Top 3 Challenges of Implementing MDM in any Organization

Hwei Oh
07/23/2025

The risks of mobile devices are well-documented. For example, we’ve previously written about how traditional mobile security falls short and how iOS devices aren’t breach-proof.

Mobile risks aren’t just personal risks. Mobile device compromises can lead to corporate data breaches, intercepted business communications, and compromised third parties. Research carried out by Imprivata discovered that only 40% of company devices can be easily accessed by IT teams in cases of breaches, leaving 60% vulnerable. Even worse, 55% of respondents didn’t believe they could effectively protect sensitive data on lost devices.

Mobile Device Management (MDM) has traditionally been touted as the solution to prevent such catastrophes. Unfortunately, MDM was never intended to be an all-encompassing mobile device security solution. It was developed as a management solution, primarily to ensure compliance and provide basic security controls for employer-owned mobile devices.

Initially, MDM solutions were simple tools focused on basic device provisioning and inventory management so companies could catalog their devices. BlackBerry Enterprise Server (BES) was one of the first comprehensive MDM platforms, allowing businesses to manage their BlackBerry devices. MDM solutions then expanded to include the new mobile devices on the market, specifically Android and iOS.

Unfortunately, the threat landscape has surpassed the capabilities of MDM solutions. The Apple iPhone was a game changer, followed by Android, both of which have created a digital revolution. Each of these devices represents a powerful computer in your pocket—a computer with access to company data and secrets.

Hackers are aware of this and have invested a lot of time developing exploits and finding ways to compromise mobile devices.

Unfortunately, organizations too often think MDM is the best (or only) solution available to mitigate risk. In reality, MDM isn’t enough, and a large part of that is due to implementation problems. Several challenges exist in implementing MDM effectively, impacting how well it can actually protect an organization. Here are the top three challenges companies face:

1. MDM runs into a lot of user friction

MDM has failed to keep up with new working practices. MDM solutions were designed for corporate devices, but many companies now follow a BYOD (“Bring Your Own Device”) policy.

MDM requires employees to download an app that provides 24/7 monitoring. Installing that app is overly invasive and effectively gives a company control of employees’ personal devices, an action they would naturally resist.

While this can be effective for employer-owned devices, implementing MDM for BYOD devices often becomes a struggle between management and employees. However, security leaders need to find a way to secure BYOD devices, and low MDM adoption works directly against that goal.

This problem grows larger as BYOD adoption grows. In the United States, 82% of businesses use a BYOD policy, with almost 50% insisting on employees using their own devices. BYOD results in $341 in savings per employee, so the incentive to use BYOD is high.

However, if employees use their own devices, no guarantee exists that they will utilize the MDM solution the company provides.

2. Lack of enforceability = lack of adoption = lack of visibility

Whereas security leaders can enforce MDM on employer-owned devices, they can’t on BYOD. Since BYOD is becoming the norm at most organizations, this poses a massive problem. Companies need a non-invasive solution that employees want to install.

The inability to enforce MDM results in mixed adoption, which means the security department has less visibility into devices. Even a 5% lack of visibility into devices interacting with networks and assets can lead to massive security breaches. An organization is only as strong as its weakest link, and weak links are abundant amongst unsecured or unmanaged devices.

Mobile devices have the additional problem of being carried everywhere. Unlike business desktop computers that sit behind locked doors at night, we carry our mobile devices everywhere, so human error can easily lead to a lost device that results in stolen data.

The 5% visibility gap grows in direct proportion to the number of users who have BYOD devices. Huge swaths of devices could engage in risky behavior without the company’s security department even knowing about it. That makes MDM less than effective.

3. Employee satisfaction and trust

Employee satisfaction and trust also come into play here. Low levels of either increase the risk of insider threats and retribution for perceived grievances.

Enforcing invasive MDM policies can cause employees to feel disgruntled or grow less satisfied with the employer. Similarly, employees who are already dissatisfied might refuse to comply with the request to implement MDM on their devices purely to open the employer to risk.

Invasive MDM policies can exacerbate employee dissatisfaction that manifests as resistance to security measures. If employees perceive these policies as privacy violations, they might retaliate by refusing to install MDM on their devices and by generally bristling at or resisting other security policies.

This non-compliance directly undermines business objectives. In employees’ eyes, it also turns the security department into an organizational adversary rather than a partner. The security team’s effectiveness becomes compromised as their initiatives face growing internal opposition. This adversarial relationship can ultimately lead to increased company costs because security measures become less effective despite increased enforcement efforts. The counterproductive cycle ultimately weakens the organization’s overall security posture.

MDM shouldn’t be the only mobile risk solution considered

From the ground up, MDM wasn’t built to provide mobile security, so it has failed to keep up with the immense security needs of these devices. It shouldn’t be considered a comprehensive solution for mobile security risks. Even if all employees did implement it without resistance, MDM solutions have limitations that leave large security gaps.

Given the modern threat landscape, a device must be able to detect anomalies alongside signature-based threats. However, most MDM solutions are limited in their detection abilities, often working best once a compromise has already occurred.

For example, MDM solutions lack the proactive threat-identification capabilities that EDR and MDR solutions have.

An MDM’s incident response functionality—if it has one—is often reactive rather than preventive. MDM offers no support for active threat hunting.

Security leaders looking to properly address mobile risks should seriously consider implementing Mobile EDR solutions as part of their security architecture.

Mobile EDR solutions offer significantly more effective protection against modern mobile threats. These tools work earlier in the attack chain, identifying and neutralizing threats before they can fully execute. They accomplish this while being considerably less invasive than traditional MDM implementations, which helps maintain employee satisfaction and compliance.

When security incidents do occur, Mobile EDR solutions can substantially reduce the damage by containing compromises quickly and providing better visibility into the attack.

Rather than relying solely on MDM for mobile security, organizations should recognize it as just one component in a broader security strategy. For organizations seeking more information about comprehensive mobile security approaches, SolCyber offers resources and expertise in implementing effective mobile protection strategies.

Photo by William Hook on Unsplash
