MY TAKE: Most companies blissfully ignorant of rising attacks on most-used endpoint: mobile devices

By Byron V. Acohido

A dozen years after Apple launched the first iPhone, igniting the smartphone market, the Bring Your Own Device to work phenomenon is alive and well.

Related: Stopping mobile device exploits.

The security issues posed by BYOD are as complex and difficult to address as ever. Meanwhile, the pressure for companies to proactively address mobile security is mounting from two quarters.

On one hand, regulators are ahead of the curve on this one; they’ve begun mandating that companies account for data losses, including breaches in which mobile devices come into play. And on the other hand, cyber criminals are hustling to take full advantage of the corporate world’s comparatively slow response to a fast-rising threat.

Metrics are piling up showing just how pervasive mobile threats have become. Some 33 percent of companies participating in Verizon’s Mobile Security Index 2019 survey admitted to having suffered a compromise involving a mobile device, and the majority of those affected said that the impact was major.

Verizon’s poll also found that 67 percent of organizations were less confident of the security of mobile devices, as compared to other IT assets. And all of this is unfolding as employees increasingly use both company-issued phones and their personally owned devices to access sensitive data and conduct business.

“The reality is users don’t care whether it’s a corporate-owned device or a BYOD, and neither do the attackers,” said J.T. Keating, vice president of product strategy at Zimperium, a Dallas, TX-based supplier of mobile security systems. “Our phones are completely blended, in terms of access to corporate data and personal data.”

I had a lively discussion with Keating at RSA 2019. For a drill down on the full interview, give a listen to the accompanying podcast. Here are a few key takeaways.

Endpoint is an endpoint

That queasy feeling senior execs have about the murkiness of mobile security is well founded, based on the results of a simple experiment Zimperium conducted at the Mobile World Conference (MWC) in Barcelona last February, and repeated at RSA 2019 in San Francisco.

Zimperium paid special attention to forensic data from actual users of its zIPS mobile intrusion prevention app; it made it a point to analyze mobile device traffic to devices using zIPS at each conference. Zimperium detected more than 7,000 mobile threats in less than four days at MWC, and more than 17,000 threats in that same amount of time at RSA.


Reliance on smartphones in the enterprise space has skyrocketed in recent years, but it comes at a price. Zimperium estimates that some 60 percent of enterprise endpoints are mobile devices. In most companies, this means that 60 percent of endpoints accessing the enterprise have no visibility on them, making them ripe targets, Keating told me.

Security teams have been slow to address mobile security, but it is inevitable now. After all, if employees have moved tasks like email from desktops to mobile devices, security has to act. However, there is another pressing issue for security teams, said Keating, and that’s compliance.

“If you have patient data sitting on a tablet, it’s no different than you have patient data sitting on a traditional endpoint,” explained Keating. If you have a HIPAA requirement to secure data on one type of endpoint, you have to meet that same HIPAA requirement for all endpoints. “An endpoint is an endpoint is an endpoint.”

Viable threats

All too many organizations still don’t see it that way. This is reflected in the tens of billions of dollars spent on protecting traditional on-premise endpoints, such as laptops and desktop PCs, even as employees are using their unprotected smartphones and tablets as go-to endpoints much of the time. The exposure should be obvious.

Yet, many in leadership still continue to question just how substantive mobile threats really are, Keating said. This skepticism derives from lack of visibility; if you can’t see the threats, you don’t realize they are there, he said.

Make no mistake, the threats are there. They include malicious apps, mobile phishing, network attacks, and device compromise. One big challenge is figuring out the best approaches to mitigate a wide array of attacks targeting mobile device users.

It’s easy to buy into the idea that you only have to worry about one or two of the known threats, and you’re covered. For instance, an app security provider might provide a tool only for malicious apps, and that can lull you into thinking that’s the only threat to worry about.

Most malicious apps, for instance, are spread as widely as possible, and are not part of a campaign to target specific companies. A spear phishing attack or a device compromise attack, however, very well might be, said Keating.

Integrated defense

Also, apps can be risky without being malicious. Many apps in the App Store or Google Play may not be malicious, but they are asking for sensitive phone data, such as geo-location, and then transmitting that data back to the app publisher unencrypted. This could be part of targeted intelligence gathering, or, at minimum, it could lead to wider exposure of sensitive data – which could ultimately end up in the hands of a threat actor who decides to target your organization.

For enterprises pushing out apps and depending on mobile devices, integrating with a well-rounded mobile device management (MDM) provider can help manage all of those implementations. Zimperium, for example, has partnered with MobileIron, to improve threat detection and remediation.

Using Zimperium’s detection engine with the MobileIron agent affords 100 percent coverage as soon as someone needs protection. From a provisioning standpoint, integrating with an MDM allows for immediate and improved protection.

“We’ve seen a technology curve,” said Keating. “Something starts as a technology, then it becomes a product, and finally it becomes a solution. We’re now at the solution stage.”

The solution stage should look like this: it should be capable of integrated security in any cloud platform, rather than force people to use certain formats; and it should support an organization’s workflow, giving security and mobility teams what they need.

It’s encouraging to see security innovation advancing in the mobile space. Talk more soon.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(Last Watchdog’s Sue Poremba contributing.)

