IT administrators may be underestimating the potential threat of mobile devices, suggests data from a cybersecurity company that found more than half of IT professionals--59 percent--have not implemented mobile threat defenses.
“A majority of organizations have not deployed mobile security solutions capable of detecting leading threats including mobile malware, fake or malicious apps, man-in-the-middle attacks and system vulnerabilities,” according to the 2019 Security Report from Check Point.
This despite general concern about the vulnerability of mobile devices, according to a 2017 report by the Ponemon institute, which found that “eighty-four percent of respondents are very concerned about the threat of malware to mobile apps and 66 percent of respondents say they are very concerned about this threat to IoT apps. Sixty-three percent of respondents are not confident (30 percent) or have no confidence (33 percent) their organizations know all of the mobile applications used by employees.”
“The issues surrounding mobile device security capabilities are the same as with other security products,” says Maxine Holt, research director at Ovum. “Does the team responsible for security operations have the necessarily skills and expertise to ensure that the security capabilities are deployed and managed correctly? Have the individuals using the mobile devices been trained on the security risks and processes? Technology alone is rarely sufficient to secure anything, including mobile devices--people and process combine with technology to deliver security controls.”
The Check Point survey points out the particular threat of malicious apps infecting mobile devices and spreading through a corporate network.
“Many mobile users are unaware of the dangers and they are far too trusting when clicking on links they receive via SMS or social media apps such as WhatsApp,” the report warns. “This can often lead to the device getting infected by a wide array of mobile malware. Trojans, for example, carried within an app or installed through an unsecured network connection, infect a device with malicious code that may conduct surveillance by eavesdropping and recording conversations, extracting call logs, tracking locations, logging keyboard activity, and collecting passwords.”
“Malware can propagate from unprotected mobile devices to organizations’ cloud- or on-premise networks,” the report warns, “exploiting this weak link in enterprise security defenses.”
So if IT staff recognize a potential wide-ranging threat from mobile devices, why is there a lack of urgency to create defenses against attack? The Ponemon research suggests that user-convenience of the devices in the enterprise outweighs security concerns.
“The security of apps often does not receive the priority it needs because of the pressure to ensure mobile and IoT apps are easy to use,” the report states.
In addition, notes the report, in some organizations it is unclear as to which groups are responsible for securing mobile devices.
“The functions most responsible for mobile and IoT security are outside the security function,” the report found. “Only 15 percent of respondents say the CISO is most responsible and only 11 percent of respondents say application development is primarily responsible for security of apps. In the case of IoT apps, only 5 percent of respondents say the CISO is primarily responsible. Instead, the head of product engineering and lines of business are most responsible (31 percent and 21 percent of respondents, respectively).”
The Ponemon report identified a rush to deploy mobile and IoT apps as another significant vulnerability for the enterprise.
“Sixty-nine percent of respondents say pressure on the development team is why mobile apps contain vulnerable code and 75 percent of respondents say the same reason contributes to vulnerable code in IoT apps,” according to the report. “Accidental coding errors in mobile and IoT apps are another primary reason for vulnerable code (65 percent of respondents). An additional issue affecting the security of apps is the lack of internal policies or rules that clarify security requirements.”
