Mobile devices have transformed the digital enterprise, allowing employees to access the information they need to be most productive from virtually anywhere. Has that convenience come at a cost to enterprise security, though?
According to Forrester's The State of Enterprise Mobile Security: 2016 to 2017, by Chris Sherman, "Employees are going to continue to purchase and use whatever devices and apps they need to serve customers and be highly productive, whether or not these devices are company-sanctioned."
Additionally, the report found that security and risk (S&R) professionals will face complex challenges as a result of the different API interfaces and security profiles across devices. Sherman wrote, "Security teams must plan for years of increasing complexity by choosing technology solutions that simplify management and security workflows."
Scott Simkin, senior threat intelligence manager at Palo Alto Networks, said that BYOD is a trend that we were talking about five years ago. "Bringing a personal device into the enterprise is not something new, but the masses have come to peace with the fact that employees--in order to achieve their objectives--are requiring it."
What that means for security practitioners is that the attack surface is massive. "It now has been multiplied by a factor of 100 or 1,000 by the sheer number of vulnerable applications and devices that the attacker is able to leverage," Simkin said.
In addition to bringing devices to the office, employees are also demanding access to the network when they are not on the premises. "They want access to resources whether it's Dropbox or other applications that allow them to get their corporate data," Simkin said.
Myriad issues challenge enterprise security, whether it is the apps themselves or the behavior of the users who own and operate the mobile devices, such as not keeping their operating systems up to date.
"Thousands of applications developers are taking their great ideas and putting them into practice, but they are not thinking about building security into their application from the beginning," said Simkin.
Given that there are generally three ways for users to access applications, where they get their apps becomes incredibly important from a security perspective.
"They can go to the official app store or download it from a third-party application site, or they can jailbreak or sideload the application," Simkin said. "The official app stores do a good job of filtering out malware and threats, but those third-party app stores are more of the Wild West."
A wider trend in the mobile threat landscape, according to Simkin, is that attackers are going after the application developers. "They are unknowingly infected with malware and then the application is infected and that is then passed on to users."