Recently I attended Gartner’s Security and Risk Management Summit outside Washington, D.C. Early in the week, I had a discussion with a security professional who asked me, skeptically, if mobile threats were actually something he had to worry about. He explained that mobile malware and mobile breaches were small blips on the security threat horizon. I realized he must have skimmed the new Verizon Data Breach Report and mistakenly thinks he should take ‘mobile security’ off of his to-do list.
On the contrary, and as my friend learned as the week went on, the problem is not mobile malware but that mobile devices and apps are rife with vulnerabilities.
Mobile security continues to be a top priority for CISOs. At the Gartner Summit, there were a number of mobile sessions and a lot of bar conversations ranging from how management of devices only takes CISOs so far, to securing mobile applications and whether or not to trust the mobile operating system. One-on-one conversations with analysts shed light on companies who are struggling to work security into the mobile app development process especially since, as Gartner analyst Ramon Krikken put it, “developers should write secure code, not security code.”
The increase in mobile security conversations shows that teams are still trying to figure out their strategy and how to address this new landscape of vulnerabilities. Companies I met with are finding that legacy solutions like EMM don’t address their security needs, thus they need something more to solve these new mobile challenges.
And the need is becoming more immediate. In the past weeks following the Gartner conference, researchers from a variety of organizations uncovered vulnerabilities in mobile apps and operating systems:
• A flaw in Swiftkey keyboard software on Samsung Galaxy smartphones put 600 million devices vulnerable to data theft, installation of malware and eavesdropping on calls
• A zero-day in the latest Apple OS allows approved apps downloaded through the Apple App Store to access other apps’ sensitive data
• A flaw introduced by poor programming practices used by mobile developers has exposed thousands of mobile apps to potential data breach
In fact, if my friend had taken a closer read of the Verizon report, he would have realized that Verizon made it clear that security practitioners should not ignore mobile because the landscape is changing, as demonstrated by these new mobile defects. Having visibility into the mobile environment to detect these vulnerabilities is critical, and followed closely by having the control to take action on them. Given this advice, I can see why enterprises are struggling. Legacy solutions that employ blacklisting or whitelisting of mobile apps seem completely inadequate in a world where tens of thousands of apps may have a single critical vulnerability.
As we head into the second half of 2015, it will be interesting to see how mobile security evolves and which companies make it a priority. Smart companies will move beyond device and app inventory management and look for mobile insurance polices. And those that take mobile security off their to-do list…well I guess we will know who by the headlines.
By Adam Ely