I don’t know if cybercriminals could have designed a riskier threat vector than unmanaged mobile phones, tablets, or other devices. They’re the perfect storm of risks: users open more emails on their phones than on desktops, and those emails are harder to scrutinize on a smaller screen than they are on desktop devices. Employees typically use personal phones to access professional resources, and those devices don’t have the same security capabilities as managed devices.
And the worst risk of all? Unmanaged devices and BYOD are now a fixture of the work-from-anywhere economy. They’re a problem that we’re stuck with, and, increasingly, a way in for threat actors: last year, 60% of endpoints accessing enterprise assets were mobile devices. That same year, the Verizon Mobile Security Index found that 60% of businesses allowed mobile users to access email on their own phones and tablets.
More mobile traffic means more cybersecurity incidents: overall mobile-related compromise doubled from 2021 to 2022, and 61% of companies “with a global presence” were likely to be affected by a mobile-related breach. The impact of those attacks is also getting worse: 73% of organizations that experienced mobile-related compromise described it as a “major” incident. IBM’s Cost of a Data Breach Report 2023 found that the average data breach costs organizations $4.45 million—and that remote workforces tend to be a cost amplifier when pricing out cybersecurity incidents. It’s no wonder that the 2023 RSA ID IQ Report found that 97% of self-described cybersecurity experts believed that unmanaged devices are prime targets for identity compromise.
Last year, it was clear to one of our customers—and one of the world’s largest financial services organizations—that those trends represented a problem. Because just one compromised device could have led to unauthorized access that put their IP, sensitive data, data, and brand at significant risk, they asked RSA to work with Zimperium to secure users’ mobile phones and tablets. That request led to the development of RSA® Mobile Lock, which delivers both security and convenience to keep users’ devices safe.
RSA Mobile Lock can be deployed as part of the RSA Authenticator App for iOS and Android. When RSA Mobile Lock detects a critical threat on a user’s device, it restricts any authentication using our app—that means that any threats or bad actors on a mobile device can’t authenticate into a secured environment or access sensitive data.
RSA Mobile Lock balances security, convenience, and users’ preferences. With the rise of ‘Bossware’ and ‘Tattleware’, users don’t want to install corporate security solutions on their personal devices, and asking non-employees like contractors or clients to install a third-party security solution is a non-starter.
RSA caters to that preference by building RSA Mobile Lock directly into the RSA Authenticator App for iOS and Android: users don’t need to install and manage a third-party mobile app on their phone for the additional security features the solution provides. Like the best security solutions, it’s invisible and frictionless for users most of the time.
When it does detect threats, RSA Mobile Lock only restricts the RSA authenticator. Every other feature on the device, including calls, texts, email, and web browsing remains unaffected and operational.
Since launching RSA Mobile Lock, we’ve made additional updates to account for evolving mobile security threats. Now, admins can configure their RSA Mobile Lock deployment and set policies for an expanded catalog of threats, including whether the device is compromised by a malicious iOS profile or malicious apps, system tampering, man-in-the-middle attacks, malware, spyware, as well as other device- and compliance-based threats.
Admins can also now see the full list of devices that Mobile Lock protects across their ID Plus deployment. Using new dashboards, admins can also see summary and detailed views of the threats that RSA Mobile Lock detects to better understand the risks targeting their users and respond to their security vulnerabilities.
Mobile Device Management (MDM) provides basic management services on phones, tablets, and other devices. And while MDM solutions can track devices, help IT departments deploy updates, provision entitlements, they’re not built to secure mobile devices. MDM can’t look for zero days, malware, or other-hacker led device exploits. Moreover, employees, contractors, and clients loathe installing MDM solutions on their personal phones.
RSA Mobile Lock isn’t an MDM solution. It scans for the mobile security vulnerabilities that MDM misses—and that can cost organizations big: IBM’s report found that one of the most frequent causes of data breaches were unknown zero-day security vulnerabilities, which cost organizations $4.45 million per breach.
That said, RSA Mobile Lock can complement MDM, EMM, or MTD solutions if an organization is using them. For instance, an organization can use MTD on managed devices and RSA Mobile Lock on managed or unmanaged devices.
See the following for more information about how RSA Mobile Lock is different from EMM, MDM, MTD and a summary of the Mobile Lock threat catalog:
