Management of Mobile Device Risks

Mobile devices have proliferated since their introduction into the market. Their sizes have become smaller and their capabilities have increased, so cybersecurity professionals tasked with managing these devices for the workplace must be aware of the risks and consequences associated with these technologies.

Mobile devices use Wi-Fi, cellular networking, or other technologies that connect to the internet or other data networks. In addition, mobile devices use an operating system that is not a full-fledged desktop or laptop operating system, and often contain applications available through multiple methods: some that came with the device, some that were accessed through the web, and some acquired and installed from third parties (Souppaya & Scarfone, 2013). These factors pose security challenges for a cybersecurity professional.

The National Institute of Standards and Technology's Special Publication 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in the Enterprise, notes that since mobile devices are used outside the organization (homes, businesses, hotels), those devices are more likely to be lost or stolen, putting the data at increased risk (Souppaya & Scarfone, 2013). This is just one reason why cybersecurity managers need to create an environment in which workers will adhere to a strong password policy, so that a lost or stolen device does not give whoever holds it immediate access to the data on it.

Another potential risk that cybersecurity managers must address is workers' use of untrusted networks when accessing their company's mainframe. Since mobile devices primarily use nonorganizational networks for internet access, the organization has no control over the security of those external networks (Souppaya & Scarfone, 2013).

Communications systems, such as Wi-Fi and cellular networks, can be targets of eavesdroppers. Man-in-the-middle attacks may also be performed to intercept and modify communications (Souppaya & Scarfone, 2013).

Finally, since third-party applications on mobile devices are common, they pose subtle risks to organizations, which cannot easily monitor the apps on the devices. As NIST 800-124 Rev. 1 points out: "This poses obvious security risks, especially for mobile device platforms and application stores that do not place security restrictions or other limitations on third-party application publishing" (Souppaya & Scarfone, 2013). Cybersecurity managers should treat third-party apps as untrusted.

References

Souppaya, M., & Scarfone, K. (2013, June). Guidelines for managing the security of mobile devices in the enterprise: Special Publication 800-124, Revision 1. National Institute of Standards and Technology. http://dx.doi.org/10.6028/NIST.SP.800-124r1