Webroot has released an extensive research study into the threat that mobile working poses to business data. In this video George Anderson, Senior Product Marketing Manager at Webroot talks us through the conclusions from the research and offers advice for businesses with remote users.
Webroot have launched a brand new study at Infosecurity Europe 2013 tell us more?
We have been doing lots of research with our customers both around web and mobile and one of the interesting things we wanted to look at especially with some of our remote users on the web have pointed to the fact that people were exposed to getting more breaks and security compromises with remote users so we wanted to find out if the same applied with mobile and in fact we found it precisely the same with mobile that if you got lots of mobile users your chances of getting breached and affected was a lot lot higher than some people with less in particular if it gets over 25% of your staff.
So from the results of your study what have you identified as the main resource drains and associated risks?
I think one of the main things that came out, as the strongest of all was that 90% of the people we surveyed said that they had a challenge in managing the devices in the first place. So I think the main risk in some ways is just getting people to have the tools to actually manage the devices in the first place. There are lots of ways of doing it. People think of using mobile device management if you like, but that is even on another level. I think that if you just think basically about securing your device in the first place, stopping malware getting on there, protecting the assets in case it gets lost or stolen so you don't have to wipe it and do things like that. That is sufficient enough to get you started and that is quite an easy thing to do but people don't realise that it is that easy they think they have got to do something really large and complex but in fact it is quite straight forward.
Are there any surprises from the study?
I think the surprise is the fact that people found out that management was so complex that they were so worried about the challenge of that. Obviously I think people are still worried about personal data versus corporate data and of separating the two but I think that again that is the next level thing and people need to think about just securing the device. I think people were just overawed by the thing I think it was too much and I think people have over complicated what's required. It's just another endpoint, just like another laptop or your desktop PC.
What should businesses consider regarding security in the light of results from the Webroot study?
Do something, because in the end we can all be a bit apathetic about this but I think you need to do something on a number of levels, I think you have got to decide if it a personally owned device, if it is going to access corporate assets and have access to those sort of things you then want to be able to secure that device and have security running on that device. You have got to have a policy that actually says that that happens. It is not a question of oh yes this guy has got a new android phone and I am still connected to the network you have got to take some responsibility about security, it's not complex. You just need to have a policy in place stating what you want to happen on those devices and you want to make sure that they are secured and you want to have some way of enforcing that as well and managing it from a central point of view.
Well it stood out to me that web borne attacks were becoming more severe in companies with mobile users and the majority of companies now have mobile users so surely this defence is something everyone needs to be considering?
It is essential and the web is the part of that. It's people going to fishing sites and we have just launched an anti fishing site and we would have done earlier because we actually showed that on the web 50% of the breaches, but not in this survey but 55% of actual breaches were caused by the web and that's how they are getting infected. That was through fishing. So fishing attacks are really high up so things that protect your web portal when you are using the browser and stopping fishing attacks are very key too. It's all part of being able to protect those npoints adequately and having areas in place to do that.
Have businesses been quick enough to react?
I don't know if I blame businesses or if I blame my own industry here to be frank. I think the take off of smart devices full stop happened at such a phenomenal pace, when you think 2 years ago it was probably back at apple 1 then and now you look at a market where smart phones dominate, you have androids roaring away at a phenomenal rate almost taking a 50% share, apple still going very very strong too although in a slightly different environment. Things have happened so fast that security things have actually reacted quite slowly to these devices. They tended to come in also with senior executives so they bought their tablets in and said I want my tablet to connect to this network so I can work on this device too. Because they were high up and senior people they said okay we can do that. It kind of bypassed the normal controls so I think that happened on one level and I think the security industry itself was slow to see that this convergence was going to happen so we were slow to get technology in place too. So those two things together almost created a perfect storm for a while. I think now that most people have woken up the fact and started doing things about it. In fact, the survey again did show that people were putting things in place. There were very few people saying they were doing nothing and most of them were doing something this year or last year or putting into the following year's budget so it was very current.
Taking into account the rapid pace of change and looking at some of the trends from your report, can you make any predictions for the future on how the threats are going to develop?
Predictions are that it can only get worse, android attacks are rising in the last 1 to 2 years and that will continue to grow and as more and more data starts to exist on those devices the cyber criminals are finding more and more ways of making money from them whether it is stealing the data from them or whether it is to make them phone special numbers or whatever the attack and angle happens to be. So the prediction therefore is that it can only get worse so you are better to do something now about it. I think technically the products have matured rather rapidly as well so there are lots of good solutions out there so go and start protecting now. I think if you are in government or financial institutions or pharmaceutical industry and related industry you will probably need to go past the security level and got onto mobile device management because then there is more of a compliance and regulatory thing and that you have to do that as well. I think for small businesses that is not necessary just secure policies and managing it will be enough.