
Security and privacy strategies for CISOs in a mobile-first world

In an interview with Help Net Security, Jim Dolce, CEO of Lookout, discusses securing mobile devices to limit threat escalation in the cloud. He emphasizes that organizations must change their approach to data security, recognizing the complexity that mobile access to corporate data in the cloud introduces.

Dolce also highlights the need for AI-based automation and a defense-in-depth strategy to effectively protect sensitive information.

Mobile threats can penetrate the cloud. How can organizations reduce the risk of misconfiguration and human error?

First, there needs to be a shift in thinking when it comes to data security, and an acknowledgment that the threat landscape has become much more complex, with most sensitive corporate data now residing in the cloud rather than in dedicated private data centers, multiple servers, networking equipment and storage devices. At the same time, organizational workers are also changing the way they access and interact with data in an increasing number of cloud-based applications.

And the human factor complicates every dimension. Today’s workforce is characterized by a desire for flexibility, with users wanting to work from anywhere, on any device, and share information freely. Attackers can count on people to make mistakes when using mobile devices, and since no one is perfect, a small human error can lead to the possibility of a data breach at a large enterprise. On the IT side, misconfiguration of cloud infrastructure due to human error or a lack of understanding where data resides can also put a company’s applications and data at risk.

Recognizing these factors, threat actors have begun to evolve their tactics, techniques and procedures (TTPs), reflecting a marked shift away from traditional malware or vulnerability-based attacks. For example, we are now seeing an increasing number of bad actors targeting mobile device users using social engineering attacks to steal credentials and impersonate users. Once an attacker has these legitimate login credentials, they can quickly gain access to critical corporate infrastructure and extract sensitive data in minutes, not months. This is what we describe as the modern cyber kill chain.

This brings us to the second part, which is recognizing that traditional strategies and legacy technologies cannot address or protect against new TTPs. Device management alone doesn’t provide real-time analytics, which means you won’t know an active attack is taking place until it’s too late. Traditional phishing training focuses solely on emails and what can be detected on a traditional endpoint such as a laptop.

In today’s threat landscape, it is almost impossible to rely on human reflexes and manual processes to mitigate these new threats. Instead, organizations need to consider adopting a defense-in-depth approach to their security strategy – one that provides continuous visibility into what is happening with their mobile devices and the ability to detect and respond with AI-powered automation to protect sensitive data in cloud environments, regardless of where it is located.

How can organizations ensure visibility and protection against data exfiltration when data is distributed across multiple applications and cloud repositories?

There are two main aspects to this issue. First, organizations require complete and continuous visibility into what data resides in various environments, whether they are cloud services, private applications or Internet destinations, and how users access company data and how they use it. Second, organizations should have the tools to enforce policies based on these insights so they can respond quickly if someone intercepts their data in the cloud.

To ensure visibility and protection against data breaches, organizations must adopt a truly data-centric approach to managing data security and risk – an approach that aims to maximize visibility, access and control simultaneously. This starts with visibility into where breaches began, namely mobile devices and social engineering attacks. However, it also requires a cloud-based data loss prevention (DLP) solution that detects and classifies data across the organization and then protects it as it flows to various applications, websites and endpoints.

What are the most important best practices that organizations should implement to secure mobile devices as remote work evolves?

The challenge with remote working and the increase in mobile device use is that the line between home and work is blurring, meaning any personal risk will have an impact on the business.

With this in mind, organizations should enforce multi-factor authentication among employees on all devices. This will prevent some account takeovers and reduce the access time for an attacker if they do get in. Another good practice is to regularly update and patch devices, including unmanaged and personal devices. The final piece is to make sure your training is modernized. Attacks now focus solely on mobile devices, so the focus cannot be solely on traditional endpoints and preventive measures.

How important is it to have consistent security policies across all devices and platforms, and what challenges do organizations face in achieving this consistency?

Enforcing consistent security policies across all devices and platforms is critical. This helps reduce risk by ensuring that all devices meet the same security standard and also reduces exploitable vulnerabilities. It also helps alleviate resource issues by streamlining operations, enabling IT and security teams to more effectively respond to incidents and adhere to regulatory compliance.

Of course, this is much easier said than done. Legacy technologies and strategies rely on specialized tools that don’t necessarily work well together. To overcome these challenges, organizations must strategically select tools. This means viewing requirements from a top-down perspective and implementing solutions that work together no matter where or how data is accessed or used.

How can CISOs balance user security and privacy in the context of BYOD and enterprise mobile devices?

Too often, privacy and security are seen as opposite ends of a spectrum. But they don’t have to be. While implementing security controls on employer-owned devices is a no-brainer, the increasing overlap between personal and professional devices means organizations must consider how to secure employee-owned devices used at work.

As the line between private and professional life has become very blurred, if someone within an organization has their personal device compromised, it could mean that their company data could also be exposed. Therefore, to maintain both privacy and data security, organizations need a mobile security strategy that covers all end-user devices – including personal devices.

Monitoring the protection of iOS, Android and ChromeOS devices can be particularly challenging, so organizations should consider leveraging AI and machine learning to strike the right balance. Deploying a big data solution can enable organizations to effectively detect and respond to threats without the resource-intensive and invasive scanning of traditional endpoint security.

Ultimately, it really depends on how you approach it. Older solutions are very intrusive, which makes it difficult to talk about security in the context of BYOD. With this in mind, it is important for CISOs to look under the hood of their security tools and understand how they are approaching privacy and security in parallel in the context of an evolving workforce.