Improving mobile app security in a BYOD world
Adoption of mobile apps for personal and professional reasons continues to rise as employees embrace new remote-work tools during the COVID-19 pandemic. The thin line demarcating the personal and professional blurs more each day as many at-home workers use personal equipment to access corporate networks and data. This shift has expanded the landscape of security risks inherent in mobile apps.
The use of personal devices in the workplace, often referred to as “bring your own device” (BYOD), has introduced significant security and privacy risks to organizations, their employees, and their customers. These risks are very real – and they are rising. In the Verizon 2020 Mobile Security Index Report, 39% of responding organizations reported a security compromise involving a mobile device. That represents a 44% jump in mobile-related incidents over the past two years.
Zoom, a videoconferencing tool used by millions of people for work and personal communications, became a breakaway success early in the COVID-19 crisis. The app’s sudden popularity has significantly expanded organizations’ cybersecurity attack surface and attracted the attention of cybercriminals who are developing Zoom-themed malware. The company is scrambling to address high-profile security issues that include disruption of meetings (“Zoombombing”), malware implants, and inadequate encryption for unpaid accounts.
Even established, more prosaic technologies like virtual private networks (VPNs) can invite compromise and data-privacy violations. Without proper configuration, organizations may be exposed to a range of risks that includes malware, insecure default user permissions, and exposure of user traffic through DNS leaks.
Potential risks of unsecured devices
Multiple factors make mobile devices and apps inherently vulnerable to cybersecurity and privacy threats. Apps are often designed by companies with little experience in cybersecurity and are rushed to market without proper security considerations. Businesses that quickly embrace the use of these mobile apps often skimp on implementing the processes and tools needed to secure their networks, like encryption, data governance, and mobile security guidelines, to name a few.
Unsecured apps would pose less of a risk if they didn’t come into contact with any sensitive data, but that is not the case. Individual users store troves of personal and professional information on their mobile devices, and any of their numerous downloaded apps can access that information. Most users give away an inordinate amount of personal information for free. Take as an example the personal and professional information shared on social networking platforms such as LinkedIn. Names, hometown, schools, degrees, causes supported, “kudos” to the personal posts of others – lots of information that can also be used adversely. The same could be said for the information that users freely give away for the sake of convenience. Apps to create to-do lists, supermarket lists, calendar integrations, funny cat videos, efficient directions; each comes with its own, predominantly unread, terms and conditions for using the app and establishing the data the app can then access.
Using information from social media, corporate reports, and streaming video, cybercriminals can build a deeply personal dossier that helps create a more convincing campaign of deceit. That’s a boon to cybercriminals, who use these platforms to gather information and optimize social-engineering schemes that underlie phishing, ransomware, and business email compromise attempts.
Employees, in fact, often empower adversaries by generating a large amount of data. Consider that smartphone users may grant apps broad access to the device’s location services, camera, contacts, and calendar – all without considering whether these permissions are legitimate or necessary. Workers should be encouraged to take the time to understand and take responsibility for data security and privacy of corporate data on their personal devices.
Steps toward mobile security
A strong, effective mobile security program is typically built on a foundation of mobile device management, or MDM.
MDM centralizes and automates remote management of mobile devices. Some of the newer MDM solutions create two separate partitions on the device’s storage. One houses a corporate workspace, while the other stores all personal data. This arrangement enables IT to block downloads into the corporate workspace while still allowing them in the personal area.
MDM can also enable businesses to delete all apps and data from employee devices, regardless of ownership, upon separation or violation of policies. This type of policy should be carefully vetted for potential legal and privacy concerns related to laws such as the California Consumer Privacy Act (CCPA) and other state regulations. California, along with a handful of other states, protects personal information stored on devices, and deletion of data could expose businesses to legal scrutiny and privacy violations.
In addition to MDM, organizations will need to carefully assess and configure an interconnected ecosystem of software, systems, and processes. Specific considerations include:
- Data governance: A data governance program can help organizations understand data stored and used by mobile devices, as well as who has access to the data and with whom it is shared.
- Data loss prevention: DLP helps protect data by prohibiting employees from sending sensitive information outside the corporate network. DLP can also help safeguard a mobile workforce and enforce BYOD security.
- Virtual private networks: Proper configuration of VPNs is critical to mobile security. Organizations can strengthen VPN gateways by integrating technologies such as allowlisting (whitelisting) and end-to-end encryption. Administrators should not rely on default vendor-supplied configurations, nor should end users employ a consumer-grade VPN for corporate access.
- Antivirus software: Effective antivirus software should be installed on personal and business-owned devices. Antivirus solutions help strengthen security by scanning devices for malware and privacy violations, as well as by providing safe browsing.
- IT approval: Organizations should establish processes for IT to assess and verify all apps that are used on personal mobile devices.
- Company store: Larger organizations should consider establishing a corporate mobile app store stocked with authorized applications that have been vetted by internal security teams.
Getting personal about security
People are deeply attached to their mobile phones. As a result, all mobile devices are personal devices, whether owned by the individual or the organization. Businesses that embrace this concept will be better able to connect with employees and develop a more personal approach to mobile app security.
Making the human connection is critical because most mobile security incidents result from user error. It’s essential, therefore, to educate employees on current threats as well as on cybersecurity and privacy policies and cyberhygiene. Training for people-targeted attacks like phishing, for example, can help employees recognize attempts through telltale signs such as misspellings, unidiomatic language, and spoofed URLs. This approach can empower employees to think through potential risks in real time.
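The spoofed-URL cue mentioned above is one that tooling can reinforce alongside training. The following Python script is an added example, not code from the original article or from CohnReznick; it flags links in a message whose hosts merely resemble an organization's trusted domains. The trusted domain list, the sample message, and the `examplecorp.com` brand are all constructed for illustration, and the registrable-domain helper is a deliberate approximation (the last two labels) rather than a Public Suffix List lookup.

```python
import re
from urllib.parse import urlsplit

# Constructed example: domains this (hypothetical) organization treats as legitimate.
TRUSTED_DOMAINS = {"examplecorp.com", "mail.examplecorp.com"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Approximation: last two labels. Production code should consult the Public Suffix List."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def analyse_url(url: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Return the real host, a verdict (trusted / suspicious / unknown) and the reasons."""
    reasons = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = (parts.hostname or "").lower().rstrip(".")

    # "https://trusted.com@evil.test/" -- the part before '@' is userinfo, not the host.
    if parts.username is not None:
        reasons.append(f"text before '@' is userinfo; the real host is {host}")
    # Legitimate corporate services are rarely linked by raw IP address.
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
        reasons.append("raw IP address instead of a hostname")
    # Internationalized labels can hide homoglyphs that render like a trusted name.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode/IDN label (possible homoglyph)")

    if host in trusted or any(host.endswith("." + t) for t in trusted):
        return {"host": host, "verdict": "trusted", "reasons": reasons}

    reg = registrable_domain(host)
    for treg in {registrable_domain(t) for t in trusted}:
        brand = treg.split(".")[0]
        # Brand name embedded in an unrelated host, e.g. login.examplecorp-com.evil.test
        if brand in host.replace("-", ""):
            reasons.append(f"contains trusted brand '{brand}' but is not {treg}")
            break
        # Close typo-squat of the registrable domain, e.g. examp1ecorp.com
        if 0 < levenshtein(reg, treg) <= 2:
            reasons.append(f"'{reg}' is within 2 edits of trusted '{treg}'")
            break

    verdict = "suspicious" if reasons else "unknown"
    return {"host": host, "verdict": verdict, "reasons": reasons}


def scan_message(text: str, trusted=TRUSTED_DOMAINS) -> list:
    """Extract every URL from a message body and return only the suspicious findings."""
    findings = []
    for raw in URL_RE.findall(text):
        url = raw.rstrip(".,;)")
        result = analyse_url(url, trusted)
        if result["verdict"] == "suspicious":
            findings.append({"url": url, **result})
    return findings


# Constructed sample message: one legitimate link and two lookalikes.
SAMPLE_MESSAGE = """Hi team, please review your inbox at https://mail.examplecorp.com/inbox.
Your password expires today, reset it at https://examp1ecorp.com/reset now.
Or use the backup portal https://examplecorp.com@evil.test/login."""

if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MESSAGE):
        print(finding["url"], "->", finding["verdict"], "; ".join(finding["reasons"]))
```

Run stand-alone, the script lists the two lookalike links from the constructed message with the reason each was flagged; the legitimate `mail.examplecorp.com` link is not reported. A host that neither matches nor resembles a trusted domain comes back as `unknown`, which is deliberate: the check is a training aid and a triage hint, not a blocklist.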
For their part, business leaders should proactively articulate and foster a culture of security in which every person plays a role. Ultimately, this type of deep-seated culture can help organizations limit the risks posed by unauthorized apps, spot telltale signs of social engineering attempts, and avoid loss of sensitive data.
Monitor your cyberhealth
As with any strategic initiative, there is no singular approach to mobile app security. If you need experienced guidance in designing and implementing a mobile security strategy, get in touch with CohnReznick’s Cybersecurity, Technology Risk, and Privacy practice. If you’re ready to assess the efficacy of your mobile security program, check out our cyberhealth workshop.
Any advice contained in this communication, including attachments and enclosures, is not intended as a thorough, in-depth analysis of specific issues. Nor is it sufficient to avoid tax-related penalties. This has been prepared for information purposes and general guidance only and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice specific to, among other things, your individual facts, circumstances and jurisdiction. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.