Staffs are becoming more mobile. And that's dangerous


While mobile devices have helped untether hundreds of millions of consumers from their homes and offices for communication and commerce, they have also given consumers a blissful but unwarranted sense of security about their privacy and the safety of data accessible through the mobile device.

Today, approximately 5.13 billion people — 66.53% of the world’s population — own mobile devices. More often than not these mobile devices have dual purposes in handling personal needs, such as making purchases or paying bills, and business mobility, like completing compliance workflows.

With mobile devices driving so many use cases, it’s no wonder that an active community of hackers has emerged focusing on mobile attacks on both consumer and enterprise data. According to RSA, fraud from mobile browsers and apps accounts for more than 71% of all illegal transactions.

While some people aren’t aware of the security issues associated with mobile devices, vulnerabilities are common in mobile applications. For example, according to data collected by security firm FireEye, the JavaScript-Binding-Over-HTTP (JBOH) vulnerability, first reported in 2014, affected 31% of popular Android applications and could allow a coffee shop attacker to inject code into certain applications. Additionally, an assessment of 61 different mobile apps by the application security firm Denim Group found that all had at least one critical vulnerability, with some having more than 10. The three main categories of software weaknesses Denim Group found were data leakage by the app, mistakes in implementing authentication, and database injection vulnerabilities on back-end servers supplying data to the mobile application.

Among devices deployed for use by enterprise workers, it’s widely known that Apple and Android devices incorporate native security to protect their devices from hackers. In addition, security vendors such as Okta and Ping, and UEM vendors such as BlackBerry and Microsoft Intune, are well known for expertise in security. But that security is only as good as its last update. So if hackers are attacking apps for their data (much of it private and assumed by the device owner to be secure), you can be sure the attackers are trying to stay at least a step ahead of the available app security.

Despite the native security that device makers deliver, what goes unsaid is that device-stored data cannot be secured without encrypting it. The rub for device makers is that every upgrade of the app or the device OS requires the data be encrypted once again.

Clearly, enterprise device management is not working. In a recent enterprise mobility survey, 51% of workers polled reported experiencing at least one mobile issue per month that has hindered their ability to do their job. “Mobility is a business-critical asset across most enterprises today, yet this research clearly highlights that mobile device failures are high in volume, negatively impacting productivity, staff morale and costing businesses revenue,” said a sponsor of the survey.

While enterprise mobility flourishes, mobility and security staffers face a nightmare of growing proportions: enterprises face the prospect of regular and often frequent app updates, OS updates, new apps and increases in the numbers of devices accessing the corporate network. The number of combinations and permutations is staggering. And with every such update, apps must be “re-secured.”

The only known, practical solution to date is no-code mobile security integration, which automates the process entirely, reducing it from multiple weeks to a few minutes.

Organizations equipping staff for mobility must face facts: Application security must become a priority — not just features, convenience and speed.

Data security is frequently named as a top inhibitor of mobile payment adoption. If there’s a lesson to be learned, it’s that apps are regularly released before they are security-hardened, and that app and OS updates (which require re-securing the apps) are a fact of life. That’s a sobering state of affairs. In a 2018 survey, the share of merchants who earn more than half of their total revenue in the mobile channel grew from just 2% in 2013 to 17% at the time of the survey.

In the same survey, nearly one-third of merchants surveyed said they believe the mobile channel will represent at least half of their total revenue by 2020. It’s not yet time to panic, but it’s time to worry. Better yet, it’s time to take action.
