Mobile Security is not in a Complacent State
By Jonathan Andresen, Senior Director, Products & Marketing, Asia-Pacific & Japan, MobileIron
It’s not just that new types of mobile attacks are emerging every day, such as the recent Pegasus iOS zero-day exploit; the velocity of attacks is also increasing. Even though most attacks re-use old tactics against mobile-specific services rather than employing innovative techniques to exploit new vulnerabilities, enterprises are still caught off guard.
At the recent Black Hat USA 2016, the second edition of ‘Mobile Security and Risk Review’ published by MobileIron unearthed some alarming truths in the enterprise industry. Less than 5% of the companies surveyed use App Reputation or Mobile Threat Detection software, and only 8% are enforcing OS updates. In other words, most of the devices used for work are vulnerable, if not compromised.
Of course, there are understandable challenges with the adoption of mobility. These include balancing users’ desire to access easy-to-use consumer apps against the need to control access to corporate data. And so enterprises simply block the riskier applications, such as Evernote and Line, both of which joined the top 10 most blacklisted consumer apps by corporate IT departments.
Regulated industries and governments face even more challenges. Stringent security requirements make it hard for them to keep up with the dizzying pace of mobile technologies.
Extended and more rigorous approval and procurement processes leave government organisations with older technology, which in turn leaves them with more non-compliant devices, missing devices and EMM software, and out-of-date policies that don’t match user requirements. Let’s face it: users are already Mobile First, while most IT departments still think of mobility as a secondary priority to their PC strategy.
These are the mobile attacks that have either emerged or worsened in the last six months:
- Pegasus: a serious and sophisticated new type of attack that leverages three vulnerabilities in iOS software, known as Trident, to allow cybercriminals to install spyware on your device.
- Android GMBot: Spyware that remotely controls infected devices in order to trick victims into providing their bank credentials.
- AceDeceiver iOS malware: Designed to steal a person’s Apple ID.
- SideStepper iOS “vulnerability”: Found to allow traffic between an MDM server and a managed device to be intercepted and manipulated.
- High-severity OpenSSL issues: Vulnerabilities that can potentially impact large numbers of applications and services, which could ultimately jeopardize enterprise data-in-motion.
- Marcher Android malware: Evolved to mimic bank web pages that trick users into entering their login information through e-commerce web sites.
Security incidents are often the precursor to a breach because they leave a device or app vulnerable and then put enterprise data at risk.
In general, enterprises have not yet significantly changed their mobile security practices in the face of these new threats to their corporate data. Aside from not enforcing updates or deploying the right software, there was also an increase in the number of employee compliance incidents. Forty percent of companies had missing devices, up from 33% in Q4 2015. And more than 25% of companies had out-of-date policies, an increase of 20% since last year. Such incidents are typically a precursor to an actual security breach.
While embracing mobility appears tough, it’s actually quite simple with the right combination of technology and user education. By staying engaged with app trends, enterprises can have their cake and eat it too. The existence of enterprise versions of apps like Box, Dropbox and Evernote can give employees the enterprise features and the experience they want while staying secure, as long as there is a layer of trust and security at the device, application and user level: a win-win for both sides.
There’s little reason in today’s climate to ignore mobile security. Enterprise Mobility Management (EMM) has come a long way in a short amount of time, and is now simpler than ever to implement. EMM solutions are readily available to provide enterprises with the fundamental tools to mitigate these risks while empowering an increasingly mobile workforce. You can have it all – rigorous data protection, increased productivity and business outcomes, and happy employees too. Can you imagine that?