Mobile technology is a key enabler of modern-day digital transformation, as such, it is an essential component of a company’s technology stack. There are many important things to consider when implementing and managing mobile, such as:
- Remote working
- BYOD (bring-your-own-device)
- Zero trust
- Mobile apps
- Compliance mandates
The Office 365 suite is one of the most commonly used tools to help people work and collaborate across multiple devices. Whilst it is an incredible tool from the perspective of productivity and remote working, it has its flaws when it comes to security – just like any other app.
These two technologies form the backbone of remote work for many enterprises, therefore it is vital that the associated threats and risks are understood, as well as the most effective solutions to deal with them.
The Top Four Risks of Mobile Office 365
Like any technology, there are inherent security risks to using Office 365. Firstly, there are outsider threats or bad actors, like hackers, malware, etc. Secondly, insider threats, like malicious employees or everyday human error.
The underlying weaknesses or vulnerabilities that enable these threats can be classified under four main sources:
65% of devices will have some kind of vulnerability, like outdated or unpatched software.
One in five enterprise devices will connect to a suspicious or potentially malicious network that could intercept sensitive company data.
There are over 5 million apps on the official app stores alone, and companies have little control over what apps employees install and use.
Phishing is still one of the most prevalent attacks aimed at enterprise employees. Unfortunately, it’s often easier on mobile to pass illegitimate links or websites off as legitimate ones.
As an example of how pervasive and damaging these attacks can be, Revolut was recently hacked, exposing the data of over 50,000 customers. Many European leaders have also had their phones hacked recently, and Apple recently discovered major vulnerabilities in its iOS software.
In fact, in 2022 Apple patched nine zero-day vulnerabilities that were being actively exploited. As is usually the case, it is unknown how long or how widely the vulnerability was exploited before these patches were deployed. In some instances, the risk is so great that companies must take their entire fleet offline as soon as a vulnerability is discovered until it is resolved.
Mobile vulnerabilities and attacks are picking up, and this trend will likely continue as mobile becomes the status quo.
Mobile Device Management is Not a Security Solution
Many companies already have a Unified Endpoint Management (UEM) platform to help them deal with their ever-expanding mobile fleets and some hope they can rely on UEM to solve security challenges.
However, UEM solutions are not security platforms, they were never meant to, and are typically incapable of, dealing with the increasingly risk-laden mobile threat landscape.
Mobile Threat Defence - The Answer to Mobile Security?
Mobile Threat Defence (MTD) is designed specifically to address the security risks facing enterprise mobile devices and address all four of the main risk categories described above:
MTD continually scans and detects potential malicious activities, like OS exploitation, config changes, and other forms of tampering.
It can also scan networks to warn users if they are suspicious or reassure them that they’re secure. MTD can also identify or prevent common network-related threats, like man-in-the-middle attacks or rogue access points.
Maintains a record of malicious software or apps as well as analyses unknown apps for potentially malicious code.
Able to detect potential phishing attempts or suspicious links via email, SMS, QR codes, or IM services, like WhatsApp.
Analyse devices and their OS for potential or known vulnerabilities and the availability of security updates/patches.
Many of these capabilities are similar to what EPP (endpoint protection) or EPDR (endpoint defence and response) solutions provide, just with a focus on mobile ecosystems and their most prominent risk factors.
Cyber Essentials Plus - How Does it Affect Enterprises?
Cyber Essentials Plus was officially launched on 3 January 2022 and is one of the first security mandates that comprehensively deals with mobile devices. It applies to both enterprise-owned mobile devices as well as user-owned devices that access organisational data and services.
It looks at the problem of enterprise mobile security from two main angles:
- Malware Protection: One of the security mandates is that if a device has business data, all unknown apps must be sandboxed, or only whitelisted apps should be allowed. Failing both, the device needs some form of malware protection.
- Patch Management: If a vendor announces a serious security vulnerability and releases a patch, each affected device must be patched within 14 days.
Zimperium - A Leading MTD Solution Provider
Zimperium offers a total mobile security solution that covers the device, network, app, and phishing-associated risks. It also provides tools to analyse mobile apps and threats via malware classification, technical reports, etc.
Zimperium is based on the idea that mobile defence is more effective when deployed on the device. This enables it to deliver powerful capabilities, such as integration with Microsoft Intune for Zero Touch enrolment. Not to mention enabling secure BYOD through Microsoft App Protection Policies’ Conditional Access.
For example, zIPS can assess the risk level of the device and only give it access to Microsoft Office apps if it’s compliant.
Mobile will likely become the primary battleground where enterprises win or lose the ongoing security battle. While remote, signature-based systems may sound convenient, they often lack the in-depth visibility and control to secure devices on an individual level. Get in touch to find out how Zimperium and Mobliciti can help your business with their mobile device strategy.