Over the last five years, mobile devices have become the predominant platform that organisations use to do business. However, the rise of mobile has meant that organisations can no longer rely on security through obscurity. In fact, the industry has seen a rise in security threats specifically targeted at mobile.
Whether security threats are capitalised on by haphazard users, insider threats, or even cybercriminals, the fact is that enterprises are at risk if they provide mobile data access without a well-considered security plan in place. Without a proper plan, business may be disrupted and, worse still, valuable data could be exposed.
Below are the top five risks that are posed to mobile devices and the ways to address them.
1. Device vulnerabilities
Most vulnerabilities found on mobile devices have tended to affect the Android operating system, but that balance is changing. For example, the National Vulnerability Database reported that in 2015 there were 375 Apple iOS vulnerabilities.
This may be due to patching not being up-to-date, as updates aren’t always scheduled by enterprises for mobile devices as they are for desktop PCs.
Other vulnerabilities lie in the jailbreaking of devices and the use of custom ROMs on phones instead of the factory-supplied operating systems.
2. Malware and risky apps
While Android has traditionally been seen as the harbinger of mobile malware, last year saw a rise in malware specifically targeting Apple devices. More worryingly, newer iOS malware no longer relies on the device being jailbroken.
For example, XcodeGhost exploited compromised versions of Apple’s Xcode SDK, which is used by developers to create iOS apps, and circumvented Apple’s App Store security review processes. This allowed users to unknowingly download malicious apps from Apple’s curated App Store.
3. User data leakage
Mobile devices, like their desktop counterparts, make it easy for users to copy and paste sensitive information or even take screenshots of important and confidential data.
There is also the problem of data leakage when the developer of an app unintentionally places sensitive information in a location on the mobile device that is easily accessible by other apps on that device. These types of problems stem from the mobile device’s operating system. A hacker can write a small piece of code to access the information stored in these areas.
4. Unauthorised applications on the cloud
While an enterprise may authorise a cloud service such as Salesforce or Box for their employees, there are many applications that leverage these cloud services that enterprise IT may not approve.
The challenge is that the behaviour of these applications is unknown – in some cases apps accessing a cloud platform can potentially synchronise thousands of records to a mobile device without IT’s approval.
Without the proper compensating controls, corporate data provided to these mobile apps can be at significant risk of accidental loss or explicit theft.
5. Unprotected networks
Networks outside of the enterprise’s control can pose threats to data-in-motion when users travel and connect to open Wi-Fi networks.
Open Wi-Fi networks leave data to travel in the clear. A hacker may well be able to eavesdrop on data going to and from your mobile device if you don’t use encryption. Also, there is a lack of verification that a hotspot is genuine.
Rogue access points are one of the most common mobile Wi-Fi threats and are used to commit data theft. These can be set up by either an employee or an intruder; either way, the access point is not sanctioned by an administrator.
Either can lead to a Man-in-the-Middle attack, where hackers insert themselves into a communication between two parties, impersonating both in order to gain access to information.
Managing and securing mobile devices
We have outlined the five big risks posed by mobile device use, but how should enterprises protect themselves against these issues? With enterprise mobility management (EMM) in place, enterprises should be able to deal with these issues by following these recommendations:
Enforce compliance – organisations should enforce security policies and quarantine devices that fall out of compliance, as a minimum.
Don’t blacklist cloud services – Users can gain significant productivity from data access. IT needs to ensure that only managed applications from managed devices, where data is within IT’s control, can access enterprise data – whether on premises or in the cloud.
Integrate App Reputation or Mobile Threat Prevention – These allow organisations to detect malware, app risks, network attacks, and more, while quarantining devices.
Enforce patching – An enterprise should implement a minimum operating system version. While this is easy for iOS devices, Android is more fragmented. But with the right tools, enterprises can identify Android device risks by correlating known vulnerabilities against the Android operating system. Once the vulnerable device is identified it can then be quarantined.
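The compliance and patching recommendations above can be expressed as a single policy check. The following is an added example, not code from the article or from any EMM product; the device records, version floors and advisory identifiers are all constructed for illustration.

```python
from dataclasses import dataclass

def parse_version(text):
    """Turn '9.3' into (9, 3, 0) so versions compare numerically, not as strings."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

@dataclass
class Device:
    name: str
    platform: str    # "ios" or "android"
    os_version: str
    rooted: bool     # jailbroken or custom ROM, as reported by the management agent

# Hypothetical policy: minimum OS version per platform.
MIN_OS = {"ios": "9.3", "android": "6.0"}

# Constructed advisories: (id, platform, first affected version, first fixed version).
ADVISORIES = [
    ("EXAMPLE-0001", "android", "5.0", "6.0.1"),
    ("EXAMPLE-0002", "ios", "9.0", "9.3.2"),
]

def evaluate(device):
    """Return (action, reasons); any failed check quarantines the device."""
    reasons = []
    version = parse_version(device.os_version)
    floor = MIN_OS.get(device.platform)
    if floor is None:
        reasons.append("unknown platform")
    elif version < parse_version(floor):
        reasons.append(f"OS {device.os_version} below minimum {floor}")
    if device.rooted:
        reasons.append("jailbroken or custom ROM")
    for adv_id, platform, affected, fixed in ADVISORIES:
        in_range = parse_version(affected) <= version < parse_version(fixed)
        if platform == device.platform and in_range:
            reasons.append(f"affected by {adv_id}")
    return ("quarantine" if reasons else "allow", reasons)

# Constructed fleet inventory.
FLEET = [
    Device("phone-a", "ios", "9.3.2", False),
    Device("phone-b", "android", "6.0", False),
    Device("phone-c", "android", "5.1.1", True),
]

if __name__ == "__main__":
    for d in FLEET:
        print(d.name, *evaluate(d))
```

Note that phone-b meets the minimum OS version yet is still quarantined, because the floor alone does not cover every advisory; this is why the version check and the vulnerability correlation are separate steps.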
Sean Ginevan is Senior Director, Strategy at MobileIron