Evaluating Mobile Security in a Mobile World

In November 2015, Tenable released the inaugural Global Cybersecurity Assurance Report Card, with research conducted by CyberEdge Group. The report tallied responses from more than 500 security professionals from six different countries and across seven industry verticals to assess the overall confidence levels of organizations in detecting and mitigating risk. The full report can be downloaded on our 2016 Global Cybersecurity Assurance Report Card page, and a high-level summary can be found on our blog. Earlier this year we broke down the report by industry vertical and also took a deep dive into the results for government organizations. Today, we’ll look at one pain point revealed by security practitioners in the report that affects nearly every country, government and industry — mobile device security.

A mobile world, a mobile workforce

Our phones have become an extension of ourselves. According to a new study by the Pew Research Center, 90% of US smartphone owners use their devices to get location-based directions or recommendations and 33% use their phones to watch streaming services such as Netflix or Hulu. The cellphone has also become a productive and convenient workplace tool. Employees can check email, access company data and search the Internet throughout their work day. However, as each new mobile device is brought onto the corporate network, the more vulnerable the organization becomes. In fact, MobileIron recently found that over 50% of enterprises have at least one non-compliant device (jailbroken, rooted, disabled PIN protection, lost device, out-of-date policies, etc.). The reality is that mobile phones aren’t going anywhere, so the question becomes, how prepared are organizations to effectively secure them?

The answer? Not as prepared as they’d like.

Mobile device scores

In terms of global risk assessment, IT security professionals across the globe graded mobile device security a startling 65%, or D and no country scored above Canada’s 79%, or C+.

IT security professionals across the globe graded mobile device security a startling 65% or D

Organizations were asked to report their ability to assess cybersecurity risks across 10 key IT infrastructure components, including cloud, datacenters, desktops, laptops, network perimeter, web applications and network infrastructure. Mobile devices ranked among the bottom three alongside cloud and cloud infrastructure. Although disturbing, it’s not surprising. These are rapidly evolving technologies.

While there’s not yet an industry standard, the need for improvement became apparent in our research when breaking down the results by industry. No sector ranked its ability to assess risk in mobile devices above a C. Education, Healthcare and Government came in at the bottom of the list, all scoring disheartening Fs. It’s particularly interesting to see Financial Services come in with an unimpressive 70%, or C-, especially as mobile banking becomes a new norm. If IT security practitioners in one of the most data breach-susceptible industries lack confidence in their ability to assess mobile device risk, how can industries with slower adoption rates keep pace?

All is not lost though. Organizations feel much more optimistic in their security investments.

Organizations feel they have the right tools in place to convey security assurance

Security Assurance refers to an organization’s ability to mitigate threats by investing in security infrastructure, i.e the security tools professionals use to keep their networks secure. It only makes sense then that one of the biggest challenges cited in the report was the ability to detect transient devices, earning a global score of 75%, or C. Canada again scored highest with a B, with the US coming in above average at 79% (C+). It’s interesting to note that in general, organizations feel they have the right tools in place to convey security assurance, but lack the confidence to properly assess the risks on their network. Perhaps it’s a resource issue. Our research revealed that IT teams are not only troubled by the sheer volume of threats but are also stretched thin when it comes to recruiting top talent. More than 66% of security professionals cited an overwhelming threat environment as the greatest challenge, followed by a sense of low security awareness among employees (67%) and a shortage of qualified workers (60%).

The ability to detect transient devices earned a global score of 75% or C

Setting confidence in risk assessment aside, Financial Services felt their ability to detect transient devices was strong, scoring an 84%, or B, as did the Telecom and Technology industry, giving themselves an 86% (B). Healthcare and Government, however, remained consistent in their lack of confidence in both risk assessment and security assurance, earning a D- and F, respectively.

The path forward

As mobile and cloud continue to revolutionize the industry, how can organizations secure employee devices, mitigate security risks and boost overall security assurance? One term comes to mind — visibility. While the industry continues to remain highly distributed and complex, it’s critical for organizations to lay the groundwork for a resilient security program by understanding what devices are on the network. You can’t secure what you can’t see, and it would be advantageous for organizations to invest in a comprehensive security solution that exposes those blind spots.

You can’t secure what you can’t see

The best way to secure unknown and shadow assets, such as the mobile device, is to adopt a cybersecurity strategy that gives you the continuous visibility and critical context necessary to take decisive action against incoming threats. If employees are using rogue cloud applications or transient devices, the IT security team needs to log and assess each device passing through the network. It is also imperative to update outdated legacy systems, as we’ve seen with last year’s OPM breach, and to stay up-to-date on industry trends and best practices.

More information

For more information on assessing and securing mobile devices, check out Tenable’s newly announced Unknown and Shadow Assets solution story. You can also check out the on-demand webinar about the Global Cybersecurity Assurance Report Card report findings for the US and Canada, EMEA, or APAC (but think twice about streaming it from your mobile while on the clock!). Be sure to stay tuned for the 2017 report in November 2016 for the newest data.