What is mobile security?

Mobile device security refers to being free from danger or risk of asset and data loss using mobile computers and communication hardware.

Why is mobile security important?

The future of computers and communication lies with mobile devices, such as laptops, tablets and smartphones with desktop-computer capabilities. Their size, operating systems, applications and processing power make them ideal to use from any place with an internet connection. And with the expansion of ruggedized devices, the Internet of Things (IoT) and operating systems, such as Chrome OS, macOS and Windows 10, every piece of hardware that's enhanced with this software and capabilities becomes a mobile computing device.

Because mobile devices have become more affordable and portable, organizations and users have preferred to buy and use them over desktop computers. And with ubiquitous wireless internet access, all varieties of mobile devices are becoming more vulnerable to attacks and data breaches.

Authentication and authorization via mobile devices are convenient, but it increases risk by removing a secured enterprise perimeter's constraints. For example, a smartphone's capabilities are enhanced by multi-touch screens, gyroscopes, accelerometers, GPS, microphones, multi-megapixel cameras and ports, allowing the attachment of more devices. These new capabilities change the way users authenticate and how authorization is provided locally to the device and the applications and services on a network. As a result, the new capabilities are also increasing the number of endpoints that need protection from cybersecurity threats.

Today, cybercriminals can hack into cars, baby monitors, security cameras and implanted healthcare devices. And by 2025, there could be more than 75 billion "things" connected to the Internet, including cameras, thermostats, door locks, smart TVs, health monitors, lightbulbs and many other devices.


Mobile security threats

While it's certainly critical to establish and enforce an enterprise-wide security policy, a policy alone isn't sufficient to counter the volume and variety of today's mobile threats. In 2019, Verizon conducted a study (PDF, 77 KB, link resides outside of ibm.com) with leading mobile security companies, including IBM, Lookout and Wandera, surveying 670 security professionals. The study found that 1 out of 3 of those surveyed reported a compromise involving a mobile device. 47% say remediation was "difficult and expensive," and 64% say they suffered downtime.

And companies embracing bring-your-own-device (BYOD) policies also open themselves to higher security risks. They give possibly unsecured devices access to corporate servers and sensitive databases, opening them to attack. Cybercriminals and fraudsters can exploit these vulnerabilities and cause harm or damage to the user and the organization. They seek trade secrets, insider information and unauthorized access to a secure network to find anything that could be profitable.

Phishing

The number one mobile security threat, phishing, is a scamming attempt to steal users' credentials or sensitive data like credit card numbers. Fraudsters send users emails or short message service (SMS) messages, commonly known as text messages, designed to look as though they're coming from a legitimate source, using fake hyperlinks.

Malware and ransomware

Mobile malware is undetected software, such as a malicious app or spyware, created to damage, disrupt or gain illegitimate access to a client, computer, server or computer network. Ransomware, a form of malware, threatens to destroy or withhold a victim's data or files unless a ransom is paid to unencrypt and restore access.

Cryptojacking

Cryptojacking, a form of malware, uses an organization's or individual's computing power without their knowledge to mine cryptocurrencies like Bitcoin or Ethereum, decreasing a device's processing abilities and effectiveness.

Unsecured wifi

Unsecured wifi hotspots without a virtual private network (VPN) makes mobile devices more vulnerable to cyberattack. Cybercriminals can intercept traffic and steal private information using methods like man-in-the-middle (MitM) attacks. They can also deceive users into connecting to rogue hotspots, making it easier to extract corporate or personal data.

Outdated operating systems

Older operating systems (OS) usually contain vulnerabilities that have been exploited by cybercriminals, and devices with outdated OSs remain vulnerable to attack. Manufacturer updates often include critical security patches to address vulnerabilities that may have an active exploit.

Excessive app permissions

Mobile apps have the power to compromise data privacy through excessive app permissions. App permissions determine an app's functionality and access to a user's device and features like its microphone and camera. Some apps are riskier than others. Some can be compromised, and sensitive data can be funneled through to untrustworthy third-parties.


How to secure mobile devices

The core security requirements remain the same for mobile devices as it does for non-mobile computers. In general terms, the requirements are to maintain and protect confidentiality, integrity, identity and non-repudiation.

However, today's mobile security trends create new challenges and opportunities, which require a redefinition of security for personal computing devices. For example, capabilities and expectations vary by device form factor (its shape and size), advances in security technologies, rapidly evolving threat tactics, and device interaction, such as touch, audio and video.

IT organizations and security teams need to reconsider how to achieve the security requirements in light of device capabilities, the mobile threat landscape and changing user expectations. In other words, they need to secure multiple vulnerabilities in the dynamic and massively growing mobile device environment. A secure mobile environment will offer protection in six primary ways: enterprise mobility management, email security, endpoint protection, VPN, secure gateways, and cloud access broker.

Enterprise mobility management

EMM is a collective set of tools and technologies that maintain and manage how mobile and handheld devices are used within an organization for routine business operations.

Email security

To protect data from email-based cyber threats such as malware, identity theft and phishing scams, organizations need to monitor email traffic proactively. Adequate email protection includes antivirus, antispam, image control and content control services.

Endpoint protection

With technologies like mobile, IoT and cloud, organizations connect new and different endpoints to their enterprise environment. Endpoint security includes antivirus protection, data loss prevention, endpoint encryption and endpoint security management.

VPN

A virtual private network (VPN) allows a company to securely extend its private intranet over a public network's existing framework, such as the Internet. With a VPN, a company can control network traffic while providing essential security features such as authentication and data privacy.

Secure gateways

A secure gateway is a protected network connection, connecting anything to anything. It enforces consistent internet security and compliance policies for all users regardless of location or device type used, and it keeps unauthorized traffic out of an organization's network.

Cloud access broker

A CASB is a policy enforcement point between users and cloud service providers (CSPs). It monitors cloud-related activity and applies security, compliance and governance rules around cloud-based resources use.


IBM Solutions

Mobile security solutions

Whether you support a single operating system type or have a mixed variety of devices, IBM mobile security offers the most secure, productive and intuitive solution on the market. IBM harnesses the power of AI technology to help you make rapid, better-informed decisions.

Enterprise mobility management (EMM)

EMM combines user, app and content management with robust data security to simplify how you manage your device environment. Get the right balance between user productivity and mobile security with IBM EMM solutions.

Mobile device management (MDM)

Get adequate visibility, manageability and security for running iOS, macOS, Android and Windows. And take advantage of seamless over-the-air (OTA) device enrollment for easy, rapid deployment.

Bring your own device (BYOD) security

When an employee can use their personal device, you empower them to do their best work in and out of the office. BYOD programs can have the added benefit of saving the budget by shifting hardware costs to the user. But employees need to know that you're protecting their personal use and privacy. Secure your remote workforce with IBM.

Unified endpoint management

Powered by AI and analytics and integrated with your existing IT infrastructure, IBM simplifies and accelerates the support of a diverse, complex endpoint and mobile environment. Simplify the management and security of smartphones, tablets, laptops, wearables and IoT.

Cloud security solutions

Integrating cloud into your existing enterprise security program is not just adding a few more controls or point solutions. It requires assessing your resources and business needs to develop a fresh approach to your culture and cloud security strategy. Move confidently to hybrid multicloud and integrate security into every phase of your cloud journey with IBM.