The Spy Who Robbed Me
Mobile devices have taken the workplace by storm, but the proliferation of these devices has created a new set of security challenges.
After a number of high-profile data breaches and “hacktivist” incidents last year, many companies have focused on protecting their corporate networks. But attacks on mobile devices have been quietly accelerating during the past year as cyber criminals have begun to turn their attention to mobile technology.
Smartphones and tablets hold a trove of information, storing not only phone numbers and email addresses, but meeting dates, documents and text messages. That information is valuable in its own right, but it also can be used to give criminals even more leverage in their efforts to break into corporate networks. Mobile devices also can be turned into high-tech spying devices, sending confidential photos and recordings back to hacker-controlled websites.
Security measures, meanwhile, often are inadequate.
As the risk to mobile technology grows, businesses need strong defenses to keep the devices and their corporate networks secure.
The Mobile Explosion
One of the biggest technology trends of the past few years has been a transition away from traditional desktops and laptops to mobile technology. Sales of smartphones, for instance, came in ahead of sales of personal computers in 2011 and will be nearly twice the PC sales this year, according to a “Business Insider Intelligence” report.
As more people buy mobile devices like smartphones and tablets for personal use, they want to use that same device at work. Companies have responded with “bring your own device” (BYOD) policies. This has led many companies to open corporate networks and data to consumer mobile technology.
A Dimensional Research global survey of IT professionals sponsored by Check Point found that 65 percent of 768 IT pros polled allowed personal devices to connect to corporate networks, and 78 percent said there are more than twice as many personal devices connecting to corporate networks now than there were two years ago.
This puts corporate data at risk. In the survey, 47 percent of IT professionals said customer data was stored on mobile devices, and 71 percent said mobile devices have contributed to increased security incidents.
Generational shifts in the workplace mean that younger workers often expect to be able to use their own mobile device on the job.
A global survey by network security company Fortinet in May and June asked more than 3,000 employees in their 20s about their attitudes about BYOD policies and found that slightly more than half view it as their “right” to use their own mobile devices as work, rather than it being just a “privilege.” One-in-three said they would gladly break any anti-BYOD rules and contravene a company’s security policy that forbids them to use their personal devices at work or for work purposes.
Before companies began allowing employees to use their own devices, the corporate market often gave preference to BlackBerrys because of their enterprise-level security features. In the consumer market, however, BlackBerrys have lost ground to Android smartphones, iPhones and iPads.
Android commanded 59 percent of the worldwide smartphone operating system market share in the first three months of 2012, according to IDC. The iOS platform used by the iPhone had 23 percent of the market, while BlackBerry had only 6.4 percent.
In its survey of IT professionals, Dimensional Research found that Apple’s iOS was the most common platform used, with Google’s Android-based platform coming in third, behind Research in Motion’s BlackBerry.
As mobile devices have proliferated, hackers have begun to increase their attacks.
In its “2011 Mobile Threats Report,” Juniper Networks found that mobile malware attacks reached record levels in 2011 — especially attacks focused on the Android platform.
The Juniper Networks Mobile Threat Center identified a 155 percent increase in mobile malware across all mobile device platforms from 2010 to 2011. In the last seven months of 2011, malware targeting the Android platform jumped 3,325 percent.
Other security firms have also reported a sharp increase in mobile malware.
Security and anti-spam firm McAfee said it collected about 8,000 mobile malware samples in the first quarter of 2012, most of them targeted at the Android platform. Threats that saw major increases included mobile backdoor malware and the popular premium-rate sending malware.
In one recent example, Google’s Android platform was the target of a new variant of a widely used malware capable of stealing personal information, according to a CSO report. The latest Zeus malware masquerades as a premium security app to lure people into downloading the Trojan, according to Kaspersky Lab. The malware steals incoming text messages and sends them to command-and-control servers operated by the attackers.
Meanwhile, consumers and enterprises are also susceptible to a much more mundane risk — the risk of lost or stolen mobile devices. In 2011, Juniper Networks said nearly one-in-five users of its Junos Pulse Mobile Security Suite required a locate command to identify the whereabouts of a mobile device.
Whether they are lost or stolen, or come under attack from malware, mobile devices represent a growing security risk for businesses. Yet many businesses do not have adequate security policies and practices in place.
Managing the Risk
To protect mobile devices from malware and spyware, businesses should have a comprehensive network security and privacy policy that specifically addresses threats from mobile devices.
Companies also should have a chief information officer who oversees the security policy and ensures its implementation throughout the organization.
When it comes to the devices themselves, businesses should take the following steps:
Encrypt Data. One way to protect smartphone data is with encryption. Most Android phones, however, do not have data encryption built into the hardware, which means users will have to rely on third-party applications. BlackBerrys, on the other hand, are known for their encryption capabilities.
Improve Password Strength. Many people do not bother to use a password to protect their devices, or they use one that is too weak. Syrian President Bashar al-Assad made news earlier this year when his personal email account was hacked. His password was one of the most commonly-used: 12345. The string of consecutive numbers is the second-weakest password, according to password management application provider SplashData. “Password” ranked first on SplashData’s list of worst Internet passwords. To improve security, passwords should use a combination of letters, numbers and other characters.
Use Remote Wipe Capabilities. If a device is lost or stolen, businesses need to be able to wipe the contents of the device clean. All major smartphones have some kind of remote erase capability.
Use Network Intrusion Software. It can help businesses identify unauthorized intrusions. Mangers should check logs regularly for unusual activities.
Insurance Solutions
While security measures can reduce the risk of a loss, insurance can help to defray the cost of a data breach or intrusion arising from mobile devices, and a company’s internal network.
Insurance companies offer third-party liability coverage for lawsuits that arise as a result of a data breach or network intrusion. Coverage also is available for first-party expenses, such as privacy notification expenses, the cost to change account numbers, crisis management and public relations expenses, as well as losses from business interruption.
When looking for a cyber insurance policy, look for an insurer that has expertise in handling such risks. Policies vary by insurer, and insurers also offer a range of services to assist businesses in managing cyber risks.
Some insurers, for instance, have panels of legal counsel that can offer guidance in case of a cyber attack. Loss control endorsements that cover preventive measures also are available under some cyber risk policies.
As always, work with a financially strong insurer that has strong claims servicing.
As companies open their corporate networks to consumer mobile devices, they face a risk that the devices might be compromised and be used to gain access to the corporate network.
Mobile devices operating on the Android platform are particularly vulnerable. A comprehensive security policy that includes mobile devices and by taking other steps to protect the devices from malware and to wipe them clean if they are lost, businesses can reduce the risk of a loss.