I don’t know if cybercriminals could have designed a riskier threat vector than unmanaged mobile phones, tablets, or other devices. They’re the perfect storm of risks: users open more emails on their phones than on desktops, and those emails are harder to scrutinize on a smaller screen than they are on desktop devices. Employees typically use personal phones to access professional resources, and those devices don’t have the same security capabilities as managed devices.

And the worst risk of all? Unmanaged devices and BYOD are now a fixture of the work-from-anywhere economy. They’re a problem that we’re stuck with, and, increasingly, a way in for threat actors: last year, 60% of endpoints accessing enterprise assets were mobile devices. That same year, the Verizon Mobile Security Index found that 60% of businesses allowed mobile users to access email on their own phones and tablets.

More mobile traffic means more cybersecurity incidents: overall mobile-related compromise doubled from 2021 to 2022, and 61% of companies “with a global presence” were likely to be affected by a mobile-related breach. The impact of those attacks is also getting worse: 73% of organizations that experienced mobile-related compromise described it as a “major” incident. IBM’s Cost of a Data Breach Report 2023 found that the average data breach costs organizations $4.45 million—and that remote workforces tend to be a cost amplifier when pricing out cybersecurity incidents. It’s no wonder that the 2023 RSA ID IQ Report found that 97% of self-described cybersecurity experts believed that unmanaged devices are prime targets for identity compromise.

Mobile device security is cybersecurity

Last year, it was clear to one of our customers—and one of the world’s largest financial services organizations—that those trends represented a problem. Because just one compromised device could have led to unauthorized access that put their IP, sensitive data, and brand at significant risk, they asked RSA to work with Zimperium to secure users’ mobile phones and tablets. That request led to the development of RSA® Mobile Lock, which delivers both security and convenience to keep users’ devices safe.

RSA Mobile Lock can be deployed as part of the RSA Authenticator App for iOS and Android. When RSA Mobile Lock detects a critical threat on a user’s device, it restricts any authentication using our app—that means that any threats or bad actors on a mobile device can’t authenticate into a secured environment or access sensitive data.

RSA Mobile Lock balances security, convenience, and users’ preferences. With the rise of ‘Bossware’ and ‘Tattleware’, users don’t want to install corporate security solutions on their personal devices, and asking non-employees like contractors or clients to install a third-party security solution is a non-starter.

RSA caters to that preference by building RSA Mobile Lock directly into the RSA Authenticator App for iOS and Android: users don’t need to install and manage a third-party mobile app on their phone for the additional security features the solution provides. Like the best security solutions, it’s invisible and frictionless for users most of the time.

When it does detect threats, RSA Mobile Lock only restricts the RSA authenticator. Every other feature on the device, including calls, texts, email, and web browsing remains unaffected and operational.

Stop mobile security threats from spreading

Since launching RSA Mobile Lock, we’ve made additional updates to account for evolving mobile security threats. Now, admins can configure their RSA Mobile Lock deployment and set policies for an expanded catalog of threats, including whether the device is compromised by a malicious iOS profile or malicious apps, system tampering, man-in-the-middle attacks, malware, spyware, as well as other device- and compliance-based threats.

Admins can also now see the full list of devices that Mobile Lock protects across their ID Plus deployment. Using new dashboards, admins can also see summary and detailed views of the threats that RSA Mobile Lock detects to better understand the risks targeting their users and respond to their security vulnerabilities.

Mobile Device Management doesn't detect critical cybersecurity vulnerabilities

Mobile Device Management (MDM) provides basic management services on phones, tablets, and other devices. And while MDM solutions can track devices and help IT departments deploy updates and provision entitlements, they’re not built to secure mobile devices. MDM can’t look for zero days, malware, or other hacker-led device exploits. Moreover, employees, contractors, and clients loathe installing MDM solutions on their personal phones.

RSA Mobile Lock isn’t an MDM solution. It scans for the mobile security vulnerabilities that MDM misses—and that can cost organizations big: IBM’s report found that one of the most frequent causes of data breaches was unknown zero-day security vulnerabilities, which cost organizations $4.45 million per breach.

That said, RSA Mobile Lock can complement MDM, EMM, or MTD solutions if an organization is using them. For instance, an organization can use MTD on managed devices and RSA Mobile Lock on managed or unmanaged devices.

See the following for more information about how RSA Mobile Lock is different from EMM, MDM, MTD and a summary of the Mobile Lock threat catalog:

RSA Mobile Lock Versus EMM, MDM, and MTD

Contracting
EMM, MDM, and MTD:
Separate commercial relationship required
RSA Mobile Lock:
Add-on component to RSA ID Plus C1, E1, and E2 subscription packages, and included in E3 packages

Installation
EMM, MDM, and MTD:
Separate installation required
RSA Mobile Lock:
Part of the RSA Authenticator app for iOS and Android

Behavior
EMM, MDM, and MTD:
Always on, always scanning, and can slow down other apps
RSA Mobile Lock:
Only active when RSA Authenticator app is running, does not affect other apps or device behavior

UX
EMM, MDM, and MTD:
High degree of frustration and pushback from users, particularly from employees asked to install software on personal devices and from non-employees like contractors and clients
RSA Mobile Lock:
RSA Mobile Lock is deployed as part of the RSA Authenticator app; no action from users required

Security
EMM, MDM, and MTD:
Risk detection for out-of-date operating systems, no PIN passcode set, or standard user jail breaks
RSA Mobile Lock:
Advanced security monitoring for a large catalog of threats, including zero-days and other malware, fake Wi-Fi and man-in-the-middle attacks, and other hacker-led device exploits

RSA Mobile Lock Threat Catalog

See the following for some of the default, device-, and compliance-based cyber threats RSA Mobile Lock can detect. For a demonstration of RSA Mobile Lock, contact RSA sales.

Default critical threats
App tampering
System tampering
Man-in-the-middle or SSL Stripping attacks

Device-based threats
App debug enabled
App running on emulator
Device Jailbroken/Rooted

Compliance-based threats
Device PIN not set
Vulnerable upgradable operating system
Vulnerable non-upgradable OS
