Security and privacy strategies for CISOs in a mobile-first world

In this Help Net Security interview, Jim Dolce, CEO at Lookout, discusses securing mobile devices to mitigate escalating cloud threats. He emphasizes that organizations must shift their approach to data security, acknowledging the complexities introduced by mobile access to cloud-based corporate data.

Dolce also highlights the need for AI-driven automation and a defense-in-depth strategy to protect sensitive information effectively.

Mobile threats can escalate to the cloud. How can organizations mitigate the risks associated with misconfigurations and human errors?

First, there needs to be a shift in thinking when it comes to data security and an acknowledgment that the threat landscape has become much more complex with the majority of sensitive corporate data now residing in the cloud rather than in dedicated private data centers, multiple servers, network equipment, and storage devices. At the same time, an organization’s employees are also changing how they access and interact with that data across an expanding array of cloud-based apps.

And the human factor complicates every dimension. The modern workforce is characterized by the desire for flexibility, with users who want to work from anywhere on any device and share information freely. Attackers can count on people making mistakes when using their mobile devices, and because nobody’s perfect, a small human error can lead to a big enterprise data breach opportunity. On the IT side, misconfiguration of the cloud infrastructure due to human error or lack of understanding of where data lives can also expose a company’s apps and data.

Recognizing these factors, threat actors have begun to evolve their tactics, techniques and procedures (TTPs), reflecting a distinct shift away from traditional malware or vulnerability-based attacks. For example, we’re now seeing an increasing number of bad actors targeting mobile device users with social engineering attacks designed to steal credentials and impersonate users. Once the attacker gets their hands on those legitimate logins, they can quickly enter critical corporate infrastructure and exfiltrate sensitive data within minutes rather than months. This is what we describe as the modern cyber kill chain.

This brings us to the second part, which is to recognize that traditional strategies and legacy technologies cannot address and protect against these new TTPs. Device management alone doesn’t have real-time insights, which means you won’t know an active attack is even happening until it’s too late. And traditional phishing training only focuses on emails and what you can detect on a traditional endpoint such as a laptop.

Within today’s threat landscape, it’s nearly impossible to rely on human reflexes and manual processes to mitigate these new risks. Instead, organizations must think about adopting a defense-in-depth approach to their security strategy – one that provides continuous insights into what’s happening to their mobile devices, and an ability to detect and respond with AI-driven automation to protect sensitive data in the cloud no matter where it goes.

With data spread across numerous apps and cloud repositories, how can organizations ensure visibility and protection against data exfiltration?

There are two main aspects to this. First, organizations require total and continuous visibility into what data they have across those different environments, whether they’re cloud services, private apps, or web destinations, and how users are accessing and interacting with corporate data. Second, organizations should have the tools to enforce policies based on those insights so they can react quickly should there be a bad actor going after their data in the cloud.

To ensure visibility and protection against data exfiltration, organizations need to take a true data-centric approach to security and data risk management — an approach that is designed to maximize visibility, access, and control all at once. It starts with insights into where breaches began, namely mobile devices and social engineering attacks. But it also requires a cloud-based data loss prevention (DLP) solution to detect and classify data across the organization, and then protect the data as it flows to different apps, websites, and endpoints.

With the rise of remote work, what critical best practices should organizations implement to secure mobile devices?

The challenge with remote work and the rise of mobile device usage is that the line between personal and professional have blurred, which means any personal risks will affect the enterprise.

With that in mind, organizations should enforce multi-factor authentication across all devices for employees. This will prevent certain account takeovers and shorten the time that an attacker does have access if they do get in. Another best practice is to regularly update and patch devices, including unmanaged and personal devices, the last piece is to make sure that your training is modernized. Attacks are now squarely focused on mobile devices, so you can’t just focus your training on traditional endpoints and preventative measures.

How important is it to have consistent security policies across all devices and platforms, and what challenges do organizations face in achieving this consistency?

Enforcing consistent security policies across all devices and platforms is critical. This helps mitigate risks by ensuring that all devices follow the same security standard and it reduces exploitable security gaps. It also helps alleviate resourcing issues by streamlining operations, ensuring that IT and security teams can more effectively respond to incidents and adhere to regulatory compliance.

Of course, this is much easier said than done. Legacy technologies and strategies rely on specialized tools that don’t necessarily play well with each other. To overcome these challenges, organizations must be strategic in how they’re selecting their tools. This means reviewing requirements from a top-down perspective and implementing solutions that work together no matter where or how data is being accessed or utilized.

How can CISOs balance security and user privacy in the context of BYOD and corporate mobile devices?

Far too often, privacy and security are viewed as opposite ends of a spectrum. But they don’t have to be. While putting security controls on employer-owned devices is a no-brainer, the increasing overlap of personal with professional means that organizations need to think about how to secure employee-owned devices that are being used for work.

Because the line between personal and professional has become so blurred, if one of an organization’s employees is breached from their personal device, it means their corporate data may also be exposed. That’s why, to maintain both privacy and data security, organizations need a mobile security strategy that covers all end-user devices — including personal devices.

Protection monitoring for iOS, Android, and ChromeOS devices can be a particular challenge, which is why organizations should consider using AI and machine learning to strike the right balance. Implementing a big-data solution can allow organizations to efficiently detect and respond to threats without requiring the resource-intensive and intrusive scanning of traditional endpoint security.

At the end of the day, this all really comes down to how you approach it. Legacy solutions are very intrusive, making it difficult to talk about security in the context of BYOD. With this in mind, it’s important for CISOs to look under the hood of their security tools and understand how they approach privacy and security in parallel within the context of the evolving workforce.