August 23, 2017


Data Leakage on Mobile: How to Think About Behaviors and Configurations


A CISO's number one priority is to protect the enterprise from data loss and leakage. This means protecting all endpoints - mobile included - from attack. What is often overlooked, however, are the many ways the mobile environment may inadvertently put enterprise data at risk.

Malicious attacks against mobile vectors are only one of the ways enterprise data is put at risk. As most security professionals know, humans are often patient zero in data breaches.

Employee behaviors and non-malicious apps are just as capable of leaking enterprise data as malware.

The Spectrum of Mobile Risk outlines the variety of ways enterprise data can be compromised through mobile devices. The most obvious ways are through app-based threats and vulnerabilities in mobile operating systems. Threats and vulnerabilities represent two "Components of Risk." The third, "Behaviors and Configurations," is less obvious, but it is a central way enterprise data is compromised on mobile devices.


Let's take a deeper look into behaviors and configurations:

App Behaviors & Configurations: How app permissions can impact enterprise data

App developers routinely ask for more permissions than the app needs to function. They do this to avoid asking users to grant permissions each time a new feature is released. Usually these permission requests are wide-reaching and unnecessary. This is an example of an app behavior and configuration risk.

According to exclusive research from the Lookout Security Intelligence team, across enterprise iOS devices protected by Lookout 30% of apps access contact records and GPS data, 31% of apps access the calendar, 39% of apps access the microphone, and 75% of apps access the camera.

Employees, on the other hand, have "next-next-next" syndrome, accepting notifications in order to resume normal activity on the device as soon as possible. We've seen this for years with terms of service agreements.

Neither app developers nor employees have full insight into a company's risk tolerance, regulatory responsibilities, or internal security policies. Because of this, apps often do not transmit or store data in a way that satisfies an enterprise's security requirements, such as compliance standards like GDPR, SOX, and HIPAA.


Mobile Threat Defense (MTD) is a scalable solution to the challenge of leaky apps. CISOs can take back control of data by enabling conditional access policies through MTD. An example of such a policy is, "If an app that can read and write to the device's calendar is present on an employee device, block device access to corporate email."


Device Behaviors & Configurations: Jailbroken and rooted devices exist in your mobile environment today

Jailbreaking and rooting are not fringe activities. Employees alter their device's state in order to remove preloaded applications, customize their operating systems, or download software that the device does not otherwise support.

In fact, 1 in 1,000 of our enterprise-protected iOS devices are jailbroken and 5 in 1,000 of our enterprise-protected Android devices are rooted, according to data from the Lookout Security Cloud, which is powered by a global network of over 100 million devices that contribute to a massive dataset of over 40 million mobile apps.

Devices in this state often do not receive regular software updates, leaving them open to publicly disclosed software vulnerabilities.

Other examples of device behaviors and configurations risks include:

  • Employees not enabling a passcode on the device.
  • Employees enabling USB debugging on Android (which allows an individual to load software to a mobile device via a USB).
  • Employees installing apps from non-official app stores, including by enabling "unknown sources" on Android devices or allowing "enterprise configuration profiles" on iOS.
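
The device checks listed above and the calendar-based conditional access policy quoted earlier can be expressed as one posture evaluation. The following is an added example, not Lookout's code or policy format: the inventory schema, finding names, `BLOCKING` policy set and sample fleet are constructed assumptions, and only the two Android calendar permission names are real identifiers.

```python
from dataclasses import dataclass, field

# Real Android permission names; everything else (schema, finding names,
# policy) is a constructed assumption for illustration.
CALENDAR_RW = {"android.permission.READ_CALENDAR",
               "android.permission.WRITE_CALENDAR"}

@dataclass
class Device:
    owner: str
    compromised: bool = False      # jailbroken (iOS) or rooted (Android)
    passcode_set: bool = True
    usb_debugging: bool = False    # Android only
    sideloading: bool = False      # "unknown sources" or untrusted profile
    apps: dict = field(default_factory=dict)  # app id -> granted permissions

# Assumed policy: which findings block corporate email.
BLOCKING = {"jailbroken_or_rooted", "no_passcode", "calendar_rw"}

def findings(dev):
    """List behavior/configuration findings as (kind, detail) pairs."""
    out = []
    if dev.compromised:
        out.append(("jailbroken_or_rooted", ""))
    if not dev.passcode_set:
        out.append(("no_passcode", ""))
    if dev.usb_debugging:
        out.append(("usb_debugging", ""))
    if dev.sideloading:
        out.append(("sideloading", ""))
    for app, perms in sorted(dev.apps.items()):
        if CALENDAR_RW <= set(perms):      # app holds both read and write
            out.append(("calendar_rw", app))
    return out

def email_access(dev):
    """Return ('block'|'allow', findings); other findings are report-only."""
    found = findings(dev)
    blocked = any(kind in BLOCKING for kind, _ in found)
    return ("block" if blocked else "allow", found)

# Constructed sample inventory.
FLEET = [
    Device("alice", apps={"com.example.notes": {"android.permission.READ_CALENDAR"}}),
    Device("bob", usb_debugging=True),
    Device("carol", apps={"com.example.sched": CALENDAR_RW | {"android.permission.CAMERA"}}),
    Device("dave", compromised=True, passcode_set=False),
]
```

Separating findings from the blocking set lets a team report on lower-risk settings such as USB debugging without cutting off email, then tighten the policy later without changing the checks.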

Web & Content Behaviors & Configurations: Phishing on mobile is one of the main ways enterprise data is compromised

Phishing is a "web and content" behaviors and configurations risk. Risks associated with this sector of the Mobile Risk Matrix can be summed up as employees opening email attachments from unknown people or clicking links in SMS messages or other messaging apps. Attachments might contain any type of content, but tend to be media files. When accessed, these files pose the risk of exploitation and phishing by malicious content or a malicious web page.

Though phishing is a malicious attack, it takes the often unintended employee action of clicking the link to cause data compromise.

Protect data by accounting for the entire Spectrum of Mobile Risk

Mobile devices are essential tools for employee productivity, but they open up new ways for employees, apps, and other software on the device to unintentionally risk enterprise data. Failing to protect data from Behaviors and Configurations risks leaves an enterprise open to serious loss of sensitive data. This can lead to hefty regulatory fines associated with compliance issues and damage to brand reputation.

Enterprises need a comprehensive mobile security solution that addresses all components and vectors on the Spectrum of Mobile Risk. Security organizations that employ an effective mobile threat defense that provides visibility into the entire spectrum of risk, assurances of mobile app reputation, and mobile vulnerability management, will enable their employees to get the most value from mobile technology, securely.
