Got MDM? You still need mobile security

It is common practice for businesses to implement some kind of central tool to manage smartphones and tablets. Normally, this is done through solutions referred to as mobile device management (MDM), which can ensure mobile devices are configured properly for business use.

MDMs can also be used to mandate certain built-in device security settings, such as device lock-screen and pin code length. It would be a mistake, however, to assume that this provides adequate enterprise-grade security. Such an assumption could leave your organisation exposed to the growing number of cyber threats targeting mobile devices. While MDM provides security-related functionality, its main purpose is to manage the device – as the name implies.

From phishing to malware, network and device-based attacks, mobile devices are targeted by threats every single day. Having a dedicated and robust mobile security solution in addition to an MDM is a necessity to ensure that your business, your employees and your data are effectively protected.

To help you better understand how to holistically secure your organization, here are five key reasons why MDM alone is not sufficient for mobile security.

#1 – MDM is for management…as the name implies.

While MDM solutions may be essential for central management, organisations need to understand the boundaries of an MDM’s capabilities in relation to security. Organisations can use MDM for security-related reasons, such as locating and wiping lost devices, securely distributing enterprise apps,, administering app containers and ensuring the device OS is up to date.

What MDMs don’t do is detect or protect against the full spectrum of mobile threats associated with apps, device integrity, phishing messages and network connectivity. Even in organisations using an MDM and an email filtering solution in place, it was found that employees still received and clicked on phishing links. The rise of mobile phishing was further amplified by  COVID-19, where there was a 37% increase in mobile phishing encounter rates.

#2 – MDMs can’t detect threats.

To effectively detect modern mobile threats, your security solution needs access to comprehensive telemetry. Applying artificial intelligence to telemetry data enables a mobile security solution to automatically detect vulnerable or malicious apps, phishing attacks, device exploits and network attacks.

These are capabilities that MDMs simply do not have. Users that have their mobile devices enrolled under company management can still fall victim to a phishing attack across email, SMS, social media or any other app for that matter. Successful phishing attacks can result in the installation of malicious apps that silently log keystrokes, or persuade the user to simply divulge their credentials. A compromised account can then be used to access corporate accounts and data.

#3 – Remediation is absent in MDM.

Since MDMs do not detect mobile threats they cannot help remediate or even notify users that threats persist on their device.

Mobile security is required to close this gap and enable an organization as well as the user of the device to know if mobile threats continue to persist. Mobile security can also empower the device user to follow step-by-step instructions to remediate the threat, decreasing the administrative burden on the organization’s security team.

#4 – MDM does not ensure Zero Trust mobile access to apps and data. 

Once an employee has enrolled their device with an MDM and configured it to adhere to company policies, they are free to use approved cloud apps and access sensitive data. Such blind trust is particularly dangerous in environments where employees are permitted to use their personal devices for work, to load personal apps onto a work device, and to use the mobile browser for personal web access.

Mobile security provides continuous real-time monitoring for threats, enabling an organization to continuously assess the risk of mobile devices in their fleet, wherever they’re located. In addition, mobile security can integrate with an MDM to enforce policies when the risk level changes because new threats are detected. For example, the MDM can restrict access to cloud apps, virtual-private-network connections and sensitive data.

#5 – MDM doesn’t cover personal devices.

Enabling employees to bring your own device (BYOD) is a common strategy businesses use to provide flexibility to their employees. Appetite for the strategy has now spiked due to the rapid shift to working from home during the COVID-19 pandemic. The trend will continue as the digital transformation of our economy continues and remote workforce becomes permanent. According to Gartner Inc., “Gartner predicts that, by 2022, more than 75% of smartphones used in the enterprise will be BYOD.”* This will force a migration from device-centric management to app- and data-centric management.

Often employees cite privacy concerns when asked to don’t want to enroll under an MDM. One alternative to using an MDM is mobile application management (MAM). The goal of MAM is to contain and manage only the apps employees use, instead of the entire device.

Similar to MDMs, a MAM has no ability to protect against mobile threats directly or enable remediation when threats are detected. Similarly, mobile security is the perfect complement to MAM to secure personal devices that have access to your corporate data.

Why you need a dedicated mobile security solution

Purely relying on MDM to fulfill your mobile security needs will leave your corporate data at risk. You need the real-time detection and protection of a mobile security solution. But you also need the management functions of an MDM. A truly comprehensive mobile strategy will integrate both. As the world settles into the new normal where everyone works remotely permanently, make sure you have the tools in place to secure your workers regardless of where they are.

To learn more about the strengths and weaknesses of mobile device management (MDM), the threats MDM’s are blind to, and how to effectively protect your mobile devices, watch this free webinar provided by Lookout’s Director of Security Solutions, Chris Hazelton

*Gartner “Decision Point for B2E User Authentication,” Paul Rabinovich, 24 September 2019.  (Gartner subscription required)