Manage Learn to apply best practices and optimize your operations.

Three mobile security threats IT should know

When it comes to mobile security threats, IT has more to deal with than just risky, malicious apps.

Malware outbreaks might make for fantastic headlines, but mobile malware is just one of several mobile security threats IT must confront.

Lost or stolen devices and misconfigured or snoopy applications represent the majority of mobile device breaches. Still, this doesn't mean enterprises should ignore mobile malware. Assessing all three of the following threat trends can help you take a risk-based approach to safeguarding corporate-provided or employee-owned mobile devices in the enterprise.

Device loss and theft

Smartphones and tablets are easy prey for snatch-and-grab criminals, and many more mobile devices simply go missing. With pervasive mobility, device loss and theft rates continue to grow, escalating the associated risk to any business data stored on those devices. According to Verizon's latest Data Breach Investigations Report, 15.3% of all data breach incidents are now reportedly due to physical theft or loss -- including that of mobile devices.

Fortunately, fundamental measures are readily available on all mobile platforms to counter this threat. For example, Google Android 5.0 finally mandates hardware support for stored data encryption, although users can still disable this essential safeguard. Apple iOS 7 introduced a kill switch to render stolen iPhones and iPads worthless. In iOS 8, Activation Lock is enabled by default, strengthening out-of-the-box defenses against data breaches due to device loss or theft.

Leaky apps on the rise

The majority of mobile security breaches through 2017 will be the result of mobile app misconfigurations, rather than explicit attacks on devices, according to Gartner Inc. For example, many mobile apps auto-synchronize data with personal cloud services, such as Apple iCloud or Microsoft OneDrive. Unless IT blocks this syncing, or even bans those kinds of cloud services, these apps can easily leak enterprise data to public clouds unbeknownst to employees or employers.

In addition, a growing number of mobile apps request permissions and gather data they simply don't need. Many of the free apps in Google Play contain adware, software that endangers privacy by capturing information, such as device-unique IDs, location, contacts and more. Most often hidden within personalization or gaming apps, even relatively benign adware can slow down a mobile device, trigger accidental Web requests and leak personal or enterprise data.

Enterprises can take various steps to mitigate this threat. IT can disable the installation of repackaged apps from unauthorized app stores and should make sure to assess the reputation of mobile apps used for business. Another way to isolate enterprise data is by using containerized apps or storage. It may be impossible to prevent all leaky apps, but enterprises can use careful app management to control the flow of business data between mobile apps and across mobile networks.

Mobile malware isn't just for Android

Over the past few years, malware writers have largely focused on Android because it is the top-selling mobile OS worldwide and the dominant OS on personal smartphones. However, as employees increasingly use mobile devices for business, criminals are likely to refocus on malware aimed at enterprise assets.

Criminals are likely to refocus on malware aimed at enterprise assets.

According to San Francisco-based cybersecurity analysis firm Lookout Inc., today's Android security threats consist of increasingly more sophisticated malware attacks and OS exploits that compromise devices and networks. To make matters worse, many Android devices run older versions of Android that are vulnerable to Android Open Source Project browser or MasterKey exploits that give criminals free reign over compromised devices.

Many enterprises consider iOS immune to malware, but this is simply untrue. For example, Lookout reports that WireLurker and XAgent "surveillanceware" are exploiting enterprise app provisioning methods and installing malware on iPhones and iPads, bypassing Apple's tightly curated App Store. In addition, iOS malware has long targeted jailbroken devices, which install bad apps from alternative sources, such as the Cydia directory.

Even if mobile malware isn't yet a major concern for enterprises, a few basic countermeasures can go a long way. Disabling sideloading of Android apps, monitoring and quarantining jailbroken or rooted devices, establishing minimum OS versions, and keeping devices and apps up-to-date can deter most of today's mobile malware threats. And that will establish a solid foundation for addressing emerging threats that will no doubt follow tomorrow.

Next Steps

Android man-in-the-middle attacks

What works and what doesn't in mobile security

What mobile security lacks

Is antimalware protection necessary for mobile security?

This was last published in September 2015

PRO+

Content

Find more PRO+ content and other member only offers, here.

Essential Guide

Lock down mobile data protection for your enterprise

Join the conversation

4 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

What is your organization doing to combat the latest mobile threat trends?
Cancel
All three of these trends pose threats to mobile security for organizations. Device loss and theft is perhaps the one that is most easily addressed because steps can easily be taken across the enterprise to protect company data. For example, FinalCode provides the ability for access control and file encryption, allowing a company to relatively easily implement both. Leaky apps and mobile malware, on the other hand, prove much more difficult to control because, unless a policy is strictly enforced, users will circumvent those policies to use their devices when, where, and how they want to use them for.
Cancel
This is why IT must be proactively on top of all security, including security related to mobile devices. Here's a good blog that describes BYOD security risks and how to mitigate them: http://bit.ly/5JJYKZA
--KB

Karen J. Bannan, commenting on behalf of IDG and Dell
Cancel
With the world focusing on mobility and digitization, mobile security seems like an endless tom & jerry fight. Its an on and off process. Honestly, nothing in this world is fully secured, leave alone our personal data and bank/credit card information. It isn’t that developers and companies aren’t aware of the situation and future consequences. It is just that they haven’t been able to come to an effective and substantial solution for the same.

At appknox we offer peace of mind to enterprises and the developers who create and maintain apps by doing regular security audits of their work, and alerting them to new vulnerabilities as they arise.
Cancel

-ADS BY GOOGLE

SearchNetworking

SearchTelecom

SearchUnifiedCommunications

SearchSecurity

Close