With remote work and BYOD (bring-your-own-device) policies becoming the norm, attack surfaces have grown exponentially. Organizational risk is no longer limited to the office. It has spread to the cloud, third parties, and employee devices.
Unfortunately, organizations aren’t doing much to ensure the risk to mobile devices is being mitigated. Verizon’s latest Mobile Security Index report indicates that successful compromises on company mobile devices went up 53% last year, compared to 30% in 2018. The report also says that 64% of companies believe they’re at a significant or extreme risk of mobile device threats.
Mobile device management (MDM) was once hailed as a panacea for corporate device protection. Unfortunately, this isn’t the case. The flaws of MDM are baked into the words themselves—MDM is a mobile device management tool, not a cybersecurity tool. The difference between the two is quite significant, as we’ll delineate below.
Furthermore, MDM isn’t ideal for BYOD devices, which leaves these devices, and the organizations using them, wide open to attacks.
Traditional MDM works as a last-mile line of defense, and it only does this once the compromise has already occurred. In those cases, MDM kicks in to contain the inciting element, or alert a security department of an issue, whether it’s malware or an unauthorized user.
However, even that is a best-case scenario. Most organizations struggle with MDM adoption because employees often bristle at the thought of downloading an app that will monitor and control their activities.
While any solution is better than none, few organizations understand why mobile device security is important enough to make it a priority.
Our connectedness and “always online” culture means employees are using mobile devices to do work much more often, even during off-hours. The statistics Verizon reveals about this are compelling:
A study by Gartner found that 40% of professionals working for large companies in the USA use their personal devices for at least some work purposes.
The increase in mobile-centric work means employee devices have access to company accounts, data, and files anytime and anywhere—including when employees are at home, at a coffee shop, or in an airport. In the latter two cases, they may be exposing themselves (and their companies) to critical risk. Accessing sensitive data or communication channels via public WiFi networks on unsecured networks creates the potential for bad actors to intercept or snoop on the activity.
Without visibility into these devices or remote device management capabilities, a company can’t catch threats until it’s too late. Just some of the things threat actors can do on a device include:
Cybercrooks know that mobile devices are an excellent way into an organization. Data from Q2 2024 detected more than 80,000 malicious apps on enterprise mobile devices and Kaspersky found a 50% increase in attacks on mobile devices in 2023 compared to the year before.
In one example, The U.S. Consumer Financial Protection Bureau (CFPB) completely banned its employees from using mobile phones for work after discovering a massive breach in the US telecommunications infrastructure. A hacking group called Salt Typhoon from China broke into Verizon and AT&T, which prompted fears of eavesdropping. The hack reportedly gave the hacker group access to call recordings of high-profile individuals, “including members of the Trump and Harris presidential campaigns.”
The Pegasus spyware has been found on devices belonging to EU politicians as part of a growing crisis where this spyware has been targeting members of the European Parliament. The malware has also been used to target business leaders, as discovered by mobile device security firm, iVerify.
In a tragically ironic case, Mobile Guardian, a UK-based mobile device management company, suffered a cyberattack on August 4, 2024, that resulted in approximately 13,000 iOS and ChromeOS devices being remotely wiped. This incident followed a previous security breach in April that exposed personal data from 127 Singaporean schools.
This risk to mobile devices affects both individuals and organizations, especially for high-value targets such as politicians and business leaders.
Mobile device security—especially for BYOD devices—falls under the umbrella of shadow IT. Users have full control of their devices, allowing them to install potentially dangerous apps or to access unsecured WiFi networks. Just the use of these devices without organizations knowing about them is a risk.
The Verizon Mobile Security Index report mentioned earlier says this about BYOD devices: “In reality, adopting a BYOD policy means making a concession: It’s the same as saying that some shadow IT is okay. If employees are allowed to use their personal devices at work, everyone in the organization is entrusted with responsibilities that once belonged only to the IT department.”
However, BYOD is essential and has become the new normal for many companies because the cost of buying and managing company devices for all employees can be prohibitively expensive. Companies often struggle to fight against a natural way of working, as well as employees who often don’t want to carry around two phones to get their work done.
The solution isn’t to complicate BYOD, but rather to improve security on BYOD devices.
While there are solutions and tools organizations have access to, it’s important to consider mobile device security holistically and prioritize principles that build resilience.
Improve your visibility. You can’t manage what you can’t see. Visibility is the most important aspect to address for mobile device security. Without real-time visibility into device status, app usage, and data access patterns, security teams cannot detect threats and take action effectively.
Assess your internal risk. Not all businesses face the same risk, just as not all device types face the same risk. For example, an iOS device won’t have the sideloading risk that Android devices do, and different Android devices have different levels of security. Even the type of work that’s done on a mobile device will inform the threat to your organization.
A proper risk assessment should incorporate:
The more accounts your employees can sign into on their devices, the higher the risk. Think of the communication, email, and cloud-based apps the devices are logged into.
After the assessment, you can then properly identify what you need regarding mobile device security.
Traditional MDM solutions typically require an “all-in” approach, where the company controls all aspects of the device. This is invasive for BYOD devices and introduces friction. Users naturally push back against this because it feels like it’s crossing a personal privacy line, which, in turn, can impede a solution from being implemented easily.
By opting in to MDM on a personal device, employees are surrendering much of the control of their devices to an employer. The employer might literally have the power to erase that device completely, including personal photos, files, or anything else that may have nothing whatever to do with work. That’s a big ask for any employee, no matter how good the pay.
For corporate devices, MDM offers only surface-level compliance. For example, users can’t turn off the firewall of provisioned devices. Unfortunately, traditional MDM offers little to no support for brute force or automated attacks, something at which traditional cybersecurity tools excel.
Most MDM solutions also offer little visibility into device health, providing only a minor set of metrics. IT admins must often write custom scripts to obtain more data from the device, which in itself can open the door to more security holes.
To address the limitations traditional MDM tools have, mobile MDR solutions have emerged.
Mobile MDR takes a different approach. It focuses on detecting anomalies related to malware and threat vectors, rather than monitoring everything the user is doing. Mobile MDR solves the main mobile problem businesses have, which is proactively protecting company data.
SolCyber has recently partnered with iVerify, a leading provider of mobile EDR solutions to provide a fully-managed mobile protection solution. iVerify uses a minimally intrusive technology to monitor mobile devices without compromising a user’s privacy. The solution works equally well with BYOD and company devices.
To learn more about how you can protect your mobile workforce, contact us today for a demo.
By subscribing you agree to our Privacy Policy and provide consent to receive updates from our company.
