Mobile applications are flooding the device marketplace and users are downloading them for infotainment, as well as for personal and work-related access to resources. In order to leverage this mobile wave, organizations are jumping on the bandwagon to get products and services out to market quickly. In everyone's great haste to get applications into App Stores, it seems that security controls have fallen by the wayside. A Gartner post from September 15, 2014 states that by 2015 a staggering 75% of mobile applications will fail the most basic security tests. See original post.
Risks introduced through mobile usage include:
Social engineering/user behavior
Spam... to name just a few!
In the midst of all this madness, what should an organization do to ensure that it provides its employees and consumers the best possible mobile experience while at the same time managing the substantially increased risk to its brand, IP and organizational data? Here are some suggestions:
1. Start with developing a mobile security strategy that considers the different target audiences - consumers, other businesses and employees. If required, develop three different strategies for the three different categories.
2. Within each category define application risk levels based on target audience and content.
3. Develop guidelines and standards for application development enforced through static and dynamic vulnerability scanning prior to deployment. Develop processes and controls for application testing and deployment.
4. Implement strong authentication and authorization mechanisms that can be raised or lowered depending on the risks posed by geolocation, device, and type of transaction.
5. Implement monitoring, keeping in mind that analytics are mandatory to sift through the vast amount of audit information that will typically be collected.
6. And last but not least, have an organization-wide incident management plan to address situations which can occur despite all the governance and controls that are in place.
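To make suggestion 4 concrete, here is an added example (not code from the original post) of a risk-based step-up decision: it combines device trust, an impossible-travel check against the user's last seen location, and the transaction type into an assurance level. The device registry, last-seen locations, speed threshold and score cut-offs are all constructed placeholders for illustration.

```python
import math

# Constructed sample data: registered device IDs per user and the user's
# last seen login as (latitude, longitude, unix_seconds).
REGISTERED_DEVICES = {"alice": {"dev-ios-1a2b"}}
LAST_SEEN = {"alice": (40.71, -74.01, 1_700_000_000)}  # New York (constructed)

# Transaction types that warrant stronger authentication (hypothetical set).
HIGH_RISK_TRANSACTIONS = {"wire_transfer", "change_password", "add_payee"}

IMPOSSIBLE_TRAVEL_KMH = 900   # faster than a commercial flight (assumed threshold)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def risk_score(user, device_id, lat, lon, now, transaction):
    """Return (score, reasons) for a login/transaction attempt."""
    score, reasons = 0, []
    if device_id not in REGISTERED_DEVICES.get(user, set()):
        score += 2
        reasons.append("unregistered device")
    last = LAST_SEEN.get(user)
    if last:
        plat, plon, pts = last
        hours = max((now - pts) / 3600.0, 1e-6)       # avoid division by zero
        speed = haversine_km(plat, plon, lat, lon) / hours
        if speed > IMPOSSIBLE_TRAVEL_KMH:
            score += 3
            reasons.append("impossible travel")
    if transaction in HIGH_RISK_TRANSACTIONS:
        score += 2
        reasons.append("high-risk transaction")
    return score, reasons


def required_assurance(user, device_id, lat, lon, now, transaction):
    """Map the risk score to the authentication level the policy demands."""
    score, _ = risk_score(user, device_id, lat, lon, now, transaction)
    if score >= 5:
        return "deny"            # too many signals: block and route to review
    if score >= 2:
        return "step_up_mfa"     # raise assurance: require a second factor
    return "session_only"        # low risk: existing session is enough
```

The score-to-action mapping is the part an organization would tune per risk level defined in suggestion 2; the monitoring in suggestion 5 is what feeds the `LAST_SEEN` style signals in practice.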
It's all pretty new, and there are plenty of products that claim to solve the problem. However, a holistic solution that begins with a strategy, incorporates people, processes and technology, and most importantly allows for rapid changes as devices evolve and hackers get more sophisticated, has the greatest probability of success.