The early 2000s was a unique time in the history of computer security. From 2000-2003, there was a proliferation of malicious code unlike any other period in the history of computers. With names like Slammer, Blaster, Code Red, and Nimda, nearly every month saw an outbreak of malicious code on computers in every enterprise. Estimates at the time placed malware infection rates at about 100 in 1,000 of devices every month.
The entire industry learned its lesson. That period spawned the creation of a large portion of the current cybersecurity industry, and caused a change in strategy for many large firms, most notably Microsoft. We swore we wouldn’t let it happen again, and we didn’t. Enterprise malware infection rates are in the fractions of a percentage point per year.
On PCs, anyway.
In the mobile world, we have created the same type of ecosystem, where malicious code is proliferating wildly. At Lookout’s enterprise customers, we’re seeing nearly 30 in 1,000 mobile devices encounter threats.
The cybersecurity landscape is changing
The main reason that it’s only 30 and not 100 isn’t because the industry is doing a great job of securing mobile devices: it’s because the mobile ecosystem is just becoming a key driver of business and many cybercriminals are still focused on PCs. It is similar to 1997-1999, when the main cybersecurity threat that most businesses worried about was an employee downloading infected shareware from a download site, because the business wasn’t completely 'digitally enabled' yet.
With the proliferation of 'professional class' mobile devices like the iPad Pro, more and more business will be using a mobile platform rather than the traditional PC, drawing the cybercriminals’ attentions to mobile devices. We already see indications of increased experimentation and sophistication with mobile threats, such as NotCompatible, Shuanet, and XcodeGhost.
Today, enterprise employees mostly have mobile access only to email and a few business-related apps, like CRM or expenses. But with enterprise app development exploding, workers will soon be using mobile devices to consume, create, and share just as much, if not more, enterprise data, than they do on their laptops or desktops.
And enterprises, only a small number of which have begun to focus on actually protecting, not just managing, their fleets of corporate-owned and BYO mobile devices, will likely be caught flat-footed.
Is your enterprise truly secure on mobile?
Talking to enterprise chief security executives, one hears the same kind of complacency that we heard in the 90s. 'We don’t have a mobile security problem,' the head of a large financial services company’s security programme told me recently.
Unfortunately, that’s the main problem with cybersecurity: the threat environment evolves incredibly quickly. We didn’t have a security 'problem' in 1999. By 2001, we had seen millions of computers infected across the Internet and businesses were disabled on a monthly basis having to cleanup malware infections. Those enterprises that weren’t moving on building an effective security programme in 1999 and 2000 spent a significant amount more on cleanup than those who did.
And that was a time when businesses weren’t nearly as reliant on their computing assets as we are now. Which is why we have invested so much to protect our PCs. Almost no company would consider not installing security software like antivirus on their enterprise PCs.
And yet, only the most forward-thinking organisations are installing security software on their mobile devices. Many install enterprise mobility management (EMM) software, but that’s not the same. We see mobile malware already that is circumventing EMM software by being 'sideloaded' after a user visits a malicious website or clicks on a link in a phishing email on their mobile phone. Indeed, we don’t see any decrease in mobile threat encounter rates on devices with EMM installed.
Only the few who are preparing now will be ready as their mobile programmes expand. IDC predicts that 'IT spending on mobility-related products, projects, and initiatives will grow from 25 percent of IT budgets in 2015 to 40 percent of large (>1,000 employees) enterprise IT budgets in 2018.' But their security programmes largely aren’t keeping up.
As businesses rely more on mobile, it’s clear that we’re ripe to get Slammed or Blasted again.
Mike Murray, VP Security Research at Lookout