Top Risks of Enterprise Mobility
Employees aren’t just bringing their mobile devices to the workplace — they’re living on them. A 2015 study by Bank of America found that 55 percent of respondents sleep with their smartphones on their nightstands to avoid missing a call, text message or other update during the night. The devices are also the first thing on their minds in the morning: while 10 percent reported thinking of their significant other, 35 percent reserved their first thought of the day for their smartphone.
As smartphones and tablets become constant companions, attackers are using every avenue available to break into them. Many people assume an iPhone or Android device is secure out of the box, when in reality much of the protection depends on configuration that the user, or the organization's device management, has to apply: a strong passcode, automatic locking, encryption where it is not on by default, and prompt installation of updates. An attacker with physical proximity and inexpensive off-the-shelf equipment can compromise a poorly configured nearby device in less than 30 seconds and either mirror it and see everything on it, or install malware that siphons data from it at leisure.
The nature and types of cyber-attacks are evolving rapidly, and mobile devices have become a critical part of enterprise cyber-security efforts with good reason. Analysts predict that by 2018, 25 percent of corporate data will completely bypass perimeter security and flow directly from mobile devices to the cloud. Chief information security officers (CISOs) and other security executives are finding that the proliferation of mobile devices and cloud services presents a significant barrier to effective breach response. In order to secure the corporate data passing through or residing on mobile devices, it is imperative to fully understand the issues they present.
- Physical Access
Mobile devices are small, light and easily portable. The same qualities that make them ideal travel companions make them easy to steal or leave behind in airports, aircraft and taxis. As with traditional endpoints, physical access to a device is close to "game over": the cleverest intrusion-detection system and the best anti-virus software do nothing against an attacker holding the hardware. On a device with no passcode, a short numeric PIN, or an older platform without storage encryption, bypassing the lock and reading the storage is routine work for a seasoned attacker; on a current device with hardware-backed encryption tied to a strong passcode, the attacker's options narrow to brute-forcing the passcode, exploiting the platform, or going after the device's backups and cloud accounts instead. The data at stake includes not only corporate documents but also credentials cached on the device, for example in the iOS Keychain, which can grant access to corporate services such as email and the virtual private network (VPN). Deletion is also weaker than users assume. On an unencrypted device, a manual delete, a factory reset or a re-flash of the operating system leaves the underlying flash contents recoverable with forensic retrieval software that is sold to the general public. Only a reset that discards the storage encryption key (how current iOS and Android devices behave with encryption enabled) or a verified remote wipe should be counted as sanitization.
- Bad Passwords
It is likely that you already protect remote access with multi-factor authentication (by requiring a VPN with token authentication, for instance). This is a very smart idea, because time and again we have seen that people do not choose good passwords and that they re-use them across systems.
But have you thought about how your users access email on their mobile devices? If all they need is a password to reach email from anywhere, then so does an attacker who guesses that password. Why would an attacker bother with the VPN if he can guess a poor password to an email account and then, masquerading as that person, simply ask colleagues for the information he wants? Apply the same multi-factor or certificate-based requirement to mobile email that you apply to the VPN, enforce a strong password policy across the business, and teach employees how to pick a proper password.
- Malicious Code
Mobile malware is typically socially engineered and focuses on tricking the user into accepting what the attacker is offering. The most prolific vectors are spam, weaponized links on social networking sites and rogue applications. While mobile users are not yet subject to the same drive-by downloads that PC users face, mobile ads are increasingly used as part of attacks, a technique known as "malvertising." Android devices are the biggest targets, as they are widely used and it is easy both to develop software for them and to install applications from outside the official store. Data-stealing Trojans can operate over either the cellular network or any connected Wi-Fi network. They are often seeded via SMS (text message): once the user follows the link in the message, the Trojan arrives as an application install, and from there it can propagate, for example by texting the same link to everyone in the victim's contact list. Because such applications exfiltrate over the cellular network rather than the corporate Wi-Fi or VPN, their traffic never crosses the corporate perimeter and is invisible to the network monitoring an organization relies on, a gap that is difficult to close.
- Heterogeneous Environment
Unlike traditional endpoints, mobile devices represent a motley collection of hardware and operating systems, each with its own update cadence and management interface. To make matters worse, employees often use multiple devices, which may or may not be owned by the company. In fact, according to Forrester, 53 percent of information workers now use three or more devices for work, and 95 percent of organizations allow the use of employee-owned devices in some form. Crucial security measures for managing these challenges include applying consistent policies across mobile operating systems and separating personal and corporate data, so that corporate data can be wiped without touching the employee's own.
- Device Attacks
Attacks targeted at the device itself resemble the PC attacks of the past: browser-based attacks, buffer-overflow exploitation and similar techniques all apply. The short message service (SMS) and multimedia message service (MMS) offered on mobile devices afford additional avenues, since a crafted message can reach a parsing bug without the user opening anything. Device attacks are typically designed either to gain control of the device and access its data, or to deny service, whether to the device itself or by enlisting it in a botnet used for distributed denial of service (DDoS).
- Communication Interception
Wi-Fi-enabled smartphones are susceptible to the same attacks that affect other Wi-Fi-capable devices. The tooling for attacking wireless networks is readily available, and much of it is free online, making Wi-Fi eavesdropping and man-in-the-middle (MITM) attacks easy to perform, particularly on open hotspots where anyone can run a rogue access point. Cellular transmission is not immune either: the encryption of older protocols such as GSM can be broken, and a rogue base station can push a phone down to those weaker protocols. Attackers exploit these weaknesses in Wi-Fi and cellular links to eavesdrop on data in transit, or to hijack users' sessions with online services, including web-based email, whenever the application on the device fails to verify the server it is talking to. For companies whose workers use free Wi-Fi hot spots, the stakes are high. Losing a personal social networking login is inconvenient; an employee logging on to enterprise systems over a hostile hotspot may be handing an attacker the keys to an entire corporate database.
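What decides whether a hostile hotspot can read or hijack a session is the client on the device, not the network. The following is an added example written for this article, not code from the original page: it shows, in Python's standard `ssl` module, the weak client configuration that many apps ship to silence certificate errors beside a hardened one, plus a leaf-certificate pin check. The pinned hash value and the `connect_pinned` endpoint are placeholders assumed for the example; a real client computes the pin from the certificate it deploys.

```python
import hashlib
import hmac
import socket
import ssl
from urllib.parse import urlparse

# Constructed placeholder: the SHA-256 of the DER-encoded leaf certificate this
# client expects. A real client computes the value from the deployed certificate
# at build time and ships a backup pin for the next certificate.
PINNED_CERT_SHA256 = hashlib.sha256(b"constructed-placeholder-cert-der").hexdigest()


def insecure_context() -> ssl.SSLContext:
    """The weak setting. Apps ship this to 'make the certificate error go away';
    it accepts any certificate, so a hotspot MITM looks identical to the real server."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The corrected setting: chain verification against the system roots,
    hostname matching, and no TLS below 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """Guard a client can run at start-up to refuse a misconfigured context."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def endpoint_allowed(url: str) -> bool:
    """Corporate endpoints must be https:// with a host; anything else is refused."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.hostname)


def cert_matches_pin(cert_der: bytes, pinned_hex: str = PINNED_CERT_SHA256) -> bool:
    """Compare the presented certificate's hash with the pin in constant time."""
    presented = hashlib.sha256(cert_der).hexdigest()
    return hmac.compare_digest(presented, pinned_hex)


def connect_pinned(url: str, timeout: float = 5.0) -> bytes:
    """Open a TLS connection that passes chain, hostname and pin checks, and
    return the peer's DER certificate. Network code: not exercised offline."""
    if not endpoint_allowed(url):
        raise ValueError(f"refusing non-TLS endpoint: {url}")
    parsed = urlparse(url)
    host, port = parsed.hostname, parsed.port or 443
    ctx = hardened_context()
    if not context_is_hardened(ctx):
        raise RuntimeError("TLS context is not hardened")
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not cert_matches_pin(der):
                raise ssl.SSLError(f"certificate pin mismatch for {host}")
            return der
```

Pinning the leaf certificate is the simplest form and the one the standard library supports directly, but it means the pin must be rotated every time the certificate is reissued, so ship a backup pin and a way to update the app. On the platforms themselves the same policy is expressed declaratively, through Android's Network Security Config and iOS App Transport Security, and a mobile application review should check that neither has been loosened to accept user-installed or arbitrary certificates.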
- Insider Threats
Mobile devices also facilitate threats from employees and other insiders. A malicious insider can misappropriate data by copying large amounts of corporate information to the device's secure digital (SD) flash memory card, or by emailing it to an external account over the cellular network, where network-based monitoring such as data loss prevention (DLP) never sees it. Application downloads can also create unintentional threats. Most people install applications from app stores and use mobile applications that can reach enterprise assets with no idea of who developed the application, how well it is built, or whether it opens a path from the application straight back into the corporate network. The use of personal cloud services through mobile applications is another issue; when used to convey enterprise data, these applications produce leaks that the organization remains entirely unaware of.
- Old Devices
In the smartphone world, old does not mean years. It is even possible to buy a brand-new device that is already too old to receive security updates. Phones, like workstations, need to be patched with the latest security updates, and when a vendor stops patching, the risk of compromise rises rapidly and stays high for the rest of the device's life. Everyone knows they should no longer run Windows XP; the danger posed by out-of-date smartphones is exactly the same. Make sure your IT department understands the risk, and enforce a policy that requires operating system versions likely to be actively maintained for the expected life of the device, together with a minimum security patch level that is checked at enrollment and on an ongoing basis.
- Unlocked Phones
Many organizations have a screen-lock policy that ensures workstations left idle lock themselves. Unfortunately, some of those same organizations neglect to apply an equivalent policy to their company phones. A lock screen stops anyone with physical access to a phone from using it, whether a thief, a corporate spy or your own child benignly tweeting nonsense to your company's Twitter followers, and on current devices the passcode behind it is also what protects the encryption keys. Adopt a policy that makes lock screens, short idle timeouts and non-trivial passcodes mandatory.
- Loss and Theft
Small, portable devices are vulnerable to loss and theft. 3.1 million smartphones were stolen in 2013, nearly twice as many as in 2012, and eight out of ten people who found a lost device were observed to try to access the corporate information on it. To limit the damage from a lost or stolen device, enforce passcode policies on the device and its apps and require multi-factor authentication for the services they reach. Provide seamless access to corporate apps and resources with device certificates and single sign-on, so that users are not tempted to cache passwords. Encrypt corporate apps and data so they remain protected even if the device is compromised. Finally, make sure every device is enrolled for a full or selective (corporate-data-only) remote wipe, and test that the wipe actually works before you need it.
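The Old Devices, Unlocked Phones and Loss and Theft items above all reduce to a per-device compliance check that an enrollment or inventory job can run. The following is an added example written for this article, not code from the original page or any MDM product: it reads the version and patch properties that `adb shell getprop` reports on Android (the sample output is constructed, not captured from a real device), combines them with lock-timeout, passcode and wipe attributes that an MDM would supply (assumed inputs here), and evaluates them against assumed policy floors. The policy values and the `android_record` helper are the example's own choices.

```python
import re
from dataclasses import dataclass
from datetime import date

# Assumed policy floors for this example; set your own per platform.
MIN_OS_VERSION = {"android": (10, 0, 0), "ios": (15, 0, 0)}
MAX_PATCH_AGE_DAYS = 90        # newest security patch may not be older than this
MAX_LOCK_TIMEOUT_SEC = 300     # screen must auto-lock within five idle minutes
MIN_PASSCODE_LEN = 6

# One line of `adb shell getprop` output looks like: [ro.build.version.release]: [13]
GETPROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

# Constructed sample of getprop output (not captured from a real device).
SAMPLE_GETPROP = """\
[ro.build.version.release]: [13]
[ro.build.version.security_patch]: [2023-11-05]
[ro.crypto.state]: [encrypted]
"""


@dataclass
class DeviceRecord:
    device_id: str
    platform: str           # "android" or "ios"
    os_version: str         # "13" or "16.4.1"
    security_patch: str     # ISO date of the newest security patch installed
    lock_timeout_sec: int   # 0 means the screen lock is disabled
    passcode_len: int       # 0 means no passcode
    encrypted: bool
    remote_wipe: bool       # enrolled so IT can wipe it if it goes missing


def parse_version(text: str) -> tuple:
    """'13' -> (13, 0, 0) and '16.4.1' -> (16, 4, 1), so tuples compare safely."""
    parts = [int(p) for p in text.strip().split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def parse_getprop(output: str) -> dict:
    """Turn `adb shell getprop` output into a {property: value} dict."""
    props = {}
    for line in output.splitlines():
        m = GETPROP_LINE.match(line.strip())
        if m:
            props[m.group("key")] = m.group("value")
    return props


def android_record(device_id, props, lock_timeout_sec, passcode_len, remote_wipe):
    """Build a record from getprop data plus attributes an MDM would report (assumed inputs)."""
    return DeviceRecord(
        device_id=device_id,
        platform="android",
        os_version=props.get("ro.build.version.release", "0"),
        security_patch=props.get("ro.build.version.security_patch", ""),
        lock_timeout_sec=lock_timeout_sec,
        passcode_len=passcode_len,
        encrypted=props.get("ro.crypto.state") == "encrypted",
        remote_wipe=remote_wipe,
    )


def evaluate(rec: DeviceRecord, as_of: str) -> list:
    """Return the policy findings for one device as of the ISO date `as_of`.
    An empty list means the device is compliant."""
    findings = []
    floor = MIN_OS_VERSION.get(rec.platform)
    if floor is None:
        findings.append("unknown_platform")
    elif parse_version(rec.os_version) < floor:
        findings.append("os_too_old")
    try:
        age = (date.fromisoformat(as_of) - date.fromisoformat(rec.security_patch)).days
        if age > MAX_PATCH_AGE_DAYS:
            findings.append("patch_stale")
    except ValueError:
        findings.append("patch_unknown")   # missing or unparseable patch date fails closed
    if rec.lock_timeout_sec <= 0:
        findings.append("no_screen_lock")
    elif rec.lock_timeout_sec > MAX_LOCK_TIMEOUT_SEC:
        findings.append("lock_timeout_too_long")
    if rec.passcode_len < MIN_PASSCODE_LEN:
        findings.append("weak_passcode")
    if not rec.encrypted:
        findings.append("unencrypted")
    if not rec.remote_wipe:
        findings.append("no_remote_wipe")
    return findings


if __name__ == "__main__":
    current = android_record("dev-a", parse_getprop(SAMPLE_GETPROP), 120, 6, True)
    legacy = DeviceRecord("dev-b", "android", "8.1.0", "2021-10-05", 0, 4, False, False)
    for rec in (current, legacy):
        print(rec.device_id, evaluate(rec, "2024-01-15") or "compliant")
```

The patch-age rule is what catches the "brand new but already unsupported" device the Old Devices item describes: its OS version may pass the floor while its security patch level is a year stale. Treat a missing or unparseable patch date as a failure rather than a pass, since a device that cannot report its patch level is exactly the one you cannot vouch for.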
Mobile device threats are increasing and can result in data loss, security breaches and regulatory compliance violations. You can take a number of steps to reduce the risks they pose and address related productivity issues and legal, privacy, and security requirements. With well-supported mobility and security awareness programs in place, your organization can keep users happy and your network secure, so you can compete effectively in today’s mobile-first environment.