October 22, 2024

How to Use a Risk-Based Vulnerability Management Model to Secure Mobile Dev

The typical workplace of the information age is no longer an office cubicle with a desktop PC. It’s an airplane seat, a comfy cafe chair, and a kitchen table — and it may not even have a company-issued device at its center.

Bring-your-own-device (BYOD) policies have spread because they deliver real productivity gains. Yet empowering employees to do their best work wherever they are, with whatever devices they have at hand, also comes with risks.

Risk-based vulnerability management with a focus on mobile devices is the best way to enable those productivity gains without sacrificing the security of your organization and its data. You already know the importance of defending against phishing attacks and other common aspects of modern breaches. Here’s how to add a mobile risk management model to your defenses.

What is risk-based vulnerability management for mobile devices?

Risk-based vulnerability management means ranking and addressing vulnerabilities by the exposure, or risk, each one actually poses to your organization, rather than treating every finding as equally urgent. Before we get into what that means for mobile devices, let’s quickly define our terms:

  • A vulnerability is a weakness in your organization or its infrastructure that could be exploited to misuse your assets. It could be an app with a remote code execution flaw, or an employee who hasn’t completed your anti-phishing training and can’t recognize a social engineering attempt.
  • A threat is an actor or event capable of exploiting that vulnerability. It could be an attacker looking for a way into your systems to deploy ransomware, or an employee who doesn’t realize that the data they’re sharing with a client from a personal email account isn’t protected.
  • A risk is the combination of how likely it is that a threat exploits a vulnerability and how much damage results when it does. Ranking risks by relative severity, or estimating their potential monetary impact, requires a data-driven approach to vulnerability management.

Given the many threats to endpoints that now reach corporate data through cloud services, this kind of practical, data-backed approach to vulnerability management is essential. And since a substantial share of those endpoints are likely to be mobile devices, proactive organizations must make mobile risk assessment a priority.

How do you identify and respond to risks across your mobile infrastructure? The answer depends on where those devices come from.

Corporate-owned devices

Though corporate-issued phones have become less common, they still hold substantial security advantages over BYOD. Above all, they allow comprehensive use of mobile device management (MDM). When employees know their devices are monitored for compliance, and when only an allowlist of approved apps and sites is reachable, the attack surface shrinks considerably. Yet MDM alone does not eliminate threats: it enforces configuration and policy, but managed devices still spend most of their time outside your security perimeter.

All mobile devices, including BYOD

Not every organization has the resources to supply and manage company phones or tablets. Even where such devices are provided, employees may not always have them at hand when and where they need to work. BYOD policies let employees use personal smartphones and other devices to get their work done. While BYOD is a boon for productivity, the large increase in potential vulnerabilities it entails (unknown patch levels, unvetted apps, no enforced configuration) calls for a holistic approach to mobile endpoint security.

Building your mobile application risk management checklist

Now that we’ve established what risk-based vulnerability management looks like for different kinds of mobile devices, it’s time to plan how to apply it. Each organization’s needs differ by headcount, by how people access their accounts and data, and by many other factors. Since there’s no such thing as one-size-fits-all security, here are the steps to take to arrive at the right answers for your organization.

1. Determine your risk tolerance

Before you can decide how aggressive to make your risk-based vulnerability management model, you must decide what constitutes a risk you need to address. The industry-standard Common Vulnerability Scoring System (CVSS) offers helpful guidance here, with one caveat: a CVSS base score rates the technical severity of a flaw, not the exposure it creates for your organization. Combine it with what you know about the device (managed or BYOD, patch level, whether it holds sensitive data) before deciding where a finding falls relative to your tolerance.

Clamping down for a “zero-tolerance” approach may sound like the logical way to keep your data safe. Yet employees who feel aggressive security measures limit their ability to do their jobs — via a deeply restricted app list, for instance, or a constant, time-wasting need to re-enter their login credentials — may try to sidestep those measures. If successful, they could open up new vulnerabilities your IT team is unprepared to monitor and protect.

2. Learn how to identify risky apps and sites

Some risky or even downright dangerous apps are obvious, especially when they require sideloading or jailbreaking to install, which bypasses the app store’s review process (and, with jailbreaking, the platform’s sandbox). Others open up vulnerabilities more subtly, for example through overly broad permissions that allow unintended access to sensitive data. Unfortunately, so many apps and online tools exist for so many purposes that even the most proactive IT department would struggle to track them all.

That’s one of the reasons it can be helpful to work with a cybersecurity partner like Lookout: our threat database is the largest in the world, with over 300 million apps scanned and documented for potential vulnerabilities.
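As an added illustration of steps 1 and 2 (this is example code written for this article, not Lookout’s scoring model or product), the Python below scores constructed mobile findings as likelihood times impact on a 1-to-5 scale, folds in device context (MDM-managed or BYOD, whether the device handles sensitive data, jailbreak status, sideloaded apps requesting broad permissions) alongside a CVSS base score, and keeps only the findings at or above a chosen risk tolerance. The permission weights, the device inventory, and the CVSS values are assumptions constructed for the example, not real CVEs or real apps.

```python
"""Added example: risk-based prioritization of mobile findings.

Constructed inventory and weights; not Lookout's scoring model.
Each finding is scored as likelihood x impact (both 1-5), adjusted for
device context, and compared with the organization's risk tolerance.
"""
from __future__ import annotations

import math
from dataclasses import dataclass, field

# Assumed weights for Android permissions that expose sensitive data or
# hand an app control over the device (constructed for this example).
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_SMS": 3,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.ACCESS_FINE_LOCATION": 2,
    "android.permission.RECORD_AUDIO": 3,
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 4,
}


@dataclass
class App:
    package: str
    permissions: set[str]
    sideloaded: bool = False   # installed outside the official store


@dataclass
class Device:
    owner: str
    managed: bool              # enrolled in MDM
    jailbroken: bool           # jailbroken or rooted
    os_cvss_max: float         # highest CVSS base score among unpatched OS flaws, 0 if none
    handles_sensitive_data: bool
    apps: list[App] = field(default_factory=list)


@dataclass
class Finding:
    device: str
    description: str
    likelihood: int            # 1-5: how likely a threat exploits this
    impact: int                # 1-5: how bad it is if one does

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def permission_risk(app: App) -> int:
    """Total weight of the sensitive permissions an app requests (0 if none)."""
    return sum(SENSITIVE_PERMISSIONS.get(p, 0) for p in app.permissions)


def assess_device(device: Device) -> list[Finding]:
    """Turn one device's posture and installed apps into scored findings."""
    # Impact is driven by what the device can reach, not by the flaw itself.
    impact = 5 if device.handles_sensitive_data else 2
    # Unmanaged devices have no enforced patch cadence or app policy.
    unmanaged_bump = 0 if device.managed else 1
    findings: list[Finding] = []

    if device.jailbroken:
        findings.append(Finding(device.owner, "jailbroken or rooted device", 5, impact))

    if device.os_cvss_max > 0:
        # CVSS (0-10) rates severity; halve it onto the 1-5 scale, then raise
        # likelihood for devices nobody forces to patch.
        likelihood = min(5, math.ceil(device.os_cvss_max / 2) + unmanaged_bump)
        findings.append(Finding(device.owner,
                                f"unpatched OS (max CVSS {device.os_cvss_max})",
                                likelihood, impact))

    for app in device.apps:
        weight = permission_risk(app)
        if app.sideloaded:
            weight += 3            # skipped store review entirely
        if weight == 0:
            continue
        likelihood = min(5, 1 + weight // 2 + unmanaged_bump)
        findings.append(Finding(device.owner, f"risky app {app.package}", likelihood, impact))

    return findings


def prioritize(devices: list[Device], tolerance: int) -> list[Finding]:
    """Findings at or above the risk tolerance, highest score first."""
    findings = [f for d in devices for f in assess_device(d)]
    return sorted((f for f in findings if f.score >= tolerance),
                  key=lambda f: f.score, reverse=True)


# Constructed inventory; CVSS values are illustrative, not tied to real CVEs.
INVENTORY = [
    Device("alice (corporate, MDM)", managed=True, jailbroken=False,
           os_cvss_max=7.8, handles_sensitive_data=True,
           apps=[App("com.example.notes", {"android.permission.INTERNET"})]),
    Device("bob (BYOD)", managed=False, jailbroken=False,
           os_cvss_max=9.8, handles_sensitive_data=True,
           apps=[App("com.example.flashlight",
                     {"android.permission.READ_SMS",
                      "android.permission.READ_CONTACTS",
                      "android.permission.ACCESS_FINE_LOCATION"},
                     sideloaded=True)]),
    Device("carol (BYOD)", managed=False, jailbroken=True,
           os_cvss_max=0.0, handles_sensitive_data=False,
           apps=[App("com.example.game", {"android.permission.INTERNET"})]),
]

if __name__ == "__main__":
    for f in prioritize(INVENTORY, tolerance=12):
        print(f"{f.score:>3}  {f.device:<24} {f.description}")
```

With a tolerance of 12, Bob’s unmanaged phone produces the two highest-scoring findings (a high-severity unpatched OS and a sideloaded app with SMS, contacts and location access), Alice’s managed corporate device still surfaces its unpatched OS, and Carol’s jailbroken personal device drops below the line only because it holds no sensitive data; lowering the tolerance to 10 brings it back into the queue. The point of the exercise is that the same CVSS number lands in different places depending on device context and on where you set the threshold.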

3. Draft your mobile risk management policy

With the groundwork laid, it’s time to lay out a formal mobile risk management policy for your organization. Working with an experienced partner can make a big difference here, but it’s worth remembering that providing any amount of guidance and consistency is better than leaving potential issues unaddressed.

Don’t feel as if you need to cover every detail and get everything exactly right the first time. This process is about minimizing risks overall rather than crafting a specific policy for each potential issue. You should plan to revisit and revise your approach to mobile app risk management on a regular basis.

4. Educate your team

No cybersecurity policy can be effective if it’s only enforced from the top down. To keep your infrastructure and data secure, you must ensure buy-in from across your organization. That starts with education.

Use a mix of informative messages, meetings, and reference materials to let employees know the important role they play in your organization’s cybersecurity posture. Lay out what steps they can take to do their part. Ensure these materials and instructions are readily available, regularly updated, and included in both onboarding and refresher training.

Empower your risk-based vulnerability management with mobile EDR

To combat risks across your mobile endpoints, you need to remediate vulnerabilities and identify threats. That can be a complex task, particularly for organizations with BYOD policies that span a range of hardware, OS versions, and installed apps. A mobile endpoint detection and response (EDR) solution can identify risky apps and malicious sites, and it can even help spot social engineering attempts and block attacks from known threat actors.

Find out more ways EDR may be an asset to your organization in The Mobile EDR Playbook: Key Questions for Protecting Your Data.
