Time for Operators to Act on Mobile Security

Written by

Mobility is often mentioned in the same sentence as cloud and Big Data as a “must have” enabler for the modern business, and it’s the one of the three that elicits the sharpest intake of breath from IT security teams.

According to the Symantec 2016 Internet Security Threat Report, Android users remain the main target, but Apple devices are vulnerable too; and it’s not going to get any better because cyber criminals are winning the war and mobile is an increasingly popular battleground. 

Should mobile operators play more of a role in security?

While IT has sophisticated tools to fight breaches, we all know there’s no such thing as 100 percent security, so security questions usually come back to the business balancing the risks against the benefits. The problem is that the scales have tipped too far the wrong way with mobile.

The time has come to rethink the model. As mobile solutions proliferate and enterprises spend more money on data tariffs, isn’t it time that Mobile Network Operators (MNOs) played a more proactive role? Consider the facts: MNOs are supplying a business service in the same way that Cisco enables corporate Wifi solutions – the difference is that Cisco facilitates security with authentication and authorization tools strong enough to protect and audit access.

Rightly or wrongly, MNO business models are often perceived as compounding the problem rather than solving it. Faster connections turn low-risk feature phones into little supercomputers. As quickly as point defense and network access controls can be inserted, MNOs provide faster connections to the internet where increasingly dangerous threats await.

Additionally, MNOs are often criticized as being slow to approve and push new mobile OS updates which leave devices vulnerable long after attacks have been publicly disclosed.

In fact, MNOs have the technical capability to manage every single packet of data traveling over their networks at a granular level, yet it appears they largely abstain from building security into their business service offerings. So what’s the solution?

Ask your Mobile operators to respond

Enterprise customers have more power to change this situation than they realize. Mobile operators will respond with new capabilities when pushed – look for RADIUS access to the mobile network in the same way, as it exists with your Wi-Fi. Insist that TCP and UDP handling policies are clear and, ideally, configurable. Demand better OS update regularity.  As an additional factor of network authentication, why not get the hardware device ID of every corporate smartphone and tablet in use? Services that do all this and more exist today. However, operators will only supply them when asked. 

Defend the perimeter

Firewalls and intrusion detection are the traditional way of locking down the enterprise perimeter, but it’s like the Maginot Line in World War 2, France’s defensive wall built on out-of-date defensive principles that a modern army simply drove around. You can nail down the laptops, desktops, and servers, but it’s of limited use if your employees are conducting most of their work with smartphones and tablets that are allowed into the building because the savvy companies embrace mobilization of the workforce. It’s clear; security needs to go where the data, is not just where the device is.

You can spend hundreds of thousands of dollars on security, but it’s almost entirely wasted if you don’t tackle security on mobile devices. MDM (Mobile Device Management) protects the physical device but does not solve the perimeter problem; it’s like putting a password controlled laptop on the open internet without any firewall or virus checker.

MDM tools provide a level of comfort, but all too often they mirror desktop security solutions and rely on processes that are ill equipped for the dynamic way that mobile devices are used.

Create competitive advantage with mobile security

Over the years, operators have spent a lot of time and money trying to reinvent themselves as content providers, social media hubs, and cloud service providers, yet not always successfully. The irony is that a unique and high-value business service is well within their grasp that would increase the adoption of mobile enterprise solutions, driving data traffic and swelling their coffers.

Maybe it’s time for security professionals and business leaders to put it up to their MNO and demand more. It’s inevitable that some innovative MNOs will choose to see delivering security as part of their service will offer them a competitive advantage in the market.

What’s hot on Infosecurity Magazine?