The 'Ostrich Approach' Won't Work with Mobile Malware

Chris Doggett, Managing Director, Kaspersky Lab North America

It’s no secret that employees have a growing dependency on mobile devices to access corporate information of all kinds. With employees working from home and other locations more frequently, it’s clear that mobility and BYOD are here to stay. And as with any new technology trend that goes mainstream, cybercriminal activity soon follows, eventually in equal measure. The recent rise in mobile malware follows a basic law of cybersecurity: the more vulnerable a system is and the more people use it, the more attractive it is for hackers to attack. Mobile malware is yet another proof point: because mobile devices are so pervasive, we’re now seeing huge growth rates in mobile malware, and because Android-based systems are comparatively easy to compromise, upwards of 98 percent of mobile malware targets them.

A recent report from Gartner shows a decline in PC shipments in the first quarter of 2014, another proof point that mobile computing is overtaking the traditional PC market. At the same time, a recent report by Lookout shows that in the U.S. the number of Android users who encountered malware grew 75 percent in 2014 from 2013. That is an alarming number, and industry experts expect it to grow even higher. This paints a grim picture: attacks on mobile systems are likely to become much, much worse. As more and more employees have on-the-go access to sensitive corporate information through their mobile devices, including sensitive information about customers, financial information and intellectual property, the value to cybercriminals of hacking those devices goes up. Couple that with the currently large number of vulnerabilities present in many apps and systems and the growing number of mobile malware tools to exploit them, and you can see that businesses are facing a very real and present danger.

The weakest links in IT security are, and always have been, the user base. This is evident in the continued popularity of phishing attacks and social engineering tactics. A March 2015 report by the Anti-Phishing Working Group (APWG) shows that the number of unique phishing reports submitted to APWG during Q3 2014 was 163,333. Additionally, through the first eleven months of 2014, spam volume increased 250 percent year over year according to Cisco’s data. The threats that businesses face are clear, and they’re growing rapidly. What is less clear, however, is how to train and educate the employees who use mobile technology. With so many employees taking corporate information on the road, the risk is there, but when was the last time you heard of a company training its employees in good security practices for mobile systems? A report by Ponemon explores the security impact of mobile device use by employees and shows that only 20 percent of respondents say they have received training on the security of mobile content access and management in the workplace. This is staggering considering the number of employees currently using mobile devices to access sensitive corporate information. This lack of education and training is a goldmine for cybercriminals, who will always go after the easiest, weakest link—in this case, employees.


The increasing volume and sophistication of mobile security threats present serious challenges for businesses of all sizes. Mobile devices and the apps and data they store must be protected. What are some technologies companies should consider for mobile device protection?

One important tool for companies to protect sensitive data is encryption. If an employee is working remotely and their laptop is lost or stolen, or if their phone or tablet gets infected with malware, unencrypted customer information can lead to crippling fines from regulatory agencies and, equally bad, a loss of trust from customers. “Containerization” of corporate data coupled with encryption will help prevent it from being viewed and shared, at least during the first few hours after a device is lost or stolen.

Another feature for strong security with stolen devices is anti-theft technology that can be operated remotely by the administrator to block access and to wipe corporate data from the device, so that the bad guys can’t access sensitive information even with unlimited time and full physical control of the device.

And of course there is the most fundamental layer of protection of all: anti-malware technology. This is such a “given” these days that it is almost assumed. But surprisingly enough, most mobile systems being used today aren’t equipped with it. For the platforms that are at the highest risk (such as Android), there are excellent anti-malware technologies readily available; we simply need to begin using them.

Finally, educating the user base is extremely important and, as I mentioned earlier, a step that unfortunately is often not executed properly or, worse, completely overlooked. User education should ideally be consistent and timely. All employees should receive the same training, as well as frequent follow-ups to ensure they have the most up-to-date information. Furthermore, a corporate IT department should be communicative regarding updates, outages, possible breaches, etc., so that all employees have the vital information that directly affects network security.

Given how widely the BYOD approach is used, organizations should also establish guidelines for employees on the proper, secure access of corporate information on mobile devices. This is an imperative step to make employees aware of the risks and the responsibilities that come with accessing corporate information on their mobile devices, and it provides standards, procedures and restrictions on the acceptable use of mobile devices to access corporate information. The policy should also provide the ability to enforce the use of strong passwords and to block dangerous apps and downloads from untrusted sources (a.k.a. “sideloading”).

While the mobile threat landscape continues to rapidly evolve and expand, there are several steps—including technologies, education and communication—that companies can take to help mitigate the risks their employees face while accessing corporate data on the go. In addition, industry events and conferences such as RSA, along with publications, are helping to educate businesses and consumers about the most prevalent IT security risks. These are the types of conversations and knowledge-sharing that truly help us stay a step ahead of the bad guys and protect what matters most to us.

And one thing is for sure: we can’t afford to ignore the risks in the mobile world any longer. The “ostrich approach” simply won’t protect us from the bad guys; in fact, they’ll look for those of us with our heads in the sand.
