Taking Guesswork Out of Mobile Security

Lessons learned about how to deploy mobile security with peer-tested strategies that work

We live in a mobile-centric world, a fact that has not gone unnoticed by cyber criminals. In a classic application of the Willie Sutton approach, they continue to step up both the ferocity and the sophistication of their attacks because, simply put, mobile is increasingly where the money is nowadays.

Consider the following: The number of new mobile malware variants soared 54% last year, compared to 2016, according to Symantec’s recently released Internet Threat Research Report. What’s more, last year also saw an average of 24,000 malicious mobile applications blocked each day. And there’s no indication that there’ll be any letup in 2018.

That’s not going to derail what’s been a historic technology transition to mobile. At the same time, however, it underscores the extent of the challenge to security practitioners as the number of potentially vulnerable points of entry into their organizations increases exponentially each year.

Symantec recently surveyed customers who navigated this passage to get a better sense of what the process entails and what lessons it might offer to companies looking to put their own mobile security strategy in place.

When asked why they thought it was important to secure their mobile devices, more than 60% of the respondents mentioned the sensitivity of their data.

“This may seem very basic but if you go back a couple of years, many people were not as motivated about mobile,” said Symantec Mobile Security Specialist Brian Duckering. “We were still focused on traditional devices. But over time it has become pretty clear that mobile is a pretty big target for hackers and the people who want to infiltrate your companies and get to your data.”

More than 40% pointed to the ubiquity of mobile devices in people's lives as well as the range of threats they now must contend with.

“With mobile, [the devices] are always on,” Duckering noted. “Ask someone how long their mobile devices are turned off. They are always connected to the internet and it provides a huge target for malicious actors and hackers.”

Because people use their phones for both business and personal purposes, it opens up additional opportunities for attackers to deploy social engineering and other hacking techniques to try and infiltrate malware onto the devices.  

And it's not just malware. People are connecting to public networks when they are at home or traveling, logging into public Wi-Fi at coffee shops at airports. That offers attackers new ways to steal data by duping unsuspecting users with man-in-the-middle techniques.

So what were the most important things to keep in mind when organizations started their mobile security journeys?

One was a need to prioritize assets to protect and not try to protect everything - the focus being on critical content.

Another was a need to take end users into account. User needs were paramount, and it was incumbent to listen to them. In the end, happy users drive high adoption rates.

Lastly, productivity shouldn’t be impaired by the proposed solution. Don’t put demands on users that will drive them away. The process should be easy to deploy and use and should not result in a drain on device batteries.

“This was a pleasant surprise because we figured people would talk about tactics and strategies of a company about how to protect information,” Duckering recalled.  

He said the results reflected a priority on making sure that users were productive and could use their devices for work and personal uses - “and then make sure they are able to do that in a secure way.”

“You don't want to lock down everything,” he added, pointing to the growth of Shadow IT where users and departments go outside of normal corporate channels to procure products that they want.

“If it impedes their ability to do what they want to do, they will go around [the company] and it will have a negative impact on security,” according to Duckering.

Lastly, when it came to figuring out the most important requirements of a mobile security solution, the top considerations in the survey results spoke to the need for comprehensiveness. Users simply do not want piecemeal solutions.

The results also underscored the importance attached to making sure any solution aligned with the organization's priorities. It had to be reliable but it also needed to receive the proverbial thumbs up when it came to user experience and usability.

Use Case: The Royal Bank of Canada

The Royal Bank of Canada has offices around the world and employs 25,000 people. The bank needed a mobile solution that provided both added security and regulatory compliance. It also wanted a workable solution that users would embrace, not actively seek to circumvent, according to Brian Jacome, the Director of Applications and Controls at the bank.

“Being able to onboard users seamlessly with little or no manual intervention is a huge factor,” Jacome said. “We didn’t want calls coming into the help desk.”

When it came to figuring out the elements of a successful mobile security plan, Jacome said organizations need to make sure they understand the priorities of the business as well as of the users.

Echoing the survey findings, he said planning must put a priority on users’ needs and ease of use. It may be easier in theory than in practice, but the goal ought to be a seamless integration that fosters a low-effort deployment and does not require extra maintenance.

You can hear Jacome and Duckering discuss this in fuller detail in a recent webinar they participated in.

About the Author

Charles Cooper

Consulting Editor

Charles Cooper has covered technology and business for more than 25 years. He is now assisting Symantec with our blog writing and managing our editorial team.