PARTNER CONTENT: We live in a mobile-centric world. Around two decades ago, our devices were clunky, monolithic handsets useful for little more than voice calls and texting. Today’s smartphones are high-powered microcomputers millions of times more powerful than the machines that first put humankind on the moon. That’s some journey. And it’s not over yet.
By the end of 2022, over 5.4 billion people globally subscribed to a mobile service, including 4.4 billion who also used the mobile internet. Smartphones are our gateway to entertainment, travel, banking, healthcare, social interaction and much more. They also keep us productive in and away from the office, by connecting to the corporate network and a myriad of cloud-based business applications.
But where there is money to be made and users to exploit, cyber-criminals won’t be far behind. They know that our devices are often less well protected than laptops and desktops, and that we use them impulsively. They also know that smartphones and tablets can be a trove of sensitive logins and a gateway to corporate data, apps and networks. One vendor detected a 51% increase in mobile malware variants between 2021 and 2022.
Against this backdrop, consumers, telcos and enterprise IT managers need a more effective way to mitigate cyber risk on devices. But in the enterprise space at least, no single vendor has yet been able to combine the value of mobile device management (MDM), enterprise mobility management (EMM) and mobile threat defence (MTD). That is about to change.
Consumers and enterprises in the crosshairs
Consumers and businesses face many of the same mobile security challenges. In fact, often we use the same device in our personal and professional lives – known as BYOD. The problem with this is while many of us run security software on our home PC, we may be less inclined to do so on our smartphone. That exposes these devices to a myriad of threats including malicious applications, kernel and OS exploits and phishing.
The latter is particularly prevalent. Since 2021, mobile phishing encounter rates have increased around 10% for enterprise devices and over 20% for personal devices, according to one study. This isn’t just about scam emails: voice phishing (vishing), SMS phishing (smishing) and QR code phishing (quishing) increased seven-fold in Q2 2022.
In fact, the attack surface of a typical mobile environment is even bigger than this. Public Wi-Fi can expose consumer and business users to additional threats like man-in-the-middle (MITM) attacks and rogue access points. In rarer cases, threat actors may even build rogue base stations to lure unsuspecting users.
And to what end are these varied tactics, techniques and procedures (TTPs) put? In the consumer sphere, the end goal is to harvest app credentials, particularly banking and crypto logins, to sell on the dark web and/or commit identity fraud. Cyber-criminals may want to lock devices down with ransomware in order to extract a fee, or monetise attacks in another way, such as installing adware or enrolling the device in premium-rate services.
When it comes to enterprise threats, hackers are usually looking to steal corporate credentials to reach sensitive business data stored in SaaS apps or on the corporate network. Or they may want to install spyware on the device of a high-profile user. Data theft, ransomware and extortion are an ever-present risk. A Verizon report published in 2022 found that 45% of organizations had recently experienced a mobile-related compromise in which they lost data or suffered downtime—almost double the 2021 figure. Three-quarters (73%) described it as a “major” incident.
Industry is failing
Consumers and enterprise IT bosses underestimate these threats at their peril. From a corporate perspective, security breaches can be a major source of financial and reputational damage. The average cost of a data breach globally today is nearly $4.5m, although in some countries like the US ($9.5m) and sectors like healthcare ($10.9m) it’s far higher.
Breaches lead to downtime, and possible legal and regulatory action, and can derail important digital transformation initiatives. But enhancing mobile security is not just about mitigating risk. It can also be an enabler. Most (85%) respondents to the Verizon report say that flexibility in where staff work and what devices they can use is important to attracting the best new talent.
In the enterprise sphere, IT bosses often have the headache of managing mobile security risk in a BYOD context. This is a challenge because there may be a broad range of user devices and mobile ecosystems to support. Devices may be shared, and users may download risky apps or visit dangerous websites. As NIST explains, they may therefore be exposed to “a greater risk of unauthorised access to sensitive information, email phishing, eavesdropping, misuse of device sensors, or compromise of organisational data due to lost devices to name bit a few risks.”
Despite a market size estimated at around $25bn today, the mobile security industry is failing to meet these challenges. MTD solutions are good at threat protection, but not enforcing corporate security policies like remote lock and data backup. EMM products might be helpful at securing corporate data on devices, but usually don’t include network security features, malware or jailbreak detection, and other important elements. MDM tools are great at enforcing corporate policy remotely, but not necessarily threat defence like anti-malware, app control and phishing protection.
In short, no solutions currently on the market typically offer a full gamut of capabilities across these traditional categories, or collect enough dynamic data to stop advanced threats in their tracks.
A new approach
Pligence offers a different approach. Founder and CEO Hassan Khan spent decades working at some of the world’s biggest IT, cybersecurity and mobility companies. Several years ago he was hit with a realisation: no market player offered a holistic solution to handle enterprise mobile security management and threat defence. The answer was the Pligence Connect, an enterprise mobile security platform offered in three distinct flavours.
Secure Mobile Connect is designed for corporate mobile phone users requiring secure VPN access to the internet and specific non-sensitive corporate network resources. It features a VPN alongside malware and surveillance protection capabilities. Secure BYOD Connect supports secure and controlled access to corporate resources on personal mobile devices. A containerised and securely encrypted workspace separates business and personal realms, and there’s also data loss prevention, remote wipe and centralised reporting/monitoring. Secure Device Connect is designed to enable secure management of company-owned devices, offering complete device management, malware detection, data loss prevention, app whitelisting, location detection, full device encryption and remote wipe.
The key to the platform’s threat prevention capabilities is its data collection and analysis, using intelligent machine learning algorithms to identify existing and novel threats. Pligence crucially also offers a consumer mobile security product, greatly expanding the number of endpoints it can collect threat data from. Inventory management enables efficient tracking of BYOD devices, while security policies can be enforced in a highly granular manner unique to each organisation. For enterprise customers, the benefit of the unified platform is in eliminating the need to handle multiple point solutions for mobility security and management, thereby reducing administrative overheads. This in turn provides a more seamless user experience.
Hitting the ground running
After garnering hundreds of thousands of App Store and Google Play downloads for its consumer product brand Privacy Defender, the focus for Pligence is now on building momentum. Co-Founder Haris Khan, is looking to drive strategic investments, partnerships with ODMs and white label agreements with telcos to grow footprint. On the enterprise side, the firm is looking to Tier 1 and Tier 2 partners.
The mobile security space is ripe for disruption, as governments take action to mandate improved device protection. The UK’s new Product Security and Telecommunications Infrastructure Act 2022 will take effect on 29 April 2024, requiring manufacturers to implement minimum-security standards on all consumer products with internet or network connectivity such as smartphones, smart meters, CCTV cameras and smart speakers. Organisations will also be incentivised to enhance mobile security as cyber-insurance policies become more prescriptive.
By combining integrated mobility management with proactive threat detection built on AI-powered intelligence, there is a tremendous opportunity to help organisations mitigate security, privacy and compliance risk while reducing admin time and costs. It adds up to simplicity, efficiency and cost savings without compromising on security.