Mobile technology advancements continue apace, from faster and more powerful devices to apps that are changing business models overnight. What isn’t changing quickly enough, however, is the means to protect these devices and apps from hackers and other malicious actors. Research shows the gap between concerns and action.
A 2016 survey of 1000 IT executives globally, conducted by Vanson Bourne on behalf of Blackberry, found that the overwhelming majority of executives are worried about risks from mobile computing, with half saying they expect to experience more security breaches through those mobile devices. Yet less than 50 per cent of respondents have a mobile device management strategy in place.
A 2015 survey by Ponemon Institute found that 40 per cent of the 400 organisations studied aren’t scanning the code in their apps for security vulnerabilities and roughly 50 per cent do not devote any budget to mobile security. Given the dominance of mobile apps and devices in the workplace today, these findings are troubling. Mobile malware costs organisations $16.3 million per year, or $9,485 per infected device, and 67 per cent of enterprises have already experienced a mobile data breach, according to a 2016 Ponemon Institute survey conducted for Lookout.
There are likely many reasons behind these gaps in mobile protection —a lack of awareness about mobile security risks, employee backlash on locking down of mobile devices and a lack of expertise, among others factors. Still, the glaring fact remains: many organisations are not adequately prepared to protect corporate networks and data from mobile hackers.
Here are some of the top security risks today related to mobile apps and devices, with some ideas on how to mitigate those risks no matter the size of your organisation.
Over a six-month period in 2015, McAfee scanned the major app stores for security risks, uncovering 37 million pieces of malware. The security firm also reports a dramatic increase in not only the number of new malware, but the sophistication and complexity of mobile malware. As users spend more time on mobile devices, this is where hackers are going and they are succeeding with relative ease.
Companies need solutions to detect malware on employee devices and take action once a risk is discovered. Application Replication Services technology help on the detection side, while mobile management software can quarantine a device and/or or send an alert to IT.
2. OS Compliance
Most Android users are not on the latest versions of the operating system, due partly to the fact that carriers control the updates and they aren’t always delivered in a timely fashion. Compare that scenario to Apple, which pushes updates directly to its customers. Data shows 90 per cent of Apple devices are running the latest version of iOS.
A mobile phone using an older OS brings security risks due to out-of-date security protections, giving hackers access to your corporate network through a mobile app. Mobile management suites, such as Microsoft EMS, can be configured with policies preventing older OS devices from connecting to your network, thereby mitigating corporate risk.
3. Jailbreak detection
Jailbroken devices introduce security risks into the enterprise. To combat this common problem, companies can use a mobile management and security system to alert the IT department when a phone has been jailbroken. From there, IT can take action with that user (including quarantining devices) to prevent further damage.
4. Preventing data leaks
Data leak prevention (DLP) technology blocks employees from sending confidential information to unauthorised users inside or outside the company. Unauthorised sharing happens frequently on email, through attachments. You can also set up rules so that only authorised users can download a sensitive document from a corporate file share.
DLP also prevents copying and pasting information from one place to another. Typically, DLP technologies are embedded within enterprise security software suites.
5. Cloud apps
IT executives no longer view the public cloud as a higher security risk across the board compared with internal infrastructure. Mature platforms such as Microsoft Azure have gone to great lengths to bake security into every level of its infrastructure. For many companies, moving to the cloud is a more secure strategy than running software in-house. Yet not every security risk is covered by the major cloud providers.
It’s always a good idea to work with a security expert who can assess your systems, determine which ones are cloud-ready or not, and make any appropriate fixes. For instance, an older version of a common enterprise software system may not have adequate security to run in the cloud. In that case, you would need to upgrade or customise the software before migration.
6. Advanced Persistent Threats
APTs are sneaky backdoor methods to access corporate systems, used in the widely publicised attack on Sony, RSA and others. APT attacks work when a hacker gains access to an internal system with a low security profile – an infrequently accessed server or application below the radar. From there, hackers collect data and build intelligence over time on corporate security policies, allowing them to conduct a much more damaging breach later.
Threat analytics software, common in Microsoft EMS and other enterprise security systems, can help companies identify hidden threats on the network, such as protocol vulnerability. This allows IT to identify problems before cyber-criminals can gain entry.
7. Single Sign-On (SSO)
Companies use SSO technologies to simplify the login procedures for employees needing access to multiple applications and websites – which includes many workers these days. With companies running more apps in the cloud, SSO needs to extend outside of company walls. As well, many apps running in the cloud require multi-factor authentication for increased security protection. Look for SSO technologies such as Active Directory that meet both of these requirements.
Mobile security risks are growing by the day, and it’s time for companies to give these threats the proper attention. That means investing in people, processes and technology to monitor and manage mobile devices, enforce password control using SSO, control user access through mobile identity management, encrypt sensitive applications and data running on phones and tablets, analyse apps and code for security gaps, identify and thwart malicious code and attackers, and prevent sensitive data leaks.
There are a lot of moving parts in the mobile security landscape; choosing vendors that can provide comprehensive and highly integrated solutions will make the life of IT managers easier while bringing the best possible protection to a company’s precious data assets.
Bharath Shashikumar is Senior Director of Product Management at NetEnrich
Image source: Shutterstock/wk1003mike