A security breach is demoralizing and damaging to business, and the resulting cleanup is a long and expensive road to travel down. A mobile security breach, in particular, presents a unique challenge: the response plan becomes much more complicated due to the personal nature of the mobile device itself.

With the adoption of BYOD and work emails being accessed on personal devices, a tangled web of data cross-pollination is being created that can present significant security risks.
Wandera research has shown that companies globally spend twice as much cleaning up mobile security breaches as they do on investments in mobile security software. The study also revealed that more than 28 percent of U.S. companies reported having suffered a mobile security breach over the course of a year, with the cost of remedying the breach at $250,000 to $400,000 in many cases.

If a company has a breach, you just replace the CEO, just replace the CEO, maybe replace the CFO and then it just happens again.
Erno Doorenspleet, Global Executive Security Advisor, IBM

Before the boom – threat defense

Erno Doorenspleet, Global Executive Security Advisor, IBM, explains the “boom” moment as the moment things go wrong. Before the boom is where mobile threat defense applies. But when defenses are circumvented, the dominos begin to fall.
At Wandera’s annual mobile security conference LEVEL, Erno describes a mobile security breach beginning with a phishing attack. And he’s right to point this out as the first chink in the armor. According to the Verizon Data Breach Report, 90% of data breaches begin with a phish, and IBM research also suggests users are 3x more likely to click on a phishing link on mobile than on desktop.
From there, a number of things can happen. In Erno’s example, after the phishing link is clicked, malware is deployed, credentials are stolen, remote access is gained, a database is stolen, additional compromises take place and then the boom moment happens.
The boom moment is when the mobile security breach becomes public and the company reputation is at risk. Erno describes the moment a reporter calls the unsuspecting CEO of a breached company with a line of questioning and then asks the audience how they would respond to the questions. The audience looks physically uncomfortable at the thought.

We need to think about our reaction. How quick can we be? Do we know what to say? Because saying nothing could also mean that you’re confirming.
Erno Doorenspleet, Global Executive Security Advisor, IBM

After the boom – crisis response

This is where we move into the next phase after the boom moment – crisis response. During this phase the company can be negatively impacted by reputational damage causing social media sentiment to fall, stocks to fall and negative press coverage to come out.
During this phase, a number of crisis response actions can take place depending on the nature of the mobile security breach and the nature of the company affected. These might include updating executives, holding a press conference, undertaking forensic research, notifying third parties, setting up a response website, a legal deposition, or an SEC investigation.

Who should be the best trained person? Should it be the CEO? Should it be the person who has the best contact with the employees and with the press? People’s behavior is very important when you have an attack. You need the right tools, you need the right protection, you need to have the right data. Then you need to act upon those components.
Erno Doorenspleet, Global Executive Security Advisor, IBM

In the immediate aftermath of a mobile security breach, a business can use data insight to maintain compliance and quantify the risk posed by the attack. Even if a company uses corporate VPNs and encrypted business apps, these are of little help if an employee sends company data to an unapproved cloud storage solution or emails it to themselves so they can ‘work on it at home’.
The day will come when that popular third-party cloud storage app used by employees suffers a breach. When that happens, businesses will need fast access to the data which can help them understand how exposed they are before they can take action.

Transparency is important in mobile security breach response

In 2017, shipping giant Maersk suffered from the NotPetya malware outbreak. According to the company’s chair Jim Hagemann Snabe, basically all of the company’s systems went down. The company had to revert to manual systems while a team reinstalled a complete infrastructure including 4,000 new servers, 45,000 new PCs, and 2,500 applications in just 10 days, an effort that would normally take 6 months. The cost incurred was between $250m and $300m.
Erno discusses this as an example of a well-planned breach response that was centered around transparency. The company was publishing ongoing notifications on social media that explained how it was handling the situation. There was also a commander’s intent sent from the CEO instructing employees to “do what you think is right to serve the customers, don’t wait for headquarters, we’ll accept the cost.”

It’s so easy to complain about companies when they don’t do things right, but Maersk were open and clear. They shared their challenge.
Erno Doorenspleet, Global Executive Security Advisor, IBM

Build a security culture

IT teams should re-evaluate their security culture. Some companies attack their own environment to test its resilience. Some have mobile data centers so if they are under attack they can switch on the mobile data center and they are up and running. Some have a runbook that explains who to call and what to do.

This is what I mean by train as you fight – understand what you need to do, understand how to use the data you have on your endpoints, on your mobile device, to make sure you can make the right decisions.
Erno Doorenspleet, Global Executive Security Advisor, IBM

Most IT and security teams are well-versed in what happens before the boom moment: they understand threats and they understand threat defense. But when a breach happens, these teams also need to understand the process after the boom, the crisis response. It’s not just about security; it’s about legal, HR and PR too. The whole company needs to be considered when you have a data breach.