From beginning mobile app development to protecting end users, IT pros need to understand, address and educate on security threats to mobile devices.
Regarding mobile security, end users know not to click on questionable content. But beyond that, they are typically left in the dark. Although mobile devices can be at as much risk as PCs, people feel they are safer. As a result, IT pros need to work to secure mobile devices from any angle where there could be a threat.
What to know during app development
The best way to handle security threats to mobile devices is to prevent them from happening altogether. By integrating security measures into app development, IT pros can protect their app and organization from the risk of stolen information. If developers integrate security measures later, it can disrupt the app's performance.
Developers should research already-known security threats to mobile devices. For example, developers should be aware of issues with the OSes and technology the apps will use, such as software libraries, virtual private networks (VPNs) or APIs.
Developers should look to incorporate secure authentication and authorization methods into an app, including multifactor authentication (MFA). To further protect data in a mobile app, developers should encrypt data and ensure an app doesn't store data on the device when possible. When apps and servers send sensitive data back and forth or to the cloud, IT pros should use the Secure Sockets Layer or Transport Layer Security protocol and include a way to validate security certificates.
Teach users about security threats to mobile devices
Administrators need to teach users to prevent security threats to mobile devices. It's not enough for users to simply avoid opening email attachments from unknown sources. When devices connect to insecure Wi-Fi, it opens them up to attack. Users should connect to Wi-Fi via a VPN to prevent insecure data transmissions. Tools like Tasker or Android for Work can connect devices to a VPN automatically.
Effectively communicating the resources available to end users will make administrators' jobs easier. IT should inform users about the company's BYOD policies and how to share and store files securely. Users need to know what they are required to have on their devices, such as a password, and what will happen if they break policies. An enterprise file-sharing or cloud storage platform can securely enable employees to work from anywhere.
How to take control of mobile security
Although it's important to educate users whenever possible, administrators should always deal with security measures firsthand.
IT knows passwords -- even the strong ones -- are not always effective against security threats to mobile devices. Password best practices, such as using unique passwords for every account and frequently changing them, are not always practical for users. Administrators must implement MFA, single sign-on (SSO) or federated identities to manage password risks. MFA creates more gates to prevent password breaches, while SSO or federated identities make it easier for end users to manage their identification information.
To avoid malware and phishing attacks, IT should push updates to devices and prevent users from installing apps from unverified third parties that could mine the device's data. Malware protection methods traditionally used software to detect known threats before correcting or deleting infected files. This method alone isn't enough to keep mobile devices secure because it relies on threat definitions that cannot adapt to new threats without updates.
Phishing attacks, on the other hand, can compromise the security of a system through a single end user by tricking that user into giving up authentication information. To prevent phishing attacks, admins can use technology such as Sender Policy Framework, DomainKeys Identified Mail records, spam email filters and endpoint protection.
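As an added example (not part of the original article), here is a small Python check an administrator could run over a domain's TXT records to catch Sender Policy Framework policies that give no real protection. The sample records and example.com names are constructed, and only the record's own terms are counted toward the RFC 7208 lookup limit (nested includes add more).

```python
import re

# Terms that cost a DNS query during SPF evaluation (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
MAX_LOOKUPS = 10

def audit_spf(txt_records):
    """Return findings for the TXT records published at one domain."""
    spf = [r.strip() for r in txt_records if re.match(r"v=spf1(\s|$)", r.strip(), re.I)]
    if not spf:
        return ["no SPF record published"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as permerror"]
    findings, lookups, all_qual, redirect = [], 0, None, False
    for term in spf[0].split()[1:]:
        m = re.match(r"([+\-~?]?)([a-z][a-z0-9]*)", term.lower())
        if not m:
            findings.append(f"unparseable term: {term}")
            continue
        # A mechanism with no qualifier defaults to "+" (pass).
        qual, name = m.group(1) or "+", m.group(2)
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism: slow and discouraged by RFC 7208")
        if name == "redirect":
            redirect = True
        if name == "all" and all_qual is None:
            all_qual = qual
    if all_qual == "+":
        findings.append("+all: every host on the internet passes SPF")
    elif all_qual == "?":
        findings.append("?all: neutral result, no sender is rejected")
    elif all_qual is None and not redirect:
        findings.append("no all/redirect: unmatched senders get neutral")
    if lookups > MAX_LOOKUPS:
        findings.append(f"{lookups} DNS-lookup terms: over the limit of {MAX_LOOKUPS}")
    return findings

# Constructed sample records (example.com names are placeholders).
SAMPLES = {
    "strict": ["v=spf1 ip4:192.0.2.0/24 include:_spf.example.com -all"],
    "open": ["v=spf1 mx +all"],
    "duplicate": ["v=spf1 -all", "v=spf1 mx -all"],
    "unrelated": ["google-site-verification=abc123"],
}

if __name__ == "__main__":
    for label, records in SAMPLES.items():
        print(label, audit_spf(records) or ["ok"])
```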
Mobile threat detection, unified endpoint management (UEM) and microvirtualization take system defense further. Mobile threat detection can spot security threats to mobile devices or vulnerabilities based on system changes and metrics by monitoring OSes, APIs and network traffic. UEM enables administrators to block malicious apps and enforce security policies. Some UEM services can also initiate responses to detected malware. Microvirtualization abstracts apps from hardware to prevent threats from affecting entire systems.