This is the first article in a guest blog series by Jason Bloomberg, Managing Partner, Intellyx
Focusing on user authentication, including multi-factor authentication, is not enough to put mobile at the center of your cybersecurity strategy. It is essential to ensure the integrity of devices, applications, and communication channels, along with securing API access.
Digital transformation has been with us for over a decade now, and most enterprises have made significant progress toward achieving its customer-facing goals.
Realigning siloed organizational models to better meet the needs of customers, employees, and others is no easy task – and indeed, companies have achieved varying levels of success.
While digital transformation is more about such organizational change than technology, tech unquestionably plays an important enabling role. In particular, mobile applications are central to many organizations’ digital strategies.
Mobile-first thinking, in fact, now pervades discussions of digital transformation. Mobile devices are now ubiquitous, and mobile apps are both widely accepted and enormously powerful.
While such mobile-first digital strategies are the norm, mobile-first cybersecurity strategies are not. Instead, cybersecurity becomes more of an afterthought than an integral part of the digital strategy.
It’s true that mobile apps are among the various endpoints that bad actors might use to breach the organization, but as endpoints, they are on the periphery of the cybersecurity strategy.
As a result, there is a strategic disconnect within most enterprises: mobile is at the center of their digital strategy but peripheral to their cybersecurity strategy. Shouldn’t mobile be at the center of their cybersecurity strategy as well?
Digital strategies are customer-focused. Since today’s customer typically interacts with organizations via mobile apps, it’s no surprise that digital strategies depend upon mobile-first technology strategies.
Here are five reasons why this logic should extend to cybersecurity strategies as well.
1. Organizations must understand how mobile-first impacts the organization’s threat surface. The threat surface reflects all the possible points of compromise a bad actor might use to penetrate an organization’s cybersecurity defenses. As endpoints, mobile apps are on this threat surface.
The apps themselves, however, are not the whole story. Also on the threat surface: the device itself, the channel (network connection), the security credentials on the device, and the services mobile apps might access via APIs. In other words, each mobile app puts at least five holes in the threat surface, not just one.
2. Every app is a front door to the back end. Organizational silos may hinder digital strategies, but they offer a measure of compartmentalization that affords some security protection—even though such protections inevitably focus on back-office services alone.
In a digital world, the mobile app connects directly to back-end services. In other words, every app is a front door to the back end that bad actors are hoping to exploit.
3. The more digital an organization is, the more important putting mobile at the center of the cybersecurity strategy becomes. For some organizations, mobile apps are only one part of a diverse digital strategy. In other cases, the mobile app becomes the primary point of interaction between customers and the company – making mobile the central cybersecurity concern for the organization.
4. Bad actors control their own devices. You wouldn’t intentionally hand over a corporate laptop to a malicious hacker – but the same bad actors own their own devices. As a result, they have complete control over the device – its hardware, operating systems, and network functionality.
This control is intentional, as organizations want to afford customers the freedom to use any devices they like and empower them via their mobile apps. However, empowering customers means empowering the bad actors as well.
5. Self-protection is a digital priority. Organizations may not control users’ devices, but they can control their apps – as long as they don’t cede that control to bad actors. Yet existing mobile device management (MDM) technologies don’t work for consumer users and fall short even in the enterprise.
As a result, the necessary protection is most effective if it resides in the app itself. In other words, app self-protection becomes a digital as well as a security priority.
For all these reasons and more, it is essential for digital and cybersecurity strategies to align as organizations increasingly depend upon mobile apps. In fact, it makes even more sense to say that the digital and cybersecurity strategies should be two sides of the same coin.
Separating the two generally leads to a lack of attention to cybersecurity as digital priorities command the attention of corporate leadership – to the long-term detriment of the organization. Don’t let this mistake happen to you.
This article is the first in a four-part series focusing on aligning mobile cybersecurity with digital priorities.
Next up: a closer look at secrets. Not only do bad actors steal mobile app credentials, but we all depend on our smartphones to support two-factor authentication. How do we protect our secrets in a mobile world?
Third in the series: putting your eye on the device. Cybersecurity depends upon visibility, as bad actors seek to hide in the shadows. How should an organization go about establishing visibility at the device level?
Wrapping up the series: certificate pinning. Organizations use mobile apps to terminate TLS sessions as any endpoint does – but there are many hops between phone and back-end, and TLS is a point-to-point protocol, giving bad actors the ability to mount Man-in-the-Middle attacks. We’ll explore how certificate pinning is the solution.
By the end of the series, we’ll have laid out the roadblocks to putting mobile at the center of your digital strategy – and how vendors like Approov can overcome them.
Copyright © Intellyx LLC. Approov is an Intellyx customer. Intellyx retains final editorial control of this article. No AI was used to write this article.
*** This is a Security Bloggers Network syndicated blog from Approov Blog authored by Jason Bloomberg. Read the original post at: https://blog.approov.io/why-isnt-mobile-at-the-center-of-your-cybersecurity-strategy