GDPR will punish lax mobile security. Are you prepared?
The EU’s General Data Protection Regulation (GDPR) went into effect on May 25, 2018, and companies the world over are now racing to address the new rules and achieve compliance. And they’d better, because the penalties for noncompliance are severe — as much as 4 percent of global annual revenue, depending on the nature of the offense.
And yet, urgent as their efforts are, many companies are still not aware of one of their biggest compliance risks: mobile. Mobile devices and apps used in the workplace can easily cause organizations to run afoul of the rules.
The hidden risks of mobile apps
Much of the problem boils down to a lack of visibility. A lot of companies just don’t know what apps their employees are downloading and the dangers that those apps may pose to organizational data.
What sort of dangers? As Slate explains, most mobile apps — even legitimate ones — collect large amounts of data that isn’t necessary for their operation, such as specifics about the device and the user’s physical location. This means that sensitive data could be leaking out via these legitimate yet insecure mobile apps while corporations remain unaware.
In fact, the potential for exfiltration of data via mobile apps is often one of the largest blind spots in corporate security. And this is a huge problem because, under these rules, organizations are required to know whether data is secure and whether any data elements could be used to de-anonymize users and reveal personally identifiable information.
For example, say your company decides to use a third-party app for expense reporting and you encourage all employees to download it. If that app ends up collecting and exporting sensitive data without your knowledge, you’ve just exposed yourself to penalties. Worse, if the app has security vulnerabilities, then those vulnerabilities are on the devices of every employee, putting your organization at risk of data loss — or worse. Even if you didn’t build that app yourself, under GDPR, you’re liable for any data leakage it has caused.
And if you did build that app? Apps built in-house also pose the risk of noncompliance. That’s because developers — even the ones in your company — rely on a common ecosystem of software development kits and third-party software libraries to build their apps. As a result, they don’t always fully understand the data that is being collected or where it’s going. This, in turn, makes it more difficult to secure data and protect it properly.
Visibility means going beyond EMM
Many companies assume they have mobile security covered with their enterprise mobility management (EMM) tools. But EMM alone does not keep all mobile data safe and in compliance. EMM can tell you which apps are installed on employee devices, but it can’t tell you what those apps do and whether they present data-leakage risks or compliance concerns.
If your company is not currently monitoring mobile risks, you need to start now — or risk penalties for noncompliance. The first step is to gain visibility into your mobile risks. You need to understand exactly what mobile apps are running and what threats they pose. When you have achieved this visibility, then you can start to make informed decisions regarding which apps you allow employees to use and what permissions within these apps you need to restrict. You can build an enforcement campaign by creating and maintaining whitelists and blacklists of apps that do or don’t comply.
Many companies are aware they have a compliance issue, but they are overwhelmed by the scope of the problem. Traditionally, companies did penetration testing to guard against vulnerabilities. But this is a slow, manual process designed for enterprise software packages. It’s not practical for today’s mobile environments, in which employees could be running thousands of different apps. How in the world can you keep track of all those apps? And how can you manage all the new versions that come out each month?
Automating mobile app security
This is where automation comes in. There are now mobile security solutions that can automatically analyze millions of apps in real time to determine their risk levels and ensure that the apps comply with a corporation’s specific security, privacy and regulatory policies.
When a particular app does pose a risk, these solutions can then send an immediate alert to employees and security teams instructing them to take action and remove that app. Some mobile security solutions even recommend alternative apps that are safer to use.
These solutions will protect your company against GDPR violations and, as a bonus, will constantly remind your workforce of the importance of data security. Employees have a large and direct influence on the overall security posture of any organization because they’re on the front lines. If they’re aware of data security concerns, they’ll be able to make better judgments about which apps to install.
It’s always in your best interest to empower users to make better decisions about the apps they download — and there are many good tools now available. Some enable employees to investigate apps before they install them to make sure they’re secure and don’t place data at risk. By empowering your employees to self-manage their app use, you’ll better protect your company against data leaks while ensuring compliance.
A good mobile security solution will also allow you to align your app compliance policies with customizable policy controls. For example, say an app wants permission to collect calendar information. Even though that action is not overtly malicious, this is not the kind of app you want on the devices of employees who are based in the EU, travel to the EU or otherwise fall under GDPR jurisdiction.
App security strong enough for GDPR
With the right tool, you can set and enforce policies and gain control of apps that access data such as calendar information or user credentials. You can keep them off the devices of workers who are based in the EU or who frequently visit the EU, while allowing them on the devices of employees who are entirely US-based.
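The permission-based, region-scoped control described above (and the app lists mentioned under "Visibility means going beyond EMM") can be expressed as a small policy evaluator. This is an added example, not code from the article or from any product it alludes to; the permission names are Android's, while the permission groups, the `Device` model and the inventory are constructed for illustration.

```python
"""Constructed example: flag apps whose requested permissions touch calendar
or credential data, and block them only for devices in GDPR scope."""
from dataclasses import dataclass, field

# Hypothetical policy groups built from real Android permission names.
SENSITIVE_GROUPS = {
    "calendar": {"android.permission.READ_CALENDAR",
                 "android.permission.WRITE_CALENDAR"},
    "credentials": {"android.permission.GET_ACCOUNTS",
                    "android.permission.USE_CREDENTIALS"},
}

@dataclass
class Device:
    owner: str
    home_region: str                 # e.g. "EU" or "US"
    travels_to: set = field(default_factory=set)

    def in_gdpr_scope(self) -> bool:
        # Based in the EU, or a frequent traveller to the EU.
        return self.home_region == "EU" or "EU" in self.travels_to

def sensitive_groups_requested(permissions):
    """Return the policy groups an app's permission list intersects."""
    requested = set(permissions)
    return {name for name, perms in SENSITIVE_GROUPS.items() if perms & requested}

def evaluate(device, permissions):
    """Decide allow/block for one app on one device; also report why."""
    hits = sensitive_groups_requested(permissions)
    decision = "block" if hits and device.in_gdpr_scope() else "allow"
    return decision, sorted(hits)

def build_lists(device, inventory):
    """Split an app inventory {name: [permissions]} into the per-device
    allowed and blocked app lists the article talks about maintaining."""
    allowed, blocked = [], []
    for app, perms in sorted(inventory.items()):
        decision, _ = evaluate(device, perms)
        (allowed if decision == "allow" else blocked).append(app)
    return allowed, blocked

if __name__ == "__main__":
    # Constructed sample inventory for a quick run.
    inventory = {
        "expenses": ["android.permission.INTERNET", "android.permission.READ_CALENDAR"],
        "notes": ["android.permission.INTERNET"],
    }
    print(build_lists(Device("alice", "EU"), inventory))   # (['notes'], ['expenses'])
    print(build_lists(Device("bob", "US"), inventory))     # (['expenses', 'notes'], [])
```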
With the arrival of GDPR, the data stakes are higher than ever. Don’t gamble. Demonstrate compliance by taking the necessary steps to detect mobile risks and secure mobile data. Implement the tools you need to gain actionable intelligence, detect and prevent threats — and avoid crippling penalties.