Technology moves at a rapid pace. In 2008, a bold prediction proclaimed, “Mobile to overtake fixed Internet access by 2014.” Well, in 2019 we can unequivocally say that Mary Meeker, a technology analyst and source of that quote, was absolutely right. Today, there are whole countries whose mobile internet usage, in terms of time, is more than double that of fixed internet. Among that list of countries is the United States of America, according to ComScore.
Therefore, if you are a business without a mobile application or an effective mobile website, you are missing out on, literally, millions and millions of customers who are on the internet entirely through mobile.
Yet, with great opportunity also comes potential risk. Understanding the mobile security framework and how to protect yourself is key to maximizing profits and minimizing risk.
What is a Security Framework?
The textbook definition of an information security framework, according to Techopedia is, “A dedicated hardware security layer, in conjunction with third-party software, can be used to safeguard privacy. Comprehensive security requires the architecture implementation of strong authentication and access controls in order to perform encrypted transmission.”
There are four common security frameworks. They are as follows:
- NIST SP 800-53: The National Institute of Standards and Technology Special Publication was published in 1990. It has gone through many iterations. Initially, NIST was for government agencies to help follow the Federal Information Processing Standards. However, many in the private sector follow their practices.
- COBIT: The Control Objectives for Information Related Technology was formed in 1996 to help reduce the risk for financial organizations. Its latest version hopes to improve aligning technology and business strategy.
- ISO 27000 Series: The International Organization of Standardization is, obviously, an international set of wide-ranging standards that police privacy and the best practices of the International Electrotechnical Commission.
- CISQ: The Consortium for IT Software Quality created standards for automation of analyzing software size and structural soundness.
It’s understandable if much of this sounds like technical mumbo jumbo. That’s because it is, however, that doesn’t mean that it isn’t completely vital. Ultimately, a security framework is specific controls and standards that help keep businesses and government alike safe from cyber attacks.
They also maintain the rights of private citizens whose information is held on the mobile security frameworks of said entities. Most entities utilize hybrid security frameworks that allow them to pick and choose the policies and controls that best protect themselves and meet industry compliance standards.
Assess your mobile security
What is the Mobile Security Framework?
A mobile security framework is the same as the security frameworks that we outlined above. Except, a mobile security framework fits within the larger security framework to specifically protect mobile users within the larger technology ecosystem. Maintaining a strong mobile security framework is crucial for business as the proliferation of mobile use continues to skyrocket. According to Statista, there were 178.1 billion mobile apps downloaded in 2017 and that number is only projected to grow.
Such explosive growth creates an opportunity for businesses, but also, for hackers. Cybercriminals, for all their sophistication, are simply following the numbers, taking advantage of loopholes and backdoors. PC users are more likely to be hacked than Mac, not because Mac computers have superior security but because the number of PC users outnumbers Mac users by a lot. Therefore, hackers will spend more time creating viruses and attacking PC’s because there or more PC’s out there to steal from!
The exact same thing is happening with application and mobile devices. Hackers are seeing the giant growth in mobile use and are tailoring their thievery to take advantage of such growth. Individual users and more importantly, businesses, need to understand the risks of apps and mobile sites so they may properly protect themselves with web and app security. That is where the mobile security framework comes in.
Testing Your Mobile Security Framework:
The need for mobile security is more crucial than ever. That is why developers have created a number of mobile security framework open source websites and apps. Whether you run Android, Apple or other, these sites and apps have been created so you may test the efficacy of your mobile app.
Understand that these open source applications are not the mobile security framework itself. For that you need an IT team to set that up, but instead, it is an easy way for you to test your mobile security framework. They are very handy and highly recommended for any business no matter the size. By utilizing these sites, you can test the strengths and weaknesses of your mobile website or app.
Believe it or not, according to a Forbes survey:
- “89% of organizations are relying on just a single security strategy to keep their mobile networks safe.”
- “61% report that their spending on mobile security had increased in 2017 with 10% saying it had increased significantly.
- “Just 39% of mobile device users in enterprises change all default passwords, and only 38% use strong two-factor authentication on their mobile devices.
- “Just 31% of companies are using mobile device or enterprise mobility management.
When you put those statistics together, they make sense. They also show how far behind most companies are when it comes to their mobile security framework. Any mobile app security expert would cringe at those numbers and imagine all the ways hackers could cause millions of dollars in damage.
RELATED ARTICLE: What You Need To Know About Mobile Penetration Testing
Complications Everywhere:
A big part of the reason so many companies are exposed to potential hacks is how quickly technology is moving. Businesses see the huge financial advantages of cloud computing and mobile adoption but tend to ignore what those advances require in order to be maintained.
It’s a much better speech to share with stockholders on how much money can be made through the rapid improvement of cloud computing and reaching so many more users through mobile development. Compare that with how much the complex security layers will cost that are required to make it all work.
The common mistake many entities are making is pushing toward performance goals through mobile development without taking the proper steps to ensure all this development doesn’t come back to bite them in the behind.
