Maintaining Security for a Mobile World Part 1:
The new tech-savvy generation currently live an extremely connected life and vulnerable to security threats and thus have introduced new approaches to work including mobile and email which have become an integral part of everyday work. Mobile computing and the ability to access email and business documents ‘anytime anywhere’ is now essential for all business. This 24/7 BYOD (Bring Your Own Device) workplace trend is not going to change because it increases employee productivity and gives businesses a competitive edge. According to a report published by IDC, the U.S. mobile workforce will surpass 105 million by 2020, which is about 72.3% of the U.S. workforce. According to Citrix research, companies urgently need to make provisions for the ever increasing mobile workforce as the average employee uses over three or more mobile devices for work activities and nearly 61% of employees spend some time working outside the office. With employees, vendors, and partners file sharing and collaborating on multiple mobile devices, ensuring the security and confidentiality of company data has become a nightmare.
The diversified way of working and proliferation of mobile devices and cloud services has made secure backup, quick recovery, sharing of data, and an effective breach response more difficult. Security analysts have predicted that by 2018 nearly 25% of corporate data will completely evade perimeter security and move directly from mobile devices to the cloud. The reputational damage from a data breach for a business can be massive, especially if the public perceive it as a preventable data breach. Companies find it hard to repair their reputation, recover their sales or even attract new customers. In this article we help you identify areas of security risk associated with diverse mobile devices.
Security Risks Of Mobility
According to Gartner, the focus of endpoint breeches will shift to tablets and smartphones by 2017. The ratio of attacks of mobile devices to desktop attacks is already 3 to 1. The major security threat and attack vectors for mobile devices can be categorized into five broad areas.
- Physical access
The portability and size of mobile devices make them ideal to carry around and it also makes them easy to steal or leave behind in airports, cafes or taxicabs. Theft or loss of smartphones is the biggest security risk for any business. Having physical access to a mobile device makes it easy for a criminal with malicious intent to circumvent the cleverest intrusion-detection system and also to access encrypted data. It is possible to recover data from mobile devices even when it has been manually deleted or undergone a full factory reset using forensic data retrieval software. Having some sort of password protection can limit the damage and cost of losing a phone so all staff should ensure that their mobile device has password protection and they should also have further passwords for access to important applications. Companies should also use remote control software to delete files or even disable the phone permanently in case of loss or theft.
Mobile malware Trojans are being designed to harvest passwords, steal sensitive data, and other important financial information over the mobile phone network or any connected Wi-Fi network. These are spread through bad links in SMS’s and by way of applications, where they are then free to spread to other devices. Mobile malware security threats are generally socially engineered to trick the user into clicking on malicious links with infected malware through email, on social networking sites, and rogue applications. Even mobile ads or ‘malvertising’ and suspicious downloads are increasingly being used as part of many attacks to spread viruses. There has also been an increase in browser-based attacks, distributed denial of service, and buffer overflow exploitations to gain control of the mobile device to access data.
- Infected Apps
Employees often download and use apps to help with business tasks but most of them often do not even meet minimum security requirements. Developers are concerned with the functionality of the applications but not the application security. Therefore cybercriminals find unsecured apps an easy attack vector to breach mobile devices and to access enterprise assets. Gartner found out that by 2017 nearly 75% of security breaches will be the result of mis-configured apps.
- Interception On Unsecured Networks
Smartphones are susceptible to Wi-Fi hacking and man-in-the-middle (MITM) attacks. Hackers can easily set up rogue Wi-Fi networks to trap people logging onto them to intercept, redirect, and even decrypt cellular data transmission. Weaknesses in Wi-Fi hot spot services and mobile data protocols are being used regularly to hijack users’ sessions for online services, including web-based email. Employees logging on to enterprise systems from these unsecured networks may be giving hackers access to the entire corporate database. Wi-Fi access should be used with caution by all staff. To avoid this potential risk enterprises could invest in unlimited data contracts for their staff so that they never have to use any open access points.
- Insider Security Threats
Company data is even at risk through employees and other malicious insiders. They can use mobile devices to misuse or misappropriate data by downloading sensitive corporate information to the device’s flash memory card, or by using email services to transmit data to external accounts and even by eluding data loss prevention (DLP) technologies. Anyone with criminal intent can also misuse personal cloud services through mobile applications to transfer enterprise data leading to data leaks that the enterprise may be totally unaware of.
Meeting the Mobility Challenge
Managing this increased risk from different security threat vectors, while empowering employees and respecting their privacy can be a daunting challenge. In the next blog article, we will share with you simple measures your organization can take to successfully secure your mobile workforce, protect your enterprise network and corporate data.