Danger ahead: The mobile threat landscape

With more than 6 billion records lost in data breaches since 2013, according to the Gemalto Breach Level Index, it’s clear that security has to be a top priority for any business. And with the number of mobile devices expected to hit more than 6 billion by 2020, mobile has become a key target for hackers, and thus a key concern for the enterprise, especially as BYOD continues to grow.

The biggest mobile risks to the enterprise

The rising popularity of mobile and cloud technologies is driving massive changes in organisations. One area of concern is the rise in cloud-connected apps, both for personal use and in the workplace. While cloud-connected apps are a necessity for employee productivity, they pose a large security threat to organisations if not managed properly.

Employees may store corporate documents on personal Enterprise File Sync and Sharing (EFSS) apps, putting sensitive corporate data outside of IT's protection. Our report on the State of App Security revealed that five of the top ten consumer apps that are blacklisted by our customers are EFSS apps.

The challenge with devices and apps is that the user, and not the IT administrator, is generally in control, especially when it comes to BYOD. If devices are not managed correctly, employees can connect to potentially insecure services, and they are also likely to use their personal accounts to share corporate data.

Managing multiple mobile devices

Another area of concern for BYOD devices is the use of public Wi-Fi: rogue access points, or 'evil twin' networks, can be set up to steal unencrypted data that users unknowingly send through them. These 'Man-in-the-Middle' attacks have been around for over a decade. As long as employees travel and connect to public Wi-Fi networks, we'll have Man-in-the-Middle threats allowing interception of sensitive corporate data.

And then there are the mobile devices themselves. It’s straightforward for an IT department to keep laptops up to date, but when users have mobile devices that range from elderly Android devices running an out-of-date OS, rooted devices running custom ROMs and jailbroken iPhones, to the latest tablets that themselves might be up to date but which are home to any number of potentially risky apps, that’s a huge task for the security team to manage.

iOS devices dominate the enterprise, with 78 per cent of enterprise devices using iOS, according to MobileIron’s Q4 Security and Risk Review. However, devices that are jailbroken or compromised can pose a security threat to businesses as hackers turn their attention to this platform.

Hackers are always one step ahead of the game: the latest threat to iOS is 'sandjacking', where legitimate apps can be replaced with malicious ones without the user’s knowledge. This is compounded by the fact that Apple is notoriously slow to patch vulnerabilities and often leaves older devices unprotected.

Devices fall out of compliance for a variety of reasons: for example, the device may be running an old version of the operating system that IT no longer supports, or the user may install an app that IT has blacklisted. Our State of App Security report revealed that one in ten enterprises has at least one compromised device accessing enterprise data, and that more than 53 per cent of enterprises have at least one device that is not in compliance with corporate security policies.

Staying one step ahead of the game

So how can the IT team keep on top of the threat landscape? Forcing compliance is always tricky: for example, users often disable PINs because they’re a hassle – we found that 22 per cent of the businesses surveyed had users who had done just that.

Our advice is to be tough with employee mobile devices: enforce compliance and quarantine devices that are non-compliant, and enforce patching of BYOD devices so that they remain up to date. If IT administrators don't automate the quarantining of devices when they fall out of compliance, corporate data can be put at risk.

Unfortunately, for IT administrators, traditional approaches to IT security won’t work with next-generation mobile threats. Many enterprises are still trying to address the risks of cloud storage applications by blacklisting common cloud EFSS apps.

When it comes to the cloud, enterprises need to stop trying to play whack-a-mole against the ever-growing number of services and instead deploy solutions that provide a secure cloud service for employees, controlling the dissemination of enterprise data, rather than prohibiting certain tools or services. This will require a mind-set shift from one of restriction to one of enablement.

It’s also important that operating systems are kept up to date, and you can enforce this by taking it out of the users' hands. Patching is simpler with iOS, but becomes more complex with Android devices. However, there are solutions available that identify Android device risks by correlating known vulnerabilities against the Android operating system. These solutions can then notify the IT team when a vulnerable device has been detected so the device can be quarantined.

We also recommend monitoring solutions that detect risks from malicious apps and confine devices until the threat is mitigated, either by the user or the IT security team.
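The automated quarantine decision described above can be sketched as a small policy check. This is an added example, not code from MobileIron or any product the article mentions; the policy values, app identifier, advisory IDs and device inventory are all constructed placeholders.

```python
from dataclasses import dataclass, field

# Constructed policy values (assumptions, not taken from the article).
MIN_OS = {"ios": (9, 3, 0), "android": (6, 0, 0)}
BLACKLISTED_APPS = {"com.example.personal-efss"}
# Placeholder advisory IDs mapped to the first fixed Android version.
ANDROID_ADVISORIES = {"ADVISORY-PLACEHOLDER-1": (5, 1, 0),
                      "ADVISORY-PLACEHOLDER-2": (6, 0, 1)}

@dataclass
class Device:
    owner: str
    platform: str
    os_version: str
    compromised: bool = False  # jailbroken or rooted
    pin_enabled: bool = True
    apps: set = field(default_factory=set)

def parse_version(text):
    """'6.0' -> (6, 0, 0): numeric, zero-padded, so '10.1' sorts above '9.3'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def violations(device):
    """Return every reason the device is out of compliance (empty if none)."""
    reasons, version = [], parse_version(device.os_version)
    if device.compromised:
        reasons.append("compromised")
    if not device.pin_enabled:
        reasons.append("PIN disabled")
    # An unknown platform has no supported minimum, so it fails closed.
    if version < MIN_OS.get(device.platform, (999, 0, 0)):
        reasons.append("OS below supported minimum")
    reasons += [f"blacklisted app: {a}" for a in sorted(device.apps & BLACKLISTED_APPS)]
    if device.platform == "android":
        reasons += [f"unpatched: {adv}" for adv, fixed in
                    sorted(ANDROID_ADVISORIES.items()) if version < fixed]
    return reasons

def quarantine_report(devices):
    """Owner -> reasons, for devices that must be quarantined."""
    return {d.owner: r for d in devices if (r := violations(d))}

# Constructed inventory for illustration.
SAMPLE = [
    Device("alice", "ios", "9.3.2"),
    Device("bob", "android", "4.4.4", pin_enabled=False, apps={"com.example.personal-efss"}),
    Device("carol", "ios", "9.3", compromised=True),
    Device("dave", "android", "6.0"),
]
```

Calling `quarantine_report(SAMPLE)` leaves the compliant device out and lists, per owner, every rule that failed, so the notification sent to the user or IT team can say exactly what must be fixed before the device is released.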

The threat landscape is constantly changing, but with a smart new approach to risk management and security solutions, you can fight back – and win the battle of mobile security.

Sean Ginevan, Senior Director of Strategy, MobileIron
