There is a lot of uncertainty around mobile security, largely because it is a fairly nascent area that has seen little development so far. Developers often focus on performance, UI and UX, and security takes a backseat. As a business, the early focus is mostly on acquiring new customers with every penny you can spend. To be honest, mobile security is not that difficult to implement. No matter what stage your business is in, there are definitely a few things you can take care of quickly.
"Through 2020, 99% of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year." - Gartner
This post helps demystify many of the mobile security myths that cloud the vision and planning of developers and business owners. I would advise you to read the following myths once so that you can unlearn them. Unlearning is necessary if you want to clear out the rumors and tell what is right from what is wrong.
1) Public app stores are safe because they have security filters
Enterprises need to create their own download procedure so that they have full administrative rights and can monitor threats. A vulnerability in an app will compromise your mobile security, and there is a chance of data leakage or theft. It is true that Apple and Alphabet take measures to ensure apps are secure, but at Appknox we found that 75% of the apps in public app stores do not pass basic security checks. Here is a good read for you: 10 Reasons Why Apple Rejects Apps From The App Store.
2) Mobile security evaluations in IT audits can be ignored
Usually, IT audits cover specific devices, machines and computers. Many organizations miss auditing employees' personal devices to see whether their security measures match company policy. Giving employee devices the same focus as networks and computers puts you one step ahead in mobile security. Here's an infographic that shows why you SHOULD care about mobile security.
3) PCs are more secure than mobile phones
Mobile devices hold less data than personal computers, which means the risk of data loss is greater on computers than on mobile phones. Mobile phones are handier than computers, and that is why security can be more flexible. Most smartphones use the cloud to store data centrally, unlike computers, which means that data recovery is more plausible on smartphones than on computers.
4) Two-factor authentication can be neglected for mobile security
Since mobile phones are handier, there is a higher chance of one getting lost regardless of your presence of mind. Two-factor authentication guarantees that nobody other than you can sign in, because apart from the user ID and password, an additional sign-in code is required. That sign-in code can be sent to another device or be available on the same device.
5) Data encryption is not required for mobile devices
If your company does not encrypt data on mobile devices, you are vulnerable to exploitation by hackers, which hampers overall mobile security. If for some reason cloud storage is not available, a person in the field will use local storage, which will contain special notes, sales flows, contact lists, photos and other sensitive information. Thus, data encryption is a must for complete mobile security.
6) BYOD security policies are confusing and complicated
You can sign up for a BYOD policy instead of using an enterprise-issued device. The IT department's guidelines include monitoring of certain applications and administration of a few mobile applications. As long as your device is ready to meet these needs, there is hardly any difference between an enterprise-issued device and bringing your own.
7) Mobile devices have more security software vulnerabilities than PCs
PCs have more layers of code in their operating systems; their OS is much more extensive than that of mobile phones. Mobile phones are always with their users, which means that the IT department has to put in more effort to deliver new security and software patches as soon as they are available.