. As IT security professionals, we must be able to do the same.
A Call For “Prosumerization”
One of the biggest issues with enterprise mobile security solutions today is that most focus solely on functionality, not on user experience. Enterprises should look to deploy professional products that bring a consumer-grade user experience to security: security that doesn’t dictate the way a user gets his or her work done, but enables them to do so without putting themselves, or their company’s sensitive data, at risk.
Early mobile security approaches like MDM and MAM focus on neither user experience nor data protection. They focus on either the device or a wrapper around the application, not on the data itself. Because they provide neither data loss prevention nor an audit log, both MDM and MAM solutions would fall victim to any of the examples mentioned earlier in this post: insider threats, software vulnerabilities and zombie apps would all gobble up any sensitive data stored on a device secured by these EMM solutions.
But what if you could control the flow of data coming down to the device? What if you could track it? What if you could selectively wipe all corporate data on those devices, leaving the user’s personal data completely untouched, with no agent on the device?
What do insider threats, SwiftKey and zombie apps mean for mobile security? They mean it’s time for invisible mobile security that works.
Product Marketing Manager | Bitglass