One thing that 2020 taught us is that you can do anything with a mobile device. My smartphone and tablet have become my go-to for shopping, banking, watching TV and video chatting with family and friends. I’m also getting a lot of work done on them. Basically it has become the center of both my personal and professional lives.
Here’s the dilemma a lot of organizations are facing: while away from the office, your workers are using their mobile devices to stay productive. And they’re doing so while juggling personal responsibilities on those same devices.
You know you can no longer rely on perimeter-based tools now that most people are working away from the office. At the same time, productivity suites like Microsoft 365 and Google Workspace and cloud apps like Workday and Salesforce are giving your workers instant access to your organization’s data and infrastructure.
So how do you secure your data in this new reality?
Here are three questions to ask to understand if your organization is ready
1. Is your employee training too focused on desktop computers and email?
Historically, cybersecurity training was focused on desktop computers and email. But the cyberattackers have expanded beyond both.
Mobile devices are more exposed to phishing threats and suffer the same or greater app, device and network threats. They also have as much access to your data and infrastructure as any other endpoint.
To defend against mobile threats, you need to make sure your training is aligned.
Your employees need to understand that they can receive a phishing link within any app on a tablet or smartphone. In addition to email, they can receive a malicious message within texting apps, social media platforms or even dating apps.
Moreover, the classic ways to spot phishing links on a desktop computer are no longer possible on tablets and phones. With a simplified user interface, many details are hidden like the full email address and URL. One can’t just hover over a link to check whether it is legitimate.
As an organization, employees need to understand risks from mobile apps. With the blending of personal and work on a mobile device, there are hidden risk and compliance issues. Some apps may seem harmless from a personal-use perspective, but they actually have detrimental effects on your organization's governance, risk and compliance requirements.
2. Does your Zero Trust strategy include all your endpoints?
The gist of Zero Trust is that you need to assume that no user or device is trustworthy until its risk level is verified. Furthermore, the risk-levels must be continuously verified and access privileges adjusted. This becomes especially important as most of us work away from the office and are using unmanaged devices and networks to access corporate data.
Successfully implementing Zero Trust requires visibility into the risk level of all your endpoints’ and have dynamic access controls in place. Traditional endpoint security may provide a risk assessment of laptop and desktop endpoints, but you also need to assess the risk level of mobile endpoints to deploy Zero Trust.
Workers are increasingly using their tablets and smartphones for work. If you don’t have visibility and access controls implemented on those devices, cyberattackers will exploit this security gap, rendering your Zero Trust strategy ineffective.
3. Do I have the ability to investigate mobile-related threat incidents?
The cost and frequency of cybersecurity breaches are increasing. And in addition to black-and-white threats such as malware, you know that there are file-less cyberattacks that don’t include malicious code and include different types of endpoints. To truly understand and investigate a threat incident, your team needs telemetry data from all endpoints.
Many organizations now have telemetry data for servers and desktops and laptop computers that enables threat hunting and incident investigations. But if that is where the visibility stops, then you cannot know about attacks that start phishing, app vulnerabilities or device compromise on your mobile endpoints.
Similar to Zero Trust, you cannot effectively stop beaches without access to global telemetry data from mobile endpoints.
Securing mobile devices is no longer an option
I recently asked a customer why they first deployed Lookout. They said that enabling employees to access Microsoft 365 on mobile endpoints would create a compliance violation. They rely on the NIST framework for meeting several compliance regulations and have followed the guidance of NIST 800-124.
You could have point-in-time health checks of user accounts with some security tools, but that’s not enough. You need continuous risk assessment and rich telemetry from the endpoint. Only with those insights can you enable dynamic Zero Trust access as well as hunt for threats and investigate advanced cyberattacks.
Visit our mobile security page to understand why mobile devices are a critical component of your cybersecurity posture.