Establishing a mobile device vulnerability management program

August 23, 2022  |  Kazi Arif

The introduction of mobile devices has rapidly changed the world as we know it: these small gadgets, designed to fit in the palm of a hand, quickly came to dominate our day-to-day activities. Thanks to these portable devices, we now have access to an abundance of information on demand with minimal effort.

Mobile devices have become so capable that your phone holds a significant amount of data about you as an individual: locally stored files, communication activity (social media, e-mail, text messages, audio calls), built-in health and fitness trackers, access to financial accounts through NFC (near-field communication) payment cards, and GPS location history. Information that was once considered "personal data" now lives on portable devices that are more susceptible to physical theft, to man-in-the-middle attacks when connected to insecure wireless and cellular networks, and to exploitation of the vulnerabilities that are routinely found in mobile operating systems.

The periodic release of security updates for mobile devices attests to the fact that the operating system software running on them is never 100% secure. Data stored and processed by mobile devices is at high risk of breach, and business organizations are not exempt from this threat.

Businesses across a wide array of industry verticals are shifting their technological landscape to adapt to a portable ecosystem by introducing mobile devices. As the presence of mobile devices in a business environment grows, these devices are frequently not secured through appropriate patch update cycles, and unauthorized users may also be accessing company-owned devices.

These mobile devices typically have access to substantial amounts of information and may literally serve as the "keys to the kingdom" by acting as Multi-Factor Authentication (MFA) tokens for business information systems. An organization may have invested countless hours and resources in securing its information technology infrastructure, but all that effort is undermined by the fact that data is no longer static within the confines of the organization's firewall perimeter.

Your data is now always on the move with your employees' mobile devices. As a result, an effective mobile device vulnerability management program is more imperative than ever, in order to consistently identify, track and remediate vulnerabilities before malicious users can exploit them to gain access to your resources.


Mobile devices are not traditionally given a first thought when establishing a formal vulnerability management program; the assets that typically come first include workstations, servers, networking appliances and web applications.

However, new vulnerabilities are discovered and published daily in the various vulnerability databases, and many of them specifically affect mobile devices. Mobile devices must not be overlooked when establishing your vulnerability program. A vulnerability scan can typically discover hundreds of findings across your mobile device fleet, but it takes the exploitation of only one of them to hand the keys to your kingdom to a malicious actor.

Organizations invest a significant amount of resources in securing their IT infrastructure, yet these mobile devices now serve as an entry point directly into the environment, providing access to potentially petabytes of your data. Despite these concerns, mobile device vulnerability management unfortunately remains an afterthought.

Without a formal vulnerability assessment for mobile devices, undetected vulnerabilities on these devices have the potential to expose your organization to various threats. If vulnerabilities are not actively discovered among your mobile devices, they remain present on your network and will not go away on their own. Formal vulnerability management for mobile devices is integral to identifying, mitigating, transferring, and accepting the risks the organization has identified.

Leading vulnerability management platforms in the cybersecurity space can be deployed into most environments with ease. On most mobile devices, all that is needed is a device-based agent (a mobile application) downloaded and installed from the platform's app store, followed by a one-time enrollment process. That enrollment is what gives the organization visibility into the device: a device that has not been enrolled is a device that has not been assessed.

Vulnerability management for mobile devices, together with the device-management privileges the agent is granted at enrollment, will provide you with control over your portable devices:

  1. Use industry-recognized vulnerability scanning solutions to help you identify and inventory your mobile devices, as well as the data that is stored on them
  2. Provide active vulnerability detection and misconfiguration identification, and consolidate software update/patching information
  3. Deploy patches and software updates efficiently
  4. Normalize mobile device data across a wide range of device types and operating systems
  5. Block mobile devices from connecting to unknown wireless networks
  6. Trigger actions on your mobile devices remotely, such as locking the user's screen, resetting devices, and forcing software updates or removals
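Items 2 and 4 above are where most of the practical work sits: the agent export mixes iOS and Android records that describe versions and patch state differently, and the program has to normalize them before it can say which devices are behind. The following is an added example, not code from the original post or from any vendor's product. It takes a constructed inventory (the device records, the baseline OS versions and the 90-day patch-age limit are all assumptions made up for illustration) and returns, per device, the findings a practitioner would want to feed into remediation tracking. Android exposes a monthly "security patch level" as a date, which is why the Android branch checks age rather than a version number.

```python
"""Added example: normalize a mixed iOS/Android inventory and flag devices
that fall behind a patch baseline. Records and baseline are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Assumption: minimum acceptable OS version per platform. A real program
# takes these from the organization's own standard, not from this file.
BASELINE = {
    "ios": (15, 6, 1),
    "android": (12, 0, 0),
}
# Assumption: an Android security patch level older than this is stale.
MAX_ANDROID_PATCH_AGE = timedelta(days=90)


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str                   # raw platform string as exported by the agent
    os_version: str                 # e.g. "15.6.1", "12", "Android 13"
    patch_level: str | None = None  # Android security patch level, "YYYY-MM-DD"
    enrolled: bool = True           # False means the agent never reported in


def normalize_platform(raw: str) -> str:
    """Map the assorted platform labels agents emit onto two canonical names."""
    p = raw.strip().lower()
    if p in ("ios", "ipados", "iphone os"):
        return "ios"
    if p == "android":
        return "android"
    raise ValueError(f"unknown platform: {raw!r}")


def parse_version(raw: str) -> tuple[int, int, int]:
    """Turn '15.6.1', '12', 'Android 13' or 'iOS 16.0' into (major, minor, patch)."""
    digits = raw.strip().lower().replace("android", "").replace("ios", "").strip()
    parts: list[int] = []
    for token in digits.split("."):
        if not token.isdigit():
            raise ValueError(f"unparseable version: {raw!r}")
        parts.append(int(token))
    parts += [0] * (3 - len(parts))        # pad "12" to (12, 0, 0)
    return parts[0], parts[1], parts[2]


def evaluate(device: Device, today: date) -> list[str]:
    """Return the findings for one device; an empty list means compliant."""
    if not device.enrolled:
        return ["not enrolled: no agent data, cannot be assessed"]
    findings: list[str] = []
    platform = normalize_platform(device.platform)
    version = parse_version(device.os_version)
    minimum = BASELINE[platform]
    if version < minimum:                   # tuple comparison is lexicographic
        findings.append(
            f"os below baseline: {device.os_version} < {'.'.join(map(str, minimum))}"
        )
    if platform == "android":
        if device.patch_level is None:
            findings.append("android security patch level missing")
        elif today - date.fromisoformat(device.patch_level) > MAX_ANDROID_PATCH_AGE:
            findings.append(f"android security patch level stale: {device.patch_level}")
    return findings


def report(inventory: list[Device], today: date) -> dict[str, list[str]]:
    """Evaluate every device and key the findings by device id."""
    return {d.device_id: evaluate(d, today) for d in inventory}


# Constructed sample inventory: five made-up records in the shapes agents produce.
SAMPLE_INVENTORY = [
    Device("ios-001", "iOS", "15.6.1"),
    Device("ios-002", "iPhone OS", "14.8"),
    Device("and-003", "Android", "Android 13", patch_level="2022-08-05"),
    Device("and-004", "android", "11", patch_level="2022-03-05"),
    Device("and-005", "Android", "12", enrolled=False),
]

if __name__ == "__main__":
    for dev_id, findings in report(SAMPLE_INVENTORY, date(2022, 8, 23)).items():
        print(dev_id, "OK" if not findings else "; ".join(findings))
```

The unenrolled device is reported as a finding rather than silently skipped: a fleet report that only lists enrolled devices understates the exposure, because the devices nobody can see are exactly the ones that never get patched.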

An organization should safeguard its mobile devices and have a fundamental understanding of the mobile device assets in use across the enterprise, which the inventory and discovery capabilities of current vulnerability scanning solutions can provide. For an organization with an extensive inventory of mobile devices, a vulnerability management tool makes it possible to automate and simplify the fundamental tasks involved in securing these devices.

A vulnerability management tool will also identify vulnerabilities and provide recommendations on how to mitigate them. In a formal vulnerability management program, organizations should establish documented policies, procedures and standards that define the scanning frequency for mobile devices. Our recommendation is to scan as frequently as possible, because new vulnerabilities are continually discovered and published, and mobile operating system vendors release security patches in response.

As the advancement of modern technologies continues to take place at a rapid rate, the capabilities of mobile devices and scope of collected information by these devices will also expand, which will only increase the risk exposure of sensitive data to potential threats.

It is essential that business organizations proactively establish and continuously build upon their formal mobile device vulnerability management programs before a breach occurs, as monetary loss as well as damage to brand reputation from such an incident is challenging to recover from. Establishing a formal security program for mobile devices in your organization’s technology landscape will ultimately protect your employees, customers, and overall business.

Check out AT&T Cybersecurity’s managed vulnerability services with consulting experience to help you establish your program.
