Smartphones and tablets can be invaluable tools in the workplace. They can also be tempting targets for cyber threats. Mobile attacks are on the rise, and outdated operating systems and misconfigured devices only exacerbate the issue. To protect your data, your users, and your organization’s digital integrity, you need a comprehensive mobile vulnerability management process. Once you familiarize yourself with common threats to smartphones and tablets, you can devise both preventative and reactive countermeasures.
Mobile vulnerabilities can be much more difficult to address than those that affect computers. Smartphones and tablets frequently connect to unsecured public networks. Messaging apps give threat actors immediate access to potential targets — and these apps often have minimal safeguards against malicious links. And since mobile devices are often personal devices, IT professionals have limited control over keeping operating systems and applications up to date. Mitigating vulnerabilities in mobile devices requires a proactive, flexible approach that accounts for the human factor.
What is the mobile vulnerability management process?
What is vulnerability management? The United States government’s Computer Security Resource Center defines a vulnerability as a “weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.” Vulnerability management is the process of discovering, analyzing, and mitigating these issues.
There are four main components in the vulnerability management process:
- Assess your risks: Make a comprehensive list of your organization's software and hardware. Research each asset's known vulnerabilities.
- Prioritize vulnerabilities: Evaluate how vital each asset is for your workflow. Cross-reference each piece of hardware or software with its known vulnerabilities. Decide which issues will require your immediate attention and which ones can wait.
- Remediate or mitigate threats: Address each vulnerability through patching, reconfiguration, access restriction, or similar means. If a vulnerability has no fix, consider whether the asset is worth the risk.
- Report and reassess: Determine whether the vulnerability still represents a threat. If so, move on to the next-highest priority. If not, attempt a different solution. Document your results for future reference.
Mobile vulnerability management requires all the same steps, but with some potential complications in the “mitigation” stage. Remember that 90% of U.S. adults own a smartphone, and there are hundreds of different smartphone models on the market. Even though there are only two major operating systems, iOS and Android, each OS has dozens of variants and version updates. Since most employees use their own mobile devices at work, IT managers must account for thousands of different vulnerabilities on devices they cannot directly manage.
Methods for managing mobile vulnerabilities
To secure mobile devices in a professional setting, you’ll need to identify vulnerabilities in Android and iOS, then develop mitigation strategies. Because mobile vulnerabilities affect so many different devices and OS versions, there’s no practical way to protect your staff against every single one. Instead, you should apply mobile-specific cybersecurity strategies, focusing your efforts on the devices and apps that your employees use the most. You should also pay attention to industry-specific regulations and have a plan in place for compromised accounts.
Implement mobile endpoint security
A comprehensive mobile endpoint security (MES) solution can go a long way toward addressing vulnerabilities. Mobile endpoint detection and response (EDR), acts as a buffer between an organization’s sensitive data and an employee’s smartphone or tablet. Workers install a lightweight app on their mobile devices, which analyzes thousands of data points and alerts them to potential threats in real-time. Mobile EDR can also flag these incidents for an IT team to review after the fact. While mobile EDR does not fix mobile vulnerabilities outright, it can help employees protect their own devices — or quarantine those devices if an attacker does gain control.
Prioritize vulnerabilities
At the time of writing, there are more than 7,000 Android vulnerabilities and more than 3,000 iOS vulnerabilities. Most have fixes, but not all. Some of them are for obscure devices and ancient OSes. Others affect some of the most common devices on the market. One exploit might be trivial for a remote attacker to pull off while another could require a convoluted workaround from a threat actor in close proximity.
In other words, mobile device vulnerability management will vary considerably from organization to organization. Prioritizing vulnerabilities is a way to manage your IT team’s time and resources effectively. If you provide mobile security software for your employees, you should be able to tell which devices, OSes, and specific apps they have. From there, use your best judgment to figure out how to mitigate the most common, serious, and easily patched threats before working your way down the list.
Comply with industry standards
Many organizations have to protect mobile data to comply with government and industry standards. For example, the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. protects sensitive healthcare data. Similarly, the General Data Protection Regulation (GDPR) in the European Union limits how much personal information third parties can collect.
While compliance and mobile vulnerability management are two distinct concepts, they can complement one another. Because they’re often less secure than computers, mobile devices provide a tempting target for threat actors seeking personal data. As a result, many mobile security solutions now emphasize compliance. Any solution that addresses compliance concerns should also minimize vulnerabilities as a rule.
Develop responsive strategies
There are at least 10,000 well-known mobile vulnerabilities, with researchers discovering new ones every month. That’s to say nothing of devastating zero-day vulnerabilities, which threat actors might exploit before a patch becomes available. As such, vulnerability management for mobile devices isn’t just about mitigation. It’s also about containment. Even with strong safeguards in place, an attacker could exploit a vulnerability and gain access to sensitive data. If that happens, a robust security service edge (SSE) solution can help identify unusual access patterns, quarantine compromised devices, and prevent the loss of sensitive data. Making frequent backups of your data in case of a ransomware attack is also a good idea.
Protect your organization’s data with mobile EDR
Safeguarding mobile devices is a key component in the vulnerability management process. A mobile EDR solution can address this issue from both employee and IT perspectives. Lookout Mobile Endpoint Security alerts workers to malicious apps and out-of-date software while allowing IT managers to research emerging threats and implement policies to protect sensitive data.
For more information on how mobile EDR can help manage vulnerabilities, read the Lookout e-book The Mobile EDR Playbook. In it, you’ll learn four questions to help you assess your current mobile data practices. You’ll also get concrete recommendations on how to address potential holes in your cybersecurity strategy.
Book a personalized, no-pressure demo today to learn:
Discover how adversaries use non-traditional methods for phishing on iOS/Android, see real-world examples of threats, and learn how an integrated security platform safeguards your organization.
The Mobile EDR Playbook: Key Questions for Protecting Your Data
Mobile devices reshape work, but also bring new risks. Are you safeguarding your people and data? Discover answers in our e-book—assess your mobile threat readiness now!
Explore resources by topic
Subscribe
Sign-up for the latest Lookout news and threat research
