Companies have always been under attack from hackers, but more recently, organisations have been dealing with the security implications of the arrival of mobile devices in the workforce.
This has added a range of new threat possibilities which companies do not necessarily have control over, as well as some threats from the age of the PC that have been updated for a new form factor.
CBR looks at some of the big mobile threats to businesses and the solutions that are available.
1. Malware
According to a report by AppRiver, the levels of spam and malware email traffic recorded during Q1 2016 have already surpassed the total levels documented during the whole of 2015. This totalled 2.3 billion malicious email messages, with 1.7 billion in March.
On the rise is ransomware, a malware which encrypts all information on a device and will not unlock it unless a certain sum is paid.
Solution: With malware, prevention is better than cure, because often it is not possible to get rid of it once downloaded to the device.
There are many antivirus and firewall products on the market which can help to protect the whole enterprise network including the mobile devices.
However, in a more basic sense, policy and education can do a lot to stop malware. Knowing how to spot a well-tailored phishing attack and avoiding clicking on dangerous links in emails can stop the antivirus solutions from ever having to be used.
As for ransomware, it is important to regularly back up all data on a device to ensure that if it does get encrypted, the device can be reset without loss of data.
2. Networks
Due to the costs of data, especially when abroad, it can be tempting for mobile device owners to seek out the nearest wi-fi network as a matter of priority.
This mentality ignores the extensive dangers presented by fake and unsecured wi-fi hotspots, which can be deployed by hackers in public spaces to try and capture information from unsuspecting mobile device users.
A fake wi-fi hotspot might masquerade as the local network in a public space. An unlocked wi-fi hotspot might simply be a home or work wi-fi that doesn’t require a password. Hackers can access these to get at the information.
Solution: Check the authenticity of the network that you are connecting to. According to a blog by Bill Supernor, CTO at Koolspan, checking the URL to see if you are connected to an HTTPS website then the information is secure.
3. Physical loss
Many major UK government ministers have got in trouble for leaving confidential plans on trains or in public. The traditional mistake was to leave actual physical documents, although USBs are becoming an increasing threat.
However, losing mobile devices should now be considered as part of any robust security plan, since if a corporate device is not properly secured it could provide an easy route into an enterprise’s documents.
Solution: From an individual device owner’s perspective, basic protections such as having password protection can deter an unsophisticated hacker.
If the IT department has control over or access to the device, as will likely be the case if they have issued the device specifically for an employee to do work on, there are additional options.
Many mobile device management solutions provide protocols for wiping information from the device if it is lost. Depending on the sophistication of the policies in place, this may simply be a crude factory reset of the device, or a segmented deletion.
Google Apps for example offers this capability, as long as the right policy is configured, as does IBM Maas360. However, this must be deployed before the device is lost to be of any use.
4. Rogue apps
Most people will only use the main app stores to download their applications. For iOS users in particular, Apple carefully vets the App Store to prevent malicious apps from being uploaded. The Play Store for Android provides some security as well against rogue applications, although not as much as the App Store.
However, both Android and iOS devices can download applications that have not been vetted at all if they are rooted (Android) or jailbroken (iOS). Unfortunately, since the decision to root or jailbreak a device is out of the hands of IT, this can pose a major threat.
The apps downloaded from third party stores may be malicious but disguised as harmless consumer applications.
Solution: Many mobile device management solutions have built-in root detection, which can identify and, if necessary, automatically wipe information from devices if they are found to be non-compliant.
However, it is good security policy both in a consumer and a business context to avoid rooting or jailbreaking the devices. If employees need to use their devices to handle corporate data, the policy against doing so should be firm. Issuing corporate owned devices to employees will keep this control in the hands of the employer.
If employees have brought in their own devices, containerisation or enterprise app stores could be a good solution to this problem. Having all corporate data and applications segmented within a container on the device means that another layer of authentication can be built around it beyond the security offered on the device.
Within the container, the company can deploy an enterprise app store which only hosts corporate-vetted and approved apps.
System containers can virtualise an entire system running on the device, while application containers segment only a single application or service.
5. Vulnerabilities
The discovery of StageFright last year was something of a watershed in Android security. The vulnerability in the Android source code could have been used by attackers to expose information by sending a simple command.
Many of these vulnerabilities exist, particularly in Android, and it can take some time for vendors to patch them. While Apple has complete control over the iOS update ecosystem, the same is not true of Android.
The update mechanism of Android is flawed from a security perspective because it is not Google that manages the security updates, it is mobile operators.
With StageFright, Google quickly issued a patch but now each of the mobile operators has to push that patch to its customers.
Solution: A strong update policy is a must-have. Patches are issued regularly to devices by vendors when they find weaknesses in the source code.
One solution is to invest in a "corporate-owned, personally enabled" model, issuing devices to the workforce and retaining control over updates centrally within the organisation.
Otherwise, telling employees to update their devices regularly if dealing with corporate data can be helpful.
There are positive signs that Android vendors are taking more ownership and control over updates as well. After StageFright was revealed, Samsung Electronics and Google both announced that they would provide monthly security updates to their devices to tackle security vulnerabilities as and when they arise.
