Consumer Apps: the New-Age Weapon
By Simon Biddiscombe
Mobile devices are critical to both our personal and professional lives, and hold more information than ever before. With the advent of cloud technology, modern work increasingly takes place in the cloud and on personal mobile devices, eroding the typical network perimeter and revealing countless new threat vectors.
The devices that employees take to the workplace aren’t isolated from other networks, they come with the various sets of applications that are installed on the device. According to App Annie’s State of Mobile in 2019 report (via PPC Land): "Consumers downloaded 194 billion apps in 2018, spent $101 billion in app stores, and averaged three hours per day on their mobile."
At the same time, mobile threats are evolving. According to Cisco, cybersecurity professionals rank mobile devices as the hardest enterprise asset to defend.
As Bring-Your-Own-Device (BYOD) and by extension, consumer applications, get increasingly popular in the modern workplace, the future of data breaches and cybercrime lies in mobile applications and operating systems.
For example, a messaging app recently ran into some trouble when hackers exploited a vulnerability and introduced Pegasus spyware into the app by simply calling the target. Once the spyware was deployed, the camera and mic of a user's phone could be turned on, personal and corporate emails and texts were exposed, and user location data was collected.
This scenario, while extreme, perfectly demonstrates how vulnerable mobile applications and devices are to cyberattacks and how a consumer application could potentially weaponize a device against an enterprise. That is why enterprises need to ensure mobile devices that have access to enterprise data are not vulnerable to rampant threats.
To keep up with the future of cyber-attacks, we need to rethink our security approach entirely. A mobile-centric zero trust approach can deal with the security issues that a modern enterprise faces while providing the agility that a modern organization needs. It provides the visibility and IT controls needed to secure, manage and monitor every device, user, application and network being used to access data.
A mobile-centric zero trust approach also provides on-device detection and remediation of threats. An additional security layer of threat intelligence detects suspicious or out-of-compliance applications, like the popular messaging application example above. If an application is suspicious or out of compliance, the IT department can notify, monitor, block, quarantine or completely retire the device, keeping company resources secure. This is critical as attackers increasingly target mobile devices and applications with sophisticated attacks.
It is quite straightforward to implement and successfully realize the benefits of a mobile-centric zero trust approach. Firstly, an organization has to equip users with a secure digital workplace space with all the apps they need, on the devices of their choice.
It then needs to ensure that it grants the user access to authorized corporate data based on full context, including protection for data at rest and in motion with encryption and threat monitoring. Lastly, it is vital to enforce security policies with ongoing monitoring to quarantine devices, alleviate threats and maintain compliance.
By being easy to implement and imperceptible to the end user, a mobile-centric zero trust approach bridges the gap between high security and low friction, which is essential to success. This is of utmost importance, given the expectation by consumers— and therefore employees — that technology will be easy to deploy and deliver a seamless experience.
The BYOD trend has blurred the line between personal and business productivity applications. However, if not properly secured, a consumer app can weaponize a device and bring down your entire enterprise.
To avoid this threat, organizations need to rethink their security strategy now, so that employees can fully utilize mobile and cloud technology to enhance their experience at work, without compromising on the integrity of the organization and its data.