Earlier this week Gartner held a free webinar with the topic of 'Failure Proof' Mobile Security, during which analyst John Girard covered key security practices for enterprises tackling mobility, along with an immediate action plan for CISOs to build a mobile security strategy. The presentation launched saying "Mobile is the Rule, Not the Exception." Many enterprises are struggling to keep up with the mobile behaviour of their employees despite proof points showing support for these behaviours leads to positive organizational change, increased productivity, and overall business growth. Security has been a major barrier to adoption for enterprises tackling mobile and has become a leading topic of conversation among IT leaders.
Here are Gartner's key implementations for successful mobile security:
Keep all your systems patched and up to date — This was the number one priority and while it may seem obvious, user education is lacking. Gartner stated that 90% of exposed vulnerabilities are related to patches that have been available for more than a year. This means that security loopholes are discovered, fixes are released, yet users still sit vulnerable for at least 12 months. This is certainly a quick and easy way to improve security!
Anticipate and minimize complexity when possible — While Gartner was referring specifically to device fragmentation and the support issues it causes, the multitude of complexity found across systems, policies, and development can also create security risks. Reducing complexity will empower teams to focus on the high value problems, which ultimately increases innovation.
Prioritize interesting mobile security challenges — 78% of security help desk costs relate back to BYOD and OS / patching issues, meaning that as a way to reduce about 80% of costs and energy of support teams, these should be a first point of attack when implementing mobile security controls. A recommended way to discover the priorities was to go through a Pareto analysis.
Don't ignore BYOD! — Even if you do not intend to support BYOD, policies should still be put in place. 50% of users bring their own devices and connect them to corporate networks withouttheir employer's knowledge, leading to gaping security holes. Since this is happening regardless of policy, make sure to add multiple security layers to protect against vulnerabilities.
Conduct periodic mobile security self-assessments — Explore how to handle people, processes and IT when security could be impacted. Assessments will define policies, processes and security organizations, and ultimately lead to user awareness.
Set common security policies for all company and personal mobile devices — these policies include PIN codes, "No Jailbreaking" policies, offering identity certificates by invitation only, disconnecting users who install unsecure apps, and various other cross-organizational security policies. At a minimum, you'll tighten up a lot of security vulnerabilities that stem from human error and lack of formal training.
Wrapping up the session was actionable advice to be acted upon immediately. First, take an inventory of the successful and failed mobile security initiatives across your organization. Then, quantify the costs of poor mobile security. This exercise will act as a catalyst for creating change moving forward.
Within the first 90 days post initial assessment, train operations and security staff to gather requirements from users to inform security policies and decisions. Additionally, prioritize mobile security investment plans based on user's wants and needs, as this will be key to successful program adoption.
Over the next 12 months, establish a Mobile Center of Excellence (COE) that includes user representation. COE's are collections of people, processes, tools and expertise that will work across an organization and provide guidance and execution on all things mobile. We've talked about thisin the past, and will have more information available over the next several months that will help you build the foundation of your COE.
If you'd like further information on the leading mobile security threats and how you can best protect against data breaches, check our our whitepaper!