No one wants to talk about cyber threats. It’s boring, it’s convoluted, it’s happening to someone else, right? No. It’s here. And it affects enterprises and end-users alike as mobility, while enabling lightning-fast communications and the power to be productive, also attracts potential security risks.
Fax machines and copiers, and of course, the desktop itself, were made specifically with the business in mind, eventually finding themselves in consumer homes. In contrast, smartphones and tablets became popular in the enterprise because of the consumer. And now these devices have extensive access to corporate data and enterprise applications.
According to recent research by Check Point Software Technologies, 45% of businesses globally have five times the amount of personal mobile devices running on their networks as they had two years before. Yet, according to the same report, The Impact of Mobile Devices on Information Security, 63% of businesses do not manage corporate data on personal devices, and 93% have trouble adopting BYOD policies.
“We are taking consumer devices and using them in a business environment which has presented a number of challenges for security departments around the world,” said Steve Durbin, Global Vice President, Information Security Forum (ISF), in an interview with Mobile Enterprise.
A non-profit organization with offices in New York and London, ISF was advising members about BYOD, acceptable usage policies, and whitelisting apps, for several years. (Members come from the Fortune 500 and governmental agencies.) Now, because the market has matured fairly quickly, along with a proliferation of devices and uses, the organization’s advice has switched course: get a better handle on the information the corporation needs to protect, Durbin said.
In fact, trying to keep pace with the new devices hitting the market is an absolute nightmare, he said. “Focus on who should be allowed to access data and from where, and that changes the game.”
“From a hacker’s perspective, I’d rather steal a smartphone than a laptop,” said Grayson Milbourne, Security Intelligence Director, Webroot, to Mobile Enterprise, noting that the former is not likely to be locked yet still has access to information.
With saturation in the smartphone market, the great number of Android devices in use, as well as an exploitable platform prone to fragmentation, it was just a matter of time before hackers focused on smartphones, Milbourne said. (He noted that 60K malicious Android apps are discovered monthly.)
One such recent discovery, by Bluebox, is a vulnerability in Android’s security model “that allows a hacker to modify APK code without breaking an application’s cryptographic signature, to turn any legitimate application into a malicious Trojan, completely unnoticed by the app store, the phone, or the end user.”
Rather than waiting for cyber-thieves to exploit, however, Webroot believes that security can be proactively embraced by both the enterprise and end-user. (In 2011, the company initially marketed a mobile security solution to consumers. Due to BYOD, the company quickly saw a bleed-over to business and introduced an enterprise version in response.)
But it comes down to this: education and implementation. The enterprise needs to inform employees of potential threats, and enforce IT policies and practices. In addition, education also falls on the security industry itself, through thought leadership and research papers.
Policy is Imperative
Mitch Black, President, MOBI Wireless Management, notes that "the emerging trend of BYOD is controversial within companies, and most people are hesitant about adopting a BYOD policy right away." Why is it controversial? Security and personal information concerns, as well as the legal issues related to it, he replied.
However, having a mobile policy in place, and enforcing it, makes it easier to adopt BYOD. "Mobile policy is the foundation, step one, because if you don’t have policy, you are never going to have adherence. Goals regarding security, cost, will not be met," he said.
What About Two-Factor?
Authentication, that is. (The two-factor process requires a user to present multiple credentials before he or she is allowed access to systems which require a login.) Will it help?
Very likely, but enterprises have to know about it first, and again, users have to embrace it. A new Impermium study on consumer perspectives and behaviors regarding cybersecurity shows that 75% of Americans have never signed in using two-factor authentication. Why? Almost a third, 27%, thought it was either inconvenient or intrusive (as in, asking for personal information).
“One way to make it more inconvenient is to not hassle users when you don’t need to,” said Mark Risher, CEO, Impermium, to Mobile Enterprise. “Have an intelligent system that decides whether or not to bother the user. If a user logged in only 22 hours ago, the corporation can set a ‘reliable risk’ that allows login without prompting the user.”
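The risk-based prompting Risher describes can be expressed as a small decision rule. The following is an added illustration written for this article, not code from Impermium or from any product named here; the 24-hour window, the device-recognition check and all sample timestamps are assumptions chosen to show the idea, with the article's "22 hours ago" case used as one of the inputs.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple

# Assumed policy: a login that completed a second factor within this window
# on a device the user has used before is treated as low risk and is not
# prompted again. The figure is a placeholder an organisation would tune.
RECENT_VERIFICATION_WINDOW = timedelta(hours=24)


@dataclass
class LoginAttempt:
    user: str
    device_id: str          # identifier the client presents (constructed value)
    timestamp: datetime     # time of this attempt, timezone-aware


@dataclass
class UserHistory:
    known_devices: Set[str] = field(default_factory=set)
    # Time of the last login that completed a second factor, if any.
    last_verified_login: Optional[datetime] = None


def requires_second_factor(attempt: LoginAttempt, history: UserHistory,
                           window: timedelta = RECENT_VERIFICATION_WINDOW) -> Tuple[bool, str]:
    """Decide whether to prompt for a second factor; returns (prompt?, reason)."""
    # A device the user has never verified from always gets the prompt.
    if attempt.device_id not in history.known_devices:
        return True, "unrecognised device"
    # No verified login on record means the user has not been through the
    # second factor yet, so there is nothing to rely on.
    if history.last_verified_login is None:
        return True, "no prior verified login"
    age = attempt.timestamp - history.last_verified_login
    # A verification that appears to be in the future points to clock skew or
    # tampering with the stored timestamp; fail closed and prompt.
    if age < timedelta(0):
        return True, "verification timestamp is in the future"
    if age <= window:
        return False, f"verified {age} ago on a known device"
    return True, "verification window expired"


def record_verified_login(history: UserHistory, attempt: LoginAttempt) -> None:
    """Call once the user has completed the second factor successfully."""
    history.known_devices.add(attempt.device_id)
    history.last_verified_login = attempt.timestamp


# Constructed sample data: one user, one phone already verified 22 hours
# before the attempt being evaluated (the case quoted in the article).
NOW = datetime(2013, 7, 15, 12, 0, tzinfo=timezone.utc)
HISTORY = UserHistory(known_devices={"phone-A"},
                      last_verified_login=NOW - timedelta(hours=22))


def decide_recent_known_device() -> Tuple[bool, str]:
    return requires_second_factor(LoginAttempt("alice", "phone-A", NOW), HISTORY)


def decide_stale_known_device() -> Tuple[bool, str]:
    stale = UserHistory(known_devices={"phone-A"},
                        last_verified_login=NOW - timedelta(days=3))
    return requires_second_factor(LoginAttempt("alice", "phone-A", NOW), stale)


def decide_new_device() -> Tuple[bool, str]:
    return requires_second_factor(LoginAttempt("alice", "tablet-B", NOW), HISTORY)


def decide_after_verifying_new_device() -> Tuple[bool, str]:
    # After the user passes the second factor on the tablet, the next attempt
    # from it inside the window is no longer prompted.
    h = UserHistory(known_devices={"phone-A"},
                    last_verified_login=NOW - timedelta(hours=22))
    record_verified_login(h, LoginAttempt("alice", "tablet-B", NOW))
    return requires_second_factor(
        LoginAttempt("alice", "tablet-B", NOW + timedelta(hours=1)), h)


if __name__ == "__main__":
    for name, fn in [("known device, 22h ago", decide_recent_known_device),
                     ("known device, 3 days ago", decide_stale_known_device),
                     ("new device", decide_new_device),
                     ("new device after verification", decide_after_verifying_new_device)]:
        prompt, reason = fn()
        print(f"{name}: {'prompt' if prompt else 'no prompt'} ({reason})")
```

The rule only reduces prompts on a path the user has already proven once; every unrecognised device and every expired window still gets the challenge, which is what keeps the convenience gain from becoming a bypass.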
As the former Yahoo! “Spam Czar,” Risher oversaw solutions for security for millions of users. In his current position, working with enterprise clients and service providers across the United States, he too sees phishing attacks, once the dominion of desktops, increasingly showing up on mobile devices.
“The small screen makes it easier to simulate a fake login page, where information is not scrutinized as much as a desktop,” he explained, adding that desktop users can hover over a link to see what the actual URL is before clicking on it. “That’s not possible on mobile.”
Data is Big
“Stop worrying about whether you’re going to be an Android house or an Apple house or a combination of the two, and start focusing on the corporate information,” Durbin concluded, simply.
The fundamental problem is not about multiplicity of devices but the shortage of security resources, he added. “It’s about prioritization and effectiveness. Focus on what information needs to be protected, then you can figure out how to allow employees to access that information.”
Most importantly, for some data, whether due to compliance factors or other legal issues, the security risk of access from mobile devices will never be acceptable.
So what’s the solution? First define the business requirement, and then figure out if it can be mobile, Durbin suggested.
One last piece of advice: methodically test those apps before they are deployed. Malware often goes undetected for months. Combine relatively insecure devices and poorly vetted apps, and enterprises might as well hold a party welcoming all cyber-thieves.
“It certainly provides an opportunity for the cybercriminal, whether to monitor, steal information or change data that exists on a corporate environment,” Durbin said. “And it’s not just about what they take out of the enterprise, but what they are able to change.”