Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Mobile & Wireless

Identifying Mobile Blind Spots

Until We Know What is Occurring on Devices, We Cannot Determine if Our Controls are Effective at Managing Risk…

Until We Know What is Occurring on Devices, We Cannot Determine if Our Controls are Effective at Managing Risk…

Be it corporate owned or BYOD, the enterprise has gone mobile. We talk about BYOD a lot because it’s new, scary, and it’s harder to control, but at the end of the day both corporate-owned devices and BYOD have something in common – companies don’t really know what’s happening on them.

IT monitors network traffic, servers and desktops and as a result, they have a pretty good sense of the risk each of these poses. If you lose a backup tape you understand what the exposure is. You can easily determine what was on that tape and understand the liability – exactly what data is at risk. If you lose a mobile device however, many companies cannot answer the same questions.  Yet there is just as much sensitive data on mobile devices these days as on our backup tapes. We have to gain that visibility because we can’t control what we can’t see.

BYOD Risks

Most companies have some sort of mobile policy in place; however, many still don’t understand the true risk that mobility poses to their organization. They provision devices or let users have access to resources on their own devices, but they don’t really understand what data they are actually accessing, what the user is doing with the data on the device, or where the data is going, let alone how to secure it.

I recently spoke with a Fortune 100 company that felt that they had a solid mobile security solution. However when asked, from those implementing the security to those setting the policies, no one really knew what the mobile security tools in place were protecting. Furthermore, they had no idea what was really happening with their corporate data, how access to corporate applications, both internal and cloud-based, were being protected on the device, or whether or not applications could access the VPN. They assumed that the MDM solution they had in place was doing what it needed to do; when in fact, it didn’t even come close. They weren’t actually protecting what they thought they were protecting, weren’t mitigating the risks they thought they were mitigating – they had a big mobile blind spot: visibility.

Until we understand what is occurring on devices, we cannot determine if our controls are effective at managing risk. How can we if we don’t know what’s being protected, what’s not, and how devices are being utilized? Until we have these facts, we’re just making assumptions. The way to overcome this is by gaining visibility into what’s really happening at a granular data level. Armed with these insights, we can craft proper implementations and controls to meet both the organization’s requirements for risk management as well as the employee’s requirements for productivity. As we know this second part is important in the BYOD state. Without it users will go around controls, and create more blind spots.

Many of us create our own blind spots through assumption. I spoke with another company recently that had assumed that their security solution was encrypting everything (mobile, application, data and device); however when they looked further they realized that the encryption only applied to certain parts of the operating system and did not actually protect the application data they were most concerned about – the ones that contained confidential information. Without protection for third-party apps, they had a big mobile security gap. This is when they realized that they needed a solution that would protect the data stored by the applications that their employees were using. Figuring out what data was traversing these applications –both on and off of the device — was the first step to controlling, and ultimately protecting, their corporate data.

Beyond that, it’s important to understand what data is on the devices, how it got there and where it goes from the device. Fundamental insights include which applications are opening or copying data on the device or in the cloud, whether users are emailing or sharing the data with applications that have loose privileges or permissions, as well as the content and context of the data stored on these devices. It’s not enough to know that a corporate file is being stored on a device, but to know what kind of file it is. Is it PCI or HIPAA sensitive? Does it contain account data, product design, etc? Understanding how people are using data on their devices provides insight into how to support them, and ultimately allows IT to put better policies in place to manage risk. Going back to the lost device scenario above, it helps IT understand the true risk when a device is lost because they now have detailed insights into what was on the device.

Advertisement. Scroll to continue reading.

Lack of insight into data has caused a gap in our controls. Many organizations are simply relying on what’s natively on the device – using configuration tools and hoping that’s enough – but if we don’t know where the data is or what people are doing with it, how can we really protect that data? We can’t. We’re just checking a box for the sake of checking a box. The same is true for applications.

Today, many organizations still don’t understand which applications carry sensitive data and which need to have enterprise security controls. Nor do they know which applications their teams are using and which they need to support. Without this, we can’t apply appropriate controls to those applications – again creating a gap in our mobile security controls.

Just like any blind spot, mobile blind spots simply require additional tools to give us the visibility we need to keep the most important thing safe. Be it the passengers in a car, or confidential corporate data, visibility enables us to make the right decisions, whether changing lanes, or implementing mobile security policies.

Related: Dealing with Mobility and BYOD Security Challenges? Start with The Network

Written By

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Mobile & Wireless

Infonetics Research has shared excerpts from its Mobile Device Security Client Software market size and forecasts report, which tracks enterprise and consumer security client...

Mobile & Wireless

Samsung smartphone users warned about CVE-2023-21492, an ASLR bypass vulnerability exploited in the wild, likely by a spyware vendor.

Malware & Threats

Apple’s cat-and-mouse struggles with zero-day exploits on its flagship iOS platform is showing no signs of slowing down.

Fraud & Identity Theft

A team of researchers has demonstrated a new attack method that affects iPhone owners who use Apple Pay and Visa payment cards. The vulnerabilities...

Mobile & Wireless

Critical security flaws expose Samsung’s Exynos modems to “Internet-to-baseband remote code execution” attacks with no user interaction. Project Zero says an attacker only needs...

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Mobile & Wireless

Asus patched nine WiFi router security defects, including a highly critical 2018 vulnerability that exposes users to code execution attacks.