How to Protect Corporate Mobile Devices
There are several essential questions organizations must answer with regard to the protection of corporate mobile devices. What threats do we protect work smartphones from? Which mobile operating systems are more secure? How do approaches to combat threats depend on the chosen policy—BYOD, COPE, CYOD? What tools and methods are relevant today in the mobile security segment—containers, mobile anti-virus, zero-trust or other means? How effective are mobile threat defense solutions?
The Use of Mobile Devices in the Corporate Sector
How are mobile devices used in business? Does a phone or tablet connect to important business systems?
Mobile devices have become a big part of our life. They help keep track of various events through calendars notifications, instant messengers and other programs. Thanks to modern solutions, you can use your phone or tablet to create video and other types of content. In a corporate setting, some tasks are still best completed using desktop computers, but as mobile devices get more powerful, it’s conceivable that soon, almost every business-related task could be handled on a mobile device instead.
Software-as-a-service (SaaS) and cloud computing, not to mention the advent of COVID-19, pushed many companies to adopt bring your own device (BYOD) policies. Employees use their own devices—laptop, desktop, mobile phone, tablet— for work purposes. They exchange email and documents, work with calendars, communicate in instant messaging programs and collaboration tools, and access business apps that live in the cloud. Critical business information, including confidential data, is now often circulated through mobile devices.
Understanding the Mobile Threat Landscape
Before building a defense, you need to understand what to defend against. To what extent are the threats relevant to mobile devices different or the same as the attack vectors relevant to desktops and laptops?
External threats targeting mobile devices are primarily related to the possibility of exploiting vulnerabilities in operating systems. Another attack vector involves mobile apps containing malicious code. These can be found even in the official repositories of both iOS and Android operating systems. In the case of Android, there are also third-party app stores.
Attacks through instant messenging, QR codes, SMS and social engineering and deep fakes, as well as traditional threats related to phishing and brand hijacking are all potential threat vectors for attackers targeting mobile devices.
It should be noted that the phone and tablet are not always the end targets of attackers. Often, a mobile device is only a means to another malicious end; for example, to install a keylogger and obtain a multifactor authentication code that can be used to access other systems.
There also are threats involving wireless communication channels, which more often occur with regard to mobile devices than in stationary systems, as well as the peculiarities of using geolocation services to track a target. Today, a mobile device has become in some ways a personal identifier to which many services and applications are tied. This requires additional protection.
How to Secure Mobile Devices
There are a few options for organizations when it comes to protecting mobile devices. The first is providing employees with a corporate-secured device; essentially a “kiosk” that is not intended for everyday use. Another option is to provide a mobile device but retain enterprise control over all business and personal apps and access to cover and control more attack vectors.
Finally, organizations can require users that use their own personal devices to protect them with specialized security tools.
Mobile Security Tools and Approaches
What are the approaches to securing mobile devices? What means does the company have to ensure the security of smartphones and tablets? Is virtual desktop infrastructure (VDI) security justified on mobile devices?
One of the primary methods of mobile device protection is containerization. This mechanism helps to provide access to corporate data and services without affecting the privacy of a phone or tablet. The specific method involves segregating personal and corporate data by creating a logical container that compartmentalizes the personal and corporate data on the devices.
With containerization, you can use an encapsulated application that includes all the functions needed for an employee to perform their job duties. This approach fits well with BYOD initiatives.
Another option is to use a mobile device management (MDM) solution that wraps standard enterprise applications in a container.
However, even if you use an encrypted container, the mobile operating system still needs to be protected. To do this, there are mobile threat defense (MTD) systems that ensure that the operating system is secure and provide protection against all types of attacks. Such tools can be integrated with other defenses and, for example, instruct the MDM server to “close” the container if the phone is under attack or compromised.
Some developers of information security products offer multifunctional solutions that combine all or several means of protection.
There has been an increase in the popularity of unified endpoint management (UEM), which assumes the use of the same security solutions for both desktop and mobile devices. Such tools are easier and cheaper to maintain than highly specialized systems focused on a specific segment.
Another method of securing mobile devices is to turn them into thin clients. In this case, the need for specialized protections is also eliminated since security measures are applied to the virtualization environment.
When discussing vulnerability management and update management on mobile devices, there are additional strategies to consider:
- Refuse to use certain devices if a vulnerability or malware is detected at the OS and system utilities level.
- Understanding vulnerabilities at the hardware level.
- Block access to corporate resources unless current patches and operating system updates are installed.
- Practice a defense-in-depth approach and use additional security tools to address vulnerabilities not closed at the OS level.
The protection of corporate mobile devices requires slightly different approaches than the protection of desktop systems. While a company simply cannot fully control employees’ mobile devices, there are ways to securely integrate them into its business processes.