According to a Verizon Mobile Security Index of 2018, “32% of enterprises are sacrificing security for expediency and business performance, leaving many areas of their core infrastructure unsecured.” That quote rings like Christmas carols to ears of hackers everywhere. So, too, do these other findings from that same report.
- “79% of enterprises consider their employees to be the most significant security threat.”
This is largely due to the fact that we all use our phones for everything. We mix business, pleasure and everything in between on our mobile devices. For large enterprises, that is a security nightmare. It introduces all these unsecured devices into the system that make monitoring it all extremely difficult. That is part of the reason why certain security platforms that offer risk assessment and security assessment based on behavioral patterns to match employee’s identities are becoming more popular. That way if a hacker has commandeered an employee’s mobile device, this software can ring the alarm that this mobile device is acting in a malicious manner.
- “32% of enterprises have sacrificed security for expediency and business performance leading to 45% of them suffering data loss or downtime.
We previously touched on that 32% of enterprises sacrificed speed for safety. Nearly half of them surely regret that decision. It’s also likely that the number is higher as many companies don’t report data breaches for fear of negative publicity. The flip side of that coin was that of the “68% who prioritized security over expediency, just 19% had suffered data loss or downtime.”
- “Just 49% of enterprises have a policy regarding the use of public Wi?Fi, and even fewer (47%) encrypt the transmission of sensitive data across open, public networks.”
Add the fact that, “71% of respondents use public Wi-Fi networks for work tasks, despite their companies prohibiting their use.” You can see that a major security policy problem exists based on Wi-Fi policies alone. If these numbers are accurate, the majority of enterprises are as leaky as an old sink. With these mobile security threats and vulnerabilities, It’s no wonder that every day there is another story regarding the security breach of an organization with massive amounts of sensitive information and corporate data. Read more about the top 5 mobile security risks and threats in our related blog post.
At the end of January, the largest data breach ever recorded was released on the internet. According to Jake Moore, cybersecurity specialist at ESET, “This is a start of something far more significant than anything we have seen before. Hackers are becoming even more sophisticated and, hopefully, this is a massive wake-up call to anyone with an email address.”
Yikes! Since just about all of us have email addresses, it’s probably time we all sat up and paid attention.
Best Practices For A Secure Mobile Security Framework:
The unfortunate reality of cybersecurity, whether it is for mobile or for fixed internet, is that no security framework works unless the people using it are aware of the dangers. It’s similar to the notion that a door lock only works if the person remembers to lock it. Cybersecurity is, naturally, leaps and bounds more complicated than that. However, the same idea applies.
In the world of cybersecurity, employees using their own devices for both businesses and personal use is one of the many unlocked doors that create security challenges. It’s the Bring-Your-Own-Device (BYOD) conundrum that every forward-thinking company must address if they are to properly protect themselves. 2018 saw mobile banking trojan viruses and third-party app malware reach never seen before heights.
Any business not strenuously emphasizing the importance of cyber security to their employees is negligent in their duties and likely to face the wrath of hungry hackers. Here are a few other cybersecurity risks to watch out for that have exploded in recent months.
Invest In Mobile Malware Protection:
Any secure BYOD will include a mobile malware download that helps keep your employee’s phone from becoming patient X for a massive security breach. Also, having remote access to your phone in case of a hack is recommended. That way you can data wipe it if the phone is lost or stolen.
Strong Passwords:
You likely hear enough advice from your own device about the strength of your passwords, but a strong password goes a long way. Believe it or not, one of the most common ways hackers enter a system is by digitally guessing passwords. It may be really annoying when you forget which letter is a capital and which is a money sign, but it’s a lot better than being fired for inattentive cybersecurity practices. Multifactor authentication is also a strong deterrent against hackers.
Use Separate Mobile Gateways:
Some information is so sensitive that it should not be accessible by mobile. By creating a separate mobile gateway, you can more securely monitor the flow of information. The more differentiated your system is, the easier it will be to catch suspicious behavior within the network.
Conduct Regular Audits:
It would shock you to learn how many data leaks occurred without the company’s knowledge. In some cases the hackers had infiltrated the system months ago and were mining cryptocurrency, taking sensitive information and generally having run of the place without anyone finding out.
How often should you audit your cyber security? Performing audits on a consistent basis alleviates that concern and allows management to sleep easy, knowing that their system has been checked for leaks. Burying your head in the sand is not a strategy. The earlier you learn about a data leak, the less damage that can be done.
Educate, Educate, Educate:
Whether it was when you were a student or as an employee, on the job training is never fun. In fact, in can be downright boring. However, cybersecurity awareness training is the best way to ensure that your company is secure. Employee’s online behavior is the number one concern and cause of data breaches. Impressing upon the importance of best technology practices and creating an environment of accountability are the most effective paths to keeping your company safe. Read more in our related blog article about why your team needs cyber security education.
Check out RSI Security for more information on adopting a mobile security framework in addition to all aspects of cybersecurity solutions.