Making Your Case
The growth of SaaS and Cloud computing means the case for mobile endpoint security is clear
As a CISO, Security Architect, Risk Manager or Security Analyst, it’s your job to identify the best way to mitigate information security risk within your organization. Sometimes this will involve implementing a technical solution to protect against a new or growing threat. You will have come to this decision after examining the range of alternative approaches to addressing the threat and, in the case of a technical solution, having assessed multiple vendor offerings.
But for many, this is the easy part. It’s essentially a technical issue, a question of diligence and expertise, likely conducted with peers who share your deep understanding of and engagement with cybersecurity risks and technologies and the tradeoffs involved in any such decision. Now the time comes to bring your proposal to upper management, perhaps the executive team or the Board. Now you need to articulate, in terms that the non-technical will understand, why your organization needs to spend time, money and resources on the project; that is, you need to make the business case.
What then is the business case for investing in mobile endpoint security?
Why we need a mobile endpoint security solution now
The first question you must answer is, ‘Why now?’ In other words, what has changed in the information security environment that makes it urgent to implement mobile endpoint security today? After all, employees have been using smartphones since the advent of the iPhone.
The reason why mobile endpoint security is a business priority today is straightforward. The move to cloud means that mobile users now have access to the same business systems that are available on traditional laptops and desktops. In the past, laptops and desktops had access to a much wider range of applications because they were joined to the corporate network either directly or through a VPN. Today that distinction is disappearing: all devices access cloud or SaaS applications on the same basis.
This gives us our first argument for the need for mobile endpoint security:
“More and more of our business applications will be accessible directly from our employees’ phones and tablets:
– We are now using the Microsoft 365 suite, including Outlook, Teams, OneDrive, Word and Excel, all of which are accessible from employee mobiles.
– In the last two years, the organization has adopted a wide range of SaaS applications.
– We expect that the number of SaaS applications used by the business will continue to increase.”
Parity of protection
Your senior management is very aware that the organization has a range of security solutions in place to protect traditional endpoints. What they may not appreciate is that these solutions do not operate in the mobile environment. Web content is not filtered, mobile phishing messages are not blocked, and phones are not scanned for malware infection.
This leads us to the second argument in support of mobile endpoint security – parity of protection:
“While we have an endpoint security solution deployed on desktops and laptops, we don’t have equivalent protection on employee mobile devices. This means we have no protection against malicious content, phishing over SMS and other messaging applications, and mobile malware.”
Mobile Devices are not invulnerable
85% of mobile phishing attacks are outside email. SMS, WhatsApp, and other messaging, social and collaboration platforms are all being targeted with increasingly sophisticated phishing attacks.
Based on data from the hundreds of organizations using Corrata, we know that most employees receive a mobile phishing message at least once a month. We also know that one in five devices has a poor security configuration, making it susceptible to malware infection. And one third access websites with weak encryption, leaving employees exposed to data loss. Nothing in your mobile device management system addresses these threats.
This leads us to the third argument in support of mobile endpoint security – heightened risk:
“There are a range of risks which are not addressed by the built-in security on iOS and Android or by our mobile device management system. These include:
– Targeted phishing attacks sent directly to mobiles over SMS, WhatsApp, Slack and other messaging and collaboration platforms.
– Attacks which bypass our multi-factor authentication by stealing authentication cookies. A successful attack would allow unauthorized access to our business systems over a prolonged period.
– Malicious software which allows attackers to read messages and other content sent to and from our employees’ phones.
– Poor encryption of data in transit leading to unauthorized disclosure of company and customer information sent to and from mobile devices.
– Non-compliance with the acceptable use policy which restricts access to inappropriate content.
– Failure to keep phone software up-to-date and other poor security configurations.”
How mobile endpoint security helps
You’ve made a strong set of arguments for the need to do something about the mobile security gap. You now need to introduce the solution. This means explaining what a mobile endpoint security solution will do. In doing this, it’s important to remember that your audience will assume it’s like the endpoint security solution with which they’re familiar – this might be a traditional anti-virus solution or a more modern EDR solution. Mobile endpoint security incorporates virus scanning and malware detection and response but also next-generation firewall, web-filtering, and anti-phishing features:
“The mobile endpoint security solution we’re proposing will protect us by doing the following:
- Blocking links to phishing sites, malware download sites, sites which are contrary to our acceptable use policy, and other malicious sites. It provides the equivalent of the web filtering we currently have on our desktops and laptops.
- Detecting any malware present on a device. Any device with malware installed is automatically prevented from accessing our business applications. This is equivalent to the [anti-virus, endpoint protection, or endpoint detection and response] software on our laptops and desktops.
- Preventing any data being sent to or from our phones without proper encryption. This ensures that our data cannot be snooped on by bad actors monitoring WiFi or other networks. This is equivalent to the protection provided by using a VPN.
- Assigning a security score to each device. Employees are prompted to keep their devices up to date, to remove any risky applications, and to correct any poor configurations. Devices with low scores can be automatically prevented from accessing business applications. This is equivalent to features provided by our endpoint protection software on laptops and desktops.”
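The fourth feature above, a per-device security score that gates access to business applications, is easiest to understand as a small posture-evaluation policy. The following is an added example, not code from the original article or from Corrata’s product: it assumes a constructed set of posture facts an agent might report (OS version, screen lock, jailbreak/root status, malware detection, risky apps, weak-transport sightings), assumed minimum OS versions and score thresholds, and a constructed sample fleet. It generalizes the text slightly by showing how malware detection overrides the score entirely while the other findings only reduce it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed minimum supported OS versions (constructed for this example,
# not a vendor baseline).
MIN_OS_VERSION = {"iOS": (16, 0), "Android": (13, 0)}

# Assumed score thresholds for the conditional-access decision.
BLOCK_BELOW = 70   # below this the device is cut off from business apps
WARN_BELOW = 90    # below this the employee is prompted to fix findings


@dataclass
class DevicePosture:
    """Posture facts a mobile agent would report for one managed phone (assumed schema)."""
    device_id: str
    platform: str                       # "iOS" or "Android"
    os_version: Tuple[int, int]         # (major, minor)
    screen_lock_enabled: bool = True
    jailbroken_or_rooted: bool = False
    malware_detected: bool = False
    risky_apps: List[str] = field(default_factory=list)
    weak_tls_sites_7d: int = 0          # sites reached over weak/plaintext transport in the last 7 days


def score_device(p: DevicePosture) -> Tuple[int, List[str]]:
    """Return a 0-100 posture score and the list of findings that lowered it."""
    if p.platform not in MIN_OS_VERSION:
        raise ValueError(f"unknown platform {p.platform!r}")
    score = 100
    findings: List[str] = []
    if p.os_version < MIN_OS_VERSION[p.platform]:
        score -= 30
        findings.append("os_out_of_date")
    if not p.screen_lock_enabled:
        score -= 20
        findings.append("no_screen_lock")
    if p.jailbroken_or_rooted:
        score -= 40
        findings.append("jailbroken_or_rooted")
    if p.risky_apps:
        score -= min(10 * len(p.risky_apps), 30)      # capped so apps alone cannot zero the score
        findings.append("risky_apps:" + ",".join(p.risky_apps))
    if p.weak_tls_sites_7d:
        score -= min(5 * p.weak_tls_sites_7d, 20)
        findings.append(f"weak_tls_sites:{p.weak_tls_sites_7d}")
    if p.malware_detected:
        score = 0                                        # malware is disqualifying on its own
        findings.append("malware_detected")
    return max(score, 0), findings


def access_decision(p: DevicePosture) -> Dict[str, object]:
    """Map a device's score to allow / warn / block for business-application access."""
    score, findings = score_device(p)
    if p.malware_detected or score < BLOCK_BELOW:
        action = "block"
    elif score < WARN_BELOW:
        action = "warn"
    else:
        action = "allow"
    return {"device_id": p.device_id, "score": score, "action": action, "findings": findings}


def evaluate_fleet(devices: List[DevicePosture]) -> Dict[str, Dict[str, object]]:
    """Evaluate every device and key the decisions by device id."""
    return {p.device_id: access_decision(p) for p in devices}


# Constructed sample fleet covering a clean device, an out-of-date one,
# a device with minor findings, and an infected device.
SAMPLE_FLEET = [
    DevicePosture("phone-001", "iOS", (17, 2)),
    DevicePosture("phone-002", "Android", (12, 0), screen_lock_enabled=False),
    DevicePosture("phone-003", "iOS", (17, 0), risky_apps=["sideloaded-vpn"], weak_tls_sites_7d=2),
    DevicePosture("phone-004", "Android", (14, 0), malware_detected=True),
]

if __name__ == "__main__":
    for decision in evaluate_fleet(SAMPLE_FLEET).values():
        print(f"{decision['device_id']}: score={decision['score']:>3} "
              f"action={decision['action']:<5} findings={decision['findings']}")
```

The point for the executive conversation is visible in the sample output: a device with one or two minor findings is only warned and the employee is prompted to fix them, an out-of-date device loses access until it is updated, and malware removes access outright regardless of anything else. The weights and thresholds are policy knobs that the security team, not the vendor, would set.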
No negative impact on employees
Having convinced your executive team of the need for a solution and the practical protections it will deliver, your final step is to address two common objections. The first relates to employee acceptance. Your senior managers will be only too aware that employees don’t like being surveilled. They also love their phones and don’t want anything interfering with the smooth functioning of their devices. So it is important to be able to reassure your executives that the solution respects employee privacy, and does so in a transparent and easy-to-communicate manner.
This means a solution that doesn’t track location, scan images or other content, read messages, or record browsing history.
You should also be able to offer the reassurance that your chosen solution runs unobtrusively in the background without impacting the normal operation of the device. Employees are only required to interact with the app in the rare case that their manual intervention is required to resolve a security issue.
Easy to deploy and needs little ongoing management
The second concern will be around the impact on the (undoubtedly stretched) security operations team. The good news is that mobile endpoint security focuses on preventing attacks: blocking phishing and malware download sites, preventing unencrypted communications, and disabling malware. Alerts and escalation requirements are generally minimal, and mature solutions will integrate with your existing security operations stack.
The final clincher: the solution is quick and easy to deploy (and hence carries no upfront professional services costs) and is priced as a single all-inclusive annual fee with no hidden extras.
In conclusion: you should approach your senior management with confidence. Mobile endpoint security is a cost-effective, easy-to-deploy and easy-to-manage technology which addresses a gap in your defences that, unless addressed, will only get larger.
Best of luck!