As mobile use grows, so does the need for proactive security strategies. But to be successful, businesses need an approach to mobile security that weighs the risks against larger business goals. This means taking a holistic look at end user productivity and budget concerns as well as security risks.
The best place to start with this process is with a mobile security assessment. A comprehensive mobile security assessment not only evaluates your current mobile security environment, it can also recommend additional strategies, such as adopting international standards like ISO 27001, the NIST (National Institute of Standards and Technology) Cybersecurity Framework and related security standards, and other best practices, to create more rigorous, efficient and cost-effective mobile security protocols for your organization.
Streamlining the Third-Party Risk Assessment Process
One area that has historically been a challenge for organizations' mobile security is assessing third-party risk. Frequently, this process has been inconsistent, resource-intensive and slow for all parties involved. However, by drawing on customer requests and on emerging tools from several groups, organizations can streamline and standardize the evaluation process.
One set of tools comes from Shared Assessments, which allows companies to assess third-party risk using evaluation and questionnaire criteria that meet industry security standards. Because Shared Assessments uses a common methodology, the results of an assessment can be shared, which both speeds up and simplifies the process of demonstrating compliance to multiple organizations. This can also reduce the resources required to implement and evaluate third-party risk, saving organizations time and money while ensuring that best practices and industry standards are applied to the process.
Standardizing on Security
Another way to help determine the appropriate security measures for mobile devices is by using cybersecurity standards developed by the National Institute of Standards and Technology (NIST). NIST security standards were developed by and for the federal government to address cybersecurity, and the recent government investment in cybersecurity has led the government to audit government contracts more closely, checking that companies holding government information and contracts are actually meeting their obligations under NIST-based requirements such as FISMA, NIST 800-53, FIPS 199, NIST 800-171 and FedRAMP. Additionally, enterprises are increasingly using these standards to guide their own security strategies and protocols, and the NIST standards are often considered a good baseline for security practices.
NIST's Cybersecurity Framework is now used by a wide variety of public and private companies. In fact, according to Gartner, the framework is now used by 30 percent of U.S. organizations and is projected to reach 50 percent by 2020.
While developed for cybersecurity in general, the framework can be applied to mobile security as well. The framework's central functions (identify, protect, detect, respond and recover) offer organizations a foundation for evaluating cybersecurity risk and developing steps to manage it.
Enabling Secure Mobility
Even when applying standardized frameworks such as Shared Assessments and NIST’s Cybersecurity Framework, getting the most productivity possible from mobile devices while limiting security risks is always a balancing act. Therefore, it’s important to start your security assessment from the perspective of what your organization wants to achieve, especially regarding apps on its mobile platform.
Bringing in outside experts who can conduct an in-depth mobile security assessment is often the best path forward to ensure balance. Mobile security experts can help organizations better understand their mobile vulnerabilities, prioritize security investments and mature their mobile security programs in line with larger business goals.