According to the SecureIT Quarterly Malware Report: Q2 2013, there was a 39% increase in virus detections from the first to second quarters of this year, with 1.8 million viruses detected in Q2 2013.
“We anticipate malware authors will continue to evolve their attention to fast-growing mobile platforms in the months to come, but we expect to see an active malware environment in the desktop space as this remains a viable business and personal platform for many users," said Ed Barrett, Vice President of Marketing and Communications, SecurityCoverage Inc.
Actually, desktop malware is enabling hackers to go mobile. The 2013 Mobile Malware Report from BlueCoat Systems showed, “The most successful mobile malware tactics, including scams, spam and phishing, are classics that dominated the threat landscape when malware first moved to the web. These device-agnostic, easy-to-deploy attacks provide a natural crossover point for cybercriminals that are interested in launching attacks against mobile devices.”
And these cybercriminals are not the typical “two Freds in a shed” type of developers. Some rings are being operated like a business with affiliates, marketers and updates, according to an investigation into Russian malware by Lookout. The security company recently reported that it identified 10 “malware headquarters” with organized operations.
Of the key findings, Lookout discovered, “Organized groups of Android malware authors are operating like startups: tapping multiple individuals or organizations for specialization in different business areas, leveraging online tools for promotion and developing affiliate programs.” These malware “families” even release regular code updates to stay ahead of security. Lookout compared them to “agile software companies.”
While this investigation focused on Russia, Lookout noted that it has been actively tracking such incidents since 2010. “Three years later, we’ve seen significant advancements in sophistication and evasion techniques.”
In the case of the Russians, Twitter was used as a distribution channel for the malware, and that leads to the BYOD concern. With the proliferation of employee-owned devices that access corporate data, and that are being used personally as well (to Tweet, for example) enterprises must address the increased security risks.
The BlueCoat Report noted that extending security to mobile devices is “essential” for protecting corporate assets and their employees. “Cybercriminals see the value in these targets as businesses continue to adopt BYOD…”
Yet, corporate policies lag behind the advancement in and amount of mobile malware, and when policies are inconsistent or not enforced, the business impact can be severe. What’s the state of BYOD? A recent TEKsystems survey on the topic showed that existing policies lack clarity —only half of IT leaders (48%) and just a third of IT professionals (35%) believe the policy is crystal clear.
More than half of IT leaders and 65% of IT professionals report that their employers fall within one of three extremes regarding their BYOD policy: either “nothing has been communicated,” “there are no official policy guidelines,” or “employees are not allowed to use their own devices at work.”
Given the threat of a data leak, any employee who does not understand an organization’s stance on BYOD poses a risk. Failure to clarify the company’s policy and educate end users on security best practices creates dangerous assumptions, even among leadership.
For those with BYOD policies, many fail to adequately protect sensitive company data anyway. Alarmingly, 73% of IT leaders and IT professionals believe that sensitive company data is at risk with approximately half that feel 25% or more of their companies’ sensitive data is exposed.
A whopping, 33% of IT leaders and 46% of IT professionals confirm that their organizations do not have the capability to remotely wipe data off employee devices if necessary. Plus, 35% of IT leaders and a quarter of IT professionals are not confident their organizations are compliant with government mandates.
“Organizations have an obligation to protect sensitive data pertaining to their clients and employees,” saaid TEKsystems Research Manager, Jason Hayman. “Without formal BYOD plans in place and consistent execution, organizations leave themselves exposed. Additionally, they may be failing to capitalize on the potential benefits of BYOD, including increases in productivity and collaboration.”
Chris Marsh, Principal Analyst, Enterprise Mobility, Yankee Group, in his article busting mobility myths, offered this advice on security: “Mobile’s ubiquity means that the analytics that are becoming available relating to the user management of devices, applications and networks has applicability for both improved management and enhanced security. Treating the two as conceptually different is legacy thinking and will slow innovation. Companies should look for integrated policy control to drive risk management and GRC contingencies across all mobile assets.”
Bring Your Own Problem
Cyber Threat is Real and Mobile
Ransomware Holds Android Hostage