Today, employees and organizations want more flexibility and work-life balance. They want to work any time, anywhere. But they also want privacy and information security, at a time when cyber crime is a growing concern.
According to Mobile Security and Risk Review, Second Edition (Q2 2016), published by MobileIron, mobile threats are increasing, due to lax security practices of public and private organizations. MobileIron’s lead architect, James Plouffe, in an interview, said organizations are “alarmingly complacent” regarding their information security. “The velocity of mobile attacks is increasing, but the latest data shows that enterprises are still not doing the things they could be to protect themselves.”
Organizations and their employees can reduce the mobile threat using three strategies.
1) Secure Mobile Phone Operating Systems
The longer an operating system is on the market, the more vulnerable it is. Today, criminals use mobile phone malware to track a user’s location, take over cameras and access any stored data like text messages, contact lists, photographs and passwords. Android phones currently account for 96% of malware attacks because they are more open and less controlled.
Telco carriers and manufacturers need to tweak each installation and customize each phone model. This delays OS updates. According to Marc Goodman, author of Future Crimes, most Android users do not have up-to-date device patching for the newest OS. Goodman says that if Android users upgraded to the latest version of their mobile phone operating system, 77% of security threats could be eliminated. Criminals look for security gaps by targeting such users. Security firm Symantec predicts that malware threats targeted at Apple will increase in 2016 due to the popularity of the devices.
2) Use Reputation or Mobile Threat Prevention tools
Both the Google and Apple stores have more than one million apps available. According to MobileIron’s Q4 2015 report (Mobile Security and Risk Review), fewer than 5% of enterprises have deployed an App Reputation or Mobile Threat Prevention solution. These tools help to reduce risky and malicious apps and other device vulnerabilities.
Additionally, EMM (Enterprise Mobility Management) apps provide data monitoring and cloud access features to further minimize data leakage. Goodman writes that by 2013, more than 42,000 apps in Google’s store were identified as having spyware and information-stealing Trojan programs.
Recent mobile attacks include:
- Android GMBot – remotely controls infected devices and tricks victims into entering banking info.
- AceDeceiver iOS malware – intended to steal a person’s Apple ID. Released to the App Store in late 2015, disguised as wallpaper.
- SideStepper iOS “vulnerability” – sidesteps the normal app approval process by tricking the user into installing a malicious configuration profile.
- Marcher Android malware – mimics bank websites and tricks users into entering login information through ecommerce websites.
- XcodeGhost – a variant of malware that steals device and user information.
3) Educate staff about the importance of mobile compliance requirements
The weakest link between a cyber criminal and an organization is an employee who unknowingly compromises their device. Companies need to better communicate the consequences of a data breach when compliance requirements are not followed.
An out-of-compliance or compromised mobile device costs companies more when a data breach occurs. According to a survey done by the Ponemon Institute in 12 countries, the average cost of a data breach is $4 million, 29% higher than in 2013.
MobileIron reports that 40% of companies had missing devices in early 2016. Missing devices include those that are stolen, lost, not in use, or turned off for an extended period of time. The typical resolution for a missing device is to determine the actual reason the device is inactive as soon as possible. If the device is lost or stolen, it must be quarantined.
Out of Date Policies
Out-of-date policies occur when an IT administrator changes a policy and the change does not propagate to an end-user device. Companies with out-of-date policies increased from 20% in Q4 2015 to 27% in Q2 2016. When an employee device has an out-of-date policy, it should have restricted use until resolved.
Don’t delete the Enterprise Mobility Management app
As mentioned, EMM apps help monitor information and safeguard against threats. According to MobileIron, the incidence of companies where the EMM app was removed, for various reasons, from one or more devices rose from 5% in Q4 2015 to 26% in Q2 2016.
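The compliance rules in this section (missing devices, out-of-date policies, a removed EMM app) can be expressed as a triage over a device inventory, with the most severe condition taking precedence. This is an added example, not code from the article or from MobileIron; the `Device` fields, the 14-day inactivity threshold and the action for a removed EMM app are assumptions, and the inventory is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: the article does not define "an extended period"; 14 days is a placeholder.
MISSING_AFTER = timedelta(days=14)

@dataclass
class Device:  # hypothetical inventory record, not a real EMM schema
    owner: str
    last_checkin: datetime
    applied_policy: int  # policy version the device last confirmed
    emm_installed: bool
    reported_lost: bool = False

def triage(dev, current_policy, now):
    """Return (status, action) for one device, most severe condition first."""
    if dev.reported_lost:
        return ("lost_or_stolen", "quarantine")
    if not dev.emm_installed:
        # Assumed action: the article only says the EMM app must not be removed.
        return ("emm_removed", "restrict")
    if now - dev.last_checkin > MISSING_AFTER:
        # Cause unknown (off, unused, lost): find out why before deciding.
        return ("missing", "investigate")
    if dev.applied_policy < current_policy:
        return ("policy_out_of_date", "restrict")
    return ("compliant", "allow")

def triage_fleet(devices, current_policy, now):
    """Map each owner to the (status, action) pair for their device."""
    return {d.owner: triage(d, current_policy, now) for d in devices}

# Constructed sample inventory.
NOW = datetime(2016, 7, 1)
CURRENT_POLICY = 7
FLEET = [
    Device("alice", NOW - timedelta(days=1), 7, True),
    Device("bob", NOW - timedelta(days=2), 6, True),
    Device("carol", NOW - timedelta(days=30), 7, True),
    Device("dave", NOW - timedelta(days=30), 5, True, reported_lost=True),
    Device("erin", NOW - timedelta(days=3), 7, False),
]

if __name__ == "__main__":
    for owner, (status, action) in triage_fleet(FLEET, CURRENT_POLICY, NOW).items():
        print(f"{owner:6} {status:20} -> {action}")
```

The device reported lost is quarantined even though it is also inactive and on an old policy, because the checks run in order of severity.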
The number of global mobile phone users is forecast to reach 4.77 billion in 2017. The opportunity is clear for criminals to target users and organizations with lax security standards. Organizations and employees must remain vigilant and follow security strategies that maximize their privacy and data protection.