The best code you’ll ever write is the code you write with your customers. That’s what happened in 2022, when one of our customers—and one of the world’s largest financial services organizations—told us they had a problem: they needed to secure users’ unmanaged devices.
This need wasn’t unique to this customer, or even to financial services generally. The global pandemic, financial headwinds, and remote work have all made unmanaged devices a fixture of the work-from-anywhere economy. Organizations don’t want to pay for every cellphone, laptop, and tablet. Employees don’t want their employers to install software on their phones.
While unmanaged devices may help an organization’s bottom line, they still come at a high cost. By their very nature, unmanaged devices aren’t as secure as managed hardware. And threat actors are taking notice: Verizon’s 2022 Mobile Security Index found that mobile-related compromise had doubled from 2021 to 2022. About one-fifth of successful phishing emails come from mobile devices, per the 2022 Verizon Data Breach Investigations Report.
And it’s not just that organizations are encountering more breaches—it’s that those breaches have an even deeper impact: 73% of organizations that experienced a mobile-related compromise described it as a “major” breach. The 2022 IBM Cost of a Data Breach Report found that “costs where remote working was a factor in causing a breach” were roughly $1 million more than when employees were on site.
Unmanaged devices expand the attack surface, are inherently less secure than managed hardware, and are still necessary to doing business. Our customer wanted to have their cybersecurity cake and eat the cost savings, too. At the same time, cybercriminals wanted to poison the cake, burn down the kitchen, and ransom the recipes.
We found a way forward by working with Zimperium to develop RSA Mobile Lock, which prevents risks and detects on-device threats.
Mobile Lock is automatically deployed as part of the RSA Authenticator App—it’s not a second app that users need to manage. Once installed, Mobile Lock scans for critical risks like jailbroken devices, suspicious apps, elevation of privileges, man-in-the-middle attacks, and other threats. If it detects a threat, Mobile Lock restricts users from using the RSA Authenticator. When it detects a threat, Mobile Lock leaves all other systems on the device unaffected—a user can still call, text, connect to the Internet and, ideally, contact their IT department to resolve the issue.
Mobile Lock addressed our customer’s problem—they can now establish trust in unmanaged mobile devices. Since launching the solution in October 2022, we’re seeing early signs of massive uptake in the solution, with additional customers in healthcare, manufacturing and supply chain, and other financial services adopting Mobile Lock.
The growing number of unmanaged devices is a major accelerant driving explosive growth in the attack surface: increasing users, entitlements, and environments are making larger, more interconnected, and more vulnerable IT universes.
The Global Mobile Threat Report and some of the highest-profile breaches in recent memory—including Colonial Pipeline, SolarWinds, and LAPSUS$—demonstrate how threat actors are successfully exploiting that growth. Zimperium’s observation that the volume and sophistication of attacks are increasing significantly is absolutely correct.
If anything, that’s putting it too lightly: there’s simply too much spread across too many fragmented security solutions for humans to process at speed or scale. Today, I can’t expect my security team to review everything—instead, I need them to prioritize the right thing. And the only way to do that is with automated intelligence solutions that find the signal in the noise, triage risks, and automate responses.
Our initial version of Mobile Lock was a great start at delivering those capabilities, but it was just a start. Cybersecurity’s way forward demands a comprehensive approach that ingests signals, risks, and threats across the entire IT estate and at every stage of the identity lifecycle. The next version of Mobile Lock will do just that: it will review a broader array of signals, risks, and threats, and build that intelligence into a broader security fabric.
Mobile Lock v1 solved the last problem—Mobile Lock v2 will get in front of the next problem. That’s right where we need to be for our customers.
###
This article appears in the Zimperium 2023 Global Mobile Threat Report.