How to Build a Mobile-First Security Strategy
Mobile devices have radically changed the way we work and collaborate. But along with the exponential growth in the use of smartphones and mobile apps has come a surge in vulnerabilities and exploits.
The power of mobile communication allows work to be done anywhere, anytime, by employees who are accessing ever-higher volumes of data to do their jobs. Mobile apps have become so ubiquitous and powerful that developers are making them more and more sophisticated to deliver higher-value services, experiences and data.
Not surprisingly, this has created an escalating vulnerability gap: more mobile devices means more mobile threats — and more blind spots as IT and security teams scramble to identify all those devices as they connect to their networks.
So clear is the growing need for a comprehensive Mobile Threat Defense (MTD) solution that numerous top-tier regulatory bodies, analysts and other experts have issued guidance on how to mitigate advanced mobile threats.
Kern Smith, vice president of global sales engineering for Zimperium, painted a clear picture of the emerging threats from mobile devices — as well as five clear principles of a mobile-first security strategy to mitigate those threats — at Ivanti Solutions Summit 2024 in Dallas in April.
A clear, growing threat
Since the launch of the iPhone in 2007, we’ve had plenty of time to gather reams of data about mobile device usage and the workplace vulnerabilities that have grown around that usage, Smith explained.
The starkest figure to know? $29 billion. That’s the financial impact of digital fraud stemming from mobile usage. Additionally, 46% of businesses have reported suffering reputational damage from that fraud. It’s no wonder that 88% of businesses indicate that cyber risk is a board-level priority viewed as a direct business risk. Smith shared a host of other eye-opening statistics from Zimperium’s 2023 global mobile threat report:
- 138%: The year-over-year increase in critical Android vulnerabilities discovered.
- 80%: The share of zero-day mobile vulnerabilities actively exploited over the past year that targeted Apple iOS.
- 1 million: The number of reconnaissance scans detected probing mobile devices for vulnerabilities.
- 80%: The share of phishing sites that specifically target mobile devices or are designed to work on both mobile and desktop.
The types of mobile threats
All the most common methods used to target desktop computers are being used to target mobile devices, Smith advised, and each method has a unique aspect to how it is exploited on mobile.
- Mobile Phishing: QR codes delivered via official-looking email or other communications are increasingly used to bypass traditional phishing filters and target mobile devices. And the average user is six to 10 times more likely to fall for an SMS phishing attack than an email-based one.
- Spyware: Spyware kits, services and source code are commonly traded and shared on the dark web — and even on mainstream repositories like GitHub or online communities like Reddit.
- Mobile Ransomware: In 2022, mobile ransomware moved from an experiment to a legitimate threat — from simple overlays that could be dismissed with a reboot to ones that encrypted files and locked down the device for real.
- Malware: The vast majority of Android malware is delivered from third-party app stores.
Guidance from regulators
So prevalent are mobile device vulnerabilities that numerous guidelines and regulations have been created specifically to promote implementation of effective MTD strategies.
The National Institute of Standards and Technology (NIST), for instance, revealed its latest recommendations in publication SP 800-124 Revision 2, urging enterprises to implement MTD, Mobile Application Vetting and Unified Endpoint Management to secure mobile devices.
Enterprises can also employ NIST’s Cybersecurity Maturity Model Certification, which specifies the implementation of mandatory protective software and scanning of devices for malware and critical security updates.
Meanwhile, the Cybersecurity and Infrastructure Security Agency (CISA) advised in its Binding Operational Directive (BOD) 23-01 that agencies must perform the same type of vulnerability enumeration on mobile devices and other devices that reside outside of agency on-premises networks.
Further, the Health Sector Cybersecurity Coordination Center (HC3) recommended that security software be installed on mobile devices to prevent viruses, spyware and full-fledged cyberattacks.
5 Mobile-first security principles
Handling the mobile device threat in the coming years starts by adopting a mobile-first security strategy, Smith advised. He offered five essential steps for protecting organizations and their data, as well as employee privacy:
- Prioritize risk at the edge: Secure the mobile-powered business reality across all devices, apps and platforms.
- Operate in a known state: Maintain complete visibility of your mobile ecosystem and risk level, automatically assess vulnerabilities and never throttle productivity. Your mobile ecosystem must be measurable, auditable and insurable.
- Step up detection and response: Detect and prioritize anomalies, respond to threats in context, resolve vulnerabilities and incidents proactively, and embed security across the device and application lifecycle for tamper-proof, threat-aware mobile experiences.
- Start the autonomous journey: Respond dynamically to threats and an ever-changing mobile ecosystem, automatically isolate compromised devices and untrusted environments, scale a proactive security posture and build resilience.
- Never break the law: Govern compliance, stay ahead of global regulations, maintain data sovereignty and adhere to privacy regulations while respecting work/life boundaries.