For many years, the biggest barriers to enterprises mobilizing their workforce were technological and managerial: “how do we weave mobility solutions into our existing IT infrastructure?” and “how do we find the resources to properly manage them?” While those barriers still exist, many reports and surveys now show that security has surpassed them to become the biggest barrier of all.
“IT security has grown in importance to decision-makers so much that it has become the biggest challenge and inhibitor to enterprise mobility and digital workplace overall; it was cited by 22 percent of respondents. This represents a large shift since 2015, when our survey highlighted market complexity and technology change as the top barriers.”
These findings are in line with plenty of other surveys and reports we’ve seen, but one thing piqued our interest: why now? Smartphones have been in workplaces for many years, and IT has long been familiar with the risks. So why has security suddenly skyrocketed to ‘top of mind’?
We believe the first reason is that the mobile security threat has evolved from a “threat in theory” to a “threat in practice”. For many years the risk of smartphones was more of a “what if” discussion, so IT typically prioritized other controls first, like network firewalls and anti-virus. That has changed significantly, even in just the last 36 months. Gartner says that mobile attacks have grown by more than 100% in the last year, and Skycure’s own data shows some staggering statistics. Even in small enterprises (fewer than 5,000 employees), over half of the mobile devices have unpatched vulnerabilities, one third have been exposed to suspicious networks, and 1 out of 100 devices has a malware infection.
To say that mobile device attacks and hacks are on the rise would be a significant understatement. Using public CVE data, iOS is on track to have 4 times as many published vulnerabilities as it did in 2016, and Android is on track to have 1.5 times as many. (CVE counts measure disclosed vulnerabilities, so they also reflect growing researcher attention, but the trend is unmistakable.) Not only is the volume increasing tremendously, but so is severity, with almost 20% of iOS and 50% of Android vulnerabilities ranked as high severity. This evolving landscape poses a greater and greater danger to organizations.
Another reason is that hacks and attacks aren’t private anymore. When a company is breached it often becomes a huge story, which means bad press and unhappy customers on top of whatever data was lost in the attack. And after a breach, companies are often liable for fines and for paying for customers’ identity theft monitoring.
The third and final reason is upcoming legislation that aims to force accountability by imposing stricter regulations on how companies handle their users’ privacy on mobile devices (and other devices, too). In Europe, for example, the General Data Protection Regulation (GDPR) will go into effect on May 25th, 2018. That may sound far off, but it’s only a year away! GDPR introduces many more data protection and accountability requirements, including:
- the right to be forgotten (erasure of a user’s data on request)
- privacy by design
- transparency of what data is collected
The authors of GDPR specifically noted the ability of smartphones to capture private information about users, prescribing an understandable privacy notice and active consent from users prior to any collection of personal data. But GDPR doesn’t just outline what companies must do; it comes with hefty fines for any company in violation. Companies can be fined up to 20 million euros or 4% of their worldwide annual revenue (whichever is greater) for breaking these regulations, and the rule applies to any company processing the personal data of people in the EU, not only companies headquartered there. The EU deliberately set the fines high enough that companies couldn’t treat them as merely “business as usual”.
Given the new requirements, picking the right mobile security solution will be critical for compliance, too. The SANS Institute published a great report, A Holistic Approach to Securing Mobile Data and Devices, which includes a useful checklist for selecting a solution. Some of its requirements align with GDPR guidelines. For example, the solution’s official app should be publicly available through the platform app stores rather than side-loaded and dependent on private APIs: a private, side-loaded app may not obtain proper authorization before collecting data and may breach specific user privacy requirements, which would be a high-risk GDPR violation.
All of this equates to one simple fact for companies: it is now significantly more economical to invest in the right mobile security solution upfront, one which prevents these attacks outright, than to absorb the cost of a breach. The cost of a hack or attack, at this point, is simply too great for companies to skimp. For that reason, it is imperative that companies take the time to find a mobile security solution which delivers some key tenets to keep users, their devices, and their data safe, and to ensure compliance with regulations like GDPR:
- Multi-layered, whereby the solution works across a number of levels ranging from the device itself, to mobile app reputation, to crowd-sourced intelligence, and more.
- Cross-vector, as in a solution that can monitor for, detect, prevent, and automatically mitigate threats across all the key mobile threat vectors: malware, malicious networks, and OS/configuration vulnerabilities.
- Integrations, such that mobile security solutions can work seamlessly with existing enterprise mobile management (EMM) or mobile device management (MDM) software.
Picking the right mobile security solution will be critical to a company’s success going forward, as evidenced by security now ranking #1 on the minds of IT buyers. In a world where mobile devices are essentially a workplace requirement, so is a mobile threat defense solution which can protect users, their devices, and your data, while keeping your company in regulatory compliance, too.