November 5, 2024
How to Apply the NIST Framework to Your Mobile Security Strategy
If mobile devices aren’t a high priority in your security posture, they should be. About two-thirds of employers consider smartphones “critical to agility and speed of decision-making,” and some would even consider phasing out PCs entirely. As a starting point, consider using the National Institute of Standards and Technology (NIST) cybersecurity framework.
This set of guidelines from the U.S. government provides simple, actionable steps to improve your digital security practices for both computers and mobile devices. While NIST publishes quick-start guidance aimed at small and medium-sized businesses, the agency says that any organization can use the framework to “better understand, assess, prioritize, and communicate their cybersecurity efforts.”
The NIST framework is voluntary guidance rather than a mandatory standard, and it describes general outcomes rather than industry-specific practices. Even so, it is a helpful starting point for strengthening mobile security. By following the NIST suggestions, you can manage mobile threats, protect employee devices, and safeguard your organization’s sensitive online data.
What is the NIST framework?
Before discussing NIST mobile security specifically, it’s worth covering what the agency does more generally. NIST, part of the U.S. Department of Commerce, develops measurement standards and technology for science and industry. The agency was founded in 1901 as the National Bureau of Standards and took its current name in 1988, but the federal government’s power to “fix the Standard of Weights and Measures” goes back further: it is written into Article I, Section 8 of the Constitution.
The NIST Cybersecurity Framework was first published in 2014 and provides a set of best practices for both private and public organizations. Following it is voluntary: NIST does not audit organizations for compliance. However, the framework provides an excellent foundation for a robust cybersecurity strategy, organized into five core functions:
- Identify all the software and hardware you use.
- Protect your data through software, encryption, and employee training.
- Detect unauthorized access.
- Respond to potential breaches.
- Recover after an attacker has compromised your network.
CSF 2.0, released in February 2024, added a sixth function: “Govern.” It is less a discrete step than the context in which the other five operate. Govern covers setting the organization’s cybersecurity risk management strategy, expectations, and policy, and assigning roles and responsibilities so that someone is accountable for the program. None of the other functions can happen without this one.
While the official NIST Cybersecurity Framework (CSF) 2.0 document only mentions mobile security once, in 2023, the agency released NIST 800-124 Rev. 2: Guidelines for Managing the Security of Mobile Devices in the Enterprise, which provides guidance for implementing robust mobile security.
To get started, consult the official NIST CSF 2.0 website. From there, you can refer to the agency’s quick-start guides, including resources for both small businesses and enterprise-level organizations.
5 functions of the NIST cybersecurity framework
To help you implement better mobile security based on the NIST framework, we’ve compiled a mobile security checklist that maps the five core functions to smartphones and tablets.
Identify
During the “Identify” function, organizations take a complete inventory of the hardware and software they use and assess the risk each item carries. This process is the same for mobile devices as it is for desktops and laptops.
Find out every type of smartphone and tablet that your employees use, as well as the operating system and version of each one. This will most likely include both company-issued and bring-your-own-device (BYOD) hardware. From there, determine which apps are present on each device. Once you have a complete list, check each operating system version against the vendor’s currently supported releases and each app against published vulnerability advisories to find anything with known weaknesses.
Remember that your vendors and other third-party contractors may also have access to some of your data. Be sure to include them in your analysis.
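The inventory step above is easier to act on once the export from your MDM or asset system is triaged automatically. The script below is an added example, not part of the original article or of any NIST publication: it reads a constructed CSV export (the device records, the minimum-OS baseline in MIN_OS_VERSION and the deny list in DENIED_APPS are all invented for illustration), flags devices running below the baseline or carrying a denied app, and counts devices by ownership so third-party and BYOD hardware is visible alongside corporate devices. Version strings are compared numerically rather than as text, which matters because a plain string compare ranks "16.7.10" below "16.7.9".

```python
"""Added example: triage a constructed mobile-device inventory export.

Flags devices whose OS is below an assumed minimum patched version and
devices carrying apps on an assumed deny list. Baseline versions, device
records and app names are made up for illustration; substitute your own
MDM export and patch baseline.
"""
import csv
import io
from collections import defaultdict

# Constructed MDM export (not real data). ownership: corp, byod or third_party.
INVENTORY_CSV = """device_id,owner,ownership,platform,os_version,apps
d-001,alice,corp,ios,17.6.1,Mail;Slack;Okta Verify
d-002,bob,byod,android,13,Gmail;ShadyVPN;Slack
d-003,carol,corp,android,14,Gmail;Slack
d-004,dave,byod,ios,16.7.10,Mail;ShadyVPN
d-005,acme-vendor,third_party,android,12,Gmail
"""

# Assumed minimum patched versions (hypothetical baseline, not NIST's).
MIN_OS_VERSION = {"ios": "17.6", "android": "14"}

# Assumed app deny list (hypothetical app name).
DENIED_APPS = {"ShadyVPN"}


def parse_version(v: str) -> tuple:
    """Turn '16.7.10' into (16, 7, 10) so comparison is numeric, not lexical."""
    return tuple(int(p) for p in v.split(".") if p.isdigit())


def version_below(actual: str, minimum: str) -> bool:
    """True when actual < minimum, padding '14' to '14.0.0' as needed."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    a += (0,) * (width - len(a))
    m += (0,) * (width - len(m))
    return a < m


def load_inventory(text: str) -> list:
    """Parse the CSV export; the apps column is a ';'-separated list."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["apps"] = [x for x in r["apps"].split(";") if x]
    return rows


def triage(rows: list) -> dict:
    """Return findings keyed by device id, plus device counts per ownership."""
    findings = {}
    by_ownership = defaultdict(int)
    for r in rows:
        by_ownership[r["ownership"]] += 1
        issues = []
        minimum = MIN_OS_VERSION.get(r["platform"])
        if minimum and version_below(r["os_version"], minimum):
            issues.append(f"os_below_baseline:{r['os_version']}<{minimum}")
        for app in r["apps"]:
            if app in DENIED_APPS:
                issues.append(f"denied_app:{app}")
        if issues:
            findings[r["device_id"]] = issues
    return {"findings": findings, "by_ownership": dict(by_ownership)}


if __name__ == "__main__":
    report = triage(load_inventory(INVENTORY_CSV))
    for dev, issues in report["findings"].items():
        print(dev, ", ".join(issues))
    print("ownership counts:", report["by_ownership"])
```

On the constructed data this flags d-002, d-004 and d-005, and the ownership count shows that one of the out-of-date devices belongs to a vendor, which is exactly the third-party exposure the previous paragraph warns about.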
Protect
The most practical step in the NIST framework is the “Protect” function. This is where IT managers control who can log into their network, encrypt their organization’s sensitive files, back up data on a regular basis, and update all relevant software and firmware. However, with hundreds of different cybersecurity and cloud service providers, this is also the most open-ended step. Thorough research into the various options on offer can pay dividends here.
Still, dealing with technology represents only half of the protection phase. The other half is employee training. Your staff should be able to recognize common threats to mobile devices, such as phishing, malicious websites, and weak passwords. NIST also recommends that employees activate multi-factor authentication (MFA), particularly for their email and banking accounts.
Detect
The “Detect” function is where your IT department finds unauthorized users, either in real time or after the fact. In theory, the only people who access your network via mobile devices should be organizational employees using their own login information. In practice, threat actors can get hold of usernames and passwords via social engineering, credential stuffing, and similar underhanded methods. The signals that give them away include repeated failed logins against many different accounts from a single source, and successful sign-ins from devices that were never enrolled for the account in question.
One potential countermeasure is mobile threat intelligence. Using artificial intelligence (AI) and machine learning (ML), a mobile threat intelligence platform keeps you informed about the latest mobile threats and can flag activity associated with active cybercrime groups and advanced persistent threats (APTs).
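The two signals described above can be expressed as simple detection rules over sign-in events. The code below is an added example and not from the original article or from any vendor product: it runs over a handful of constructed sign-in lines (the timestamps, usernames, addresses and device IDs are invented, and the ENROLLED table standing in for the MDM’s device-to-user mapping is assumed), raises one alert when a single source IP fails against five or more distinct accounts inside a five-minute window, and another when a successful login arrives from a device not enrolled for that user. The thresholds are placeholders to tune against your own traffic.

```python
"""Added example: two detections over constructed mobile sign-in events.

1. credential stuffing: one source IP failing against many distinct
   accounts inside a short window;
2. a successful sign-in from a device not enrolled for that account.
Event lines, thresholds and the enrollment table are invented for
illustration; real SIEM and identity-provider schemas differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events (not real logs): "ts user src_ip device_id result"
EVENTS = """\
2024-11-05T09:00:01Z alice 203.0.113.7 dev-a1 FAIL
2024-11-05T09:00:03Z bob 203.0.113.7 dev-b9 FAIL
2024-11-05T09:00:05Z carol 203.0.113.7 dev-c3 FAIL
2024-11-05T09:00:07Z dave 203.0.113.7 dev-d4 FAIL
2024-11-05T09:00:09Z erin 203.0.113.7 dev-e5 FAIL
2024-11-05T09:00:11Z erin 203.0.113.7 dev-e5 SUCCESS
2024-11-05T09:15:00Z alice 198.51.100.20 dev-a1 SUCCESS
2024-11-05T09:20:00Z alice 198.51.100.20 dev-a1 FAIL
2024-11-05T10:00:00Z bob 192.0.2.44 dev-b1 SUCCESS
"""

# Assumed enrollment table: device ids the MDM knows for each user.
ENROLLED = {"alice": {"dev-a1"}, "bob": {"dev-b1"}, "carol": {"dev-c1"},
            "dave": {"dev-d1"}, "erin": {"dev-e1"}}

STUFFING_WINDOW = timedelta(minutes=5)   # placeholder threshold
STUFFING_MIN_ACCOUNTS = 5                # distinct accounts failed from one IP


def parse_events(text):
    """Parse the space-separated lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        ts, user, ip, dev, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "device": dev,
                       "result": result})
    return sorted(events, key=lambda e: e["ts"])


def detect_credential_stuffing(events):
    """Sliding window of failures per source IP; fire once per IP when the
    window holds at least STUFFING_MIN_ACCOUNTS distinct usernames."""
    alerts = []
    window = defaultdict(list)   # ip -> [(ts, user), ...] failures in window
    fired = set()
    for e in events:
        if e["result"] != "FAIL":
            continue
        w = window[e["ip"]]
        w.append((e["ts"], e["user"]))
        while w and e["ts"] - w[0][0] > STUFFING_WINDOW:   # expire old ones
            w.pop(0)
        users = {u for _, u in w}
        if len(users) >= STUFFING_MIN_ACCOUNTS and e["ip"] not in fired:
            fired.add(e["ip"])
            alerts.append({"rule": "credential_stuffing", "ip": e["ip"],
                           "accounts": sorted(users), "at": e["ts"]})
    return alerts


def detect_unenrolled_success(events, enrolled):
    """Successful sign-in from a device that is not enrolled for that user."""
    return [{"rule": "unenrolled_device_success", "user": e["user"],
             "device": e["device"], "ip": e["ip"], "at": e["ts"]}
            for e in events
            if e["result"] == "SUCCESS"
            and e["device"] not in enrolled.get(e["user"], set())]


def run(text=EVENTS, enrolled=ENROLLED):
    """Run both rules and return the combined alert list."""
    ev = parse_events(text)
    return detect_credential_stuffing(ev) + detect_unenrolled_success(ev, enrolled)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed events the stuffing rule fires for 203.0.113.7 at the fifth distinct account, and the enrollment rule fires for erin, whose password was guessed and then used from a device the MDM has never seen. The later alice and bob events are ordinary activity from enrolled devices and produce nothing.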
Respond
Hopefully, your organization will never need to deal with a successful cyber attack. However, over the past few years, some of the most influential and best-protected tech companies on Earth have fallen victim to data breaches. Part of developing a responsible cybersecurity strategy is having a plan for the worst-case scenario.
This is the “Respond” step in the NIST framework. The agency recommends that, in the event of a data breach, you notify your customers, vendors, and employees as soon as possible. You should also figure out a way to contain the damage so that your organization can remain operational while you recover. NIST also suggests that you decide in advance which staff members will field queries from customers, law enforcement, and media representatives.
Recover
The final function in the NIST cybersecurity framework is to “Recover.” Following any kind of data breach, your organization should be able to restore affected systems and data from the backups made during the Protect stage, determine what went wrong, which files were compromised, and how to mitigate further attacks. NIST also recommends that you communicate with both stakeholders and employees to tell them what went wrong and how you plan to prevent similar incidents in the future.
Ideally, your organization will never be in this position. However, having a plan in place can help you respond more effectively if and when things do go wrong.
Make mobile EDR part of your cybersecurity strategy
Following the NIST framework guidelines requires a proactive cybersecurity strategy for computers and mobile devices alike. One way to keep your organization’s smartphones and tablets secure is with mobile endpoint detection and response (EDR) from Lookout. This technology can empower employees by helping them recognize phishing attempts and malicious websites. It can also alert IT managers to common mobile threats and known threat actors.
For more information on mobile security, read the Lookout e-book The Mobile EDR Playbook. In it, you’ll learn four questions that can help evaluate your current cybersecurity posture, particularly where it concerns smartphones and tablets. By securing your staff’s mobile devices, you can help protect your organization’s most sensitive data.