Mobile Security: The Impact on the Enterprise Ecosystem
Nowadays, we often hear about high-profile cyber attacks in the news regarding nation states, but what about the daily threats affecting an enterprise and their impact?
In the past, cyber security was treated as an afterthought and as an IT problem. IT managers were given budgets that stretched only to basic technical safeguards such as a firewall and anti-virus software, and with a small staff of administrators to run them, security was deemed to be under control.
Fast-forward to 2015, the threat landscape has widened due to advances in mobile technology and the widespread adoption of mobile devices. Consequently, cyber security must be stepped-up to address this new landscape.
Enterprises have seen a growing trend away from office-based working towards more flexible, mobile working. Laptops, smartphones and tablets are now commonly used for work, but many of these devices are owned by employees rather than the enterprise, which complicates security. The challenges are twofold: corporately-owned IT infrastructure is exposed to threats that arrive via mobile devices, and corporate data is exchanged with devices the enterprise does not control.
The leading activities which employees conduct on their smartphones and tablets include accessing the corporate intranet, and using email and calendar applications. Whilst smartphones are mainly used to view documents, tablets are more often used to edit these, as well as access web meetings and perform analytics.
The key benefit to an enterprise of encouraging these mobility applications is business innovation: employees respond and make decisions faster, so issues are resolved sooner and productivity rises.
However, this innovation has widened the enterprise threat landscape in the following areas:
- Employee behaviour - Unsuspecting mobile users grant apps more permissions than they need, and some obtain root-level access by jailbreaking or rooting their phone, whilst relying on the same device for sensitive tasks such as online banking
- Genuine mobile apps - The majority of common apps on the Android and iOS stores can access user data, leaving that data susceptible to loss or sharing (advertising is a primary source of revenue for many free and paid apps)
- Malicious mobile apps - Malicious apps carry multiple forms of threat, including mechanisms for self-replication. For example, the Android Trojan Obad sends messages to premium-rate numbers, downloads and installs other malware, and uses Bluetooth to install itself on nearby devices
- Business and personal on the same device - Many employees access corporate data from a personal smartphone or tablet, or vice-versa. Either way, users want control over the device. Considering the previous points regarding mobile apps, this puts corporate data at even further risk
- Compromised Wi-Fi hotspots - In November 2014, BBC News suggested there would be almost 50 million public hotspots worldwide by the end of the year. Free Wi-Fi hotspots are available in many areas, and whilst convenient, they are targets for exploitation. Wi-Fi-fitted trains are regularly used by employees travelling to client sites. Attackers can set up a spoofed Wi-Fi network, or simply join the same legitimate hotspot as an employee and run a session-hijacking tool such as DroidSheep, which uses ARP spoofing to redirect the victim's traffic through the attacker's device. Either way, corporate information and communications pass through an attacker-controlled device, where they can be read or modified unless they are protected end-to-end, for example by TLS or a VPN
- Phishing - Seemingly authentic emails and websites can be presented on a mobile device, deceiving users into submitting corporate as well as personal information. As smartphone screens are relatively small, it can be difficult to determine the legitimacy of a URL. Phishing attempts can be made via SMS, fake websites and fake apps. Whilst phishing targets large groups of users, spear phishing is aimed at individual users. Taking the legal industry as an example, the names and contact details of partners and solicitors are usually published on the firm's website, so it is relatively easy to craft a convincing phishing email targeted at a specific employee
As the number of personal devices connecting to enterprise networks continues to grow, this threat landscape becomes more apparent, mobile security incidents increase, and so do the resulting costs. The impact of a mobile security incident includes lost or stolen corporate information, loss of reputation and shareholder value, the introduction of weaknesses that enable future attacks, compliance violations and fines, and the cost of replacing lost or stolen devices.
As previously mentioned, employee behaviour is a significant factor in mobile security. In a survey conducted by Dimensional Research in October 2014, IT professionals were asked which group they considered the greater security risk: careless employees, or cyber criminals who intentionally attempt to steal corporate information. Careless employees were judged the greater risk, because employees:
- Accidentally access malicious websites or download malicious content
- Lack awareness of enterprise security policies
- Intentionally ignore enterprise security policies
- Lose their mobile devices containing corporate information
The use of BYOD has been shown to increase the number of expensive security incidents. Researchers at IBM have reported that 26 of the 41 Android dating apps they analysed had medium- or high-severity vulnerabilities which could leave enterprises or employees open to hacking, spying or theft of sensitive data.
Securing corporate information remains the greatest security challenge faced by an enterprise in adopting a BYOD policy, followed by:
- Managing personal devices which contain both corporate and personal data and applications
- Tracking and controlling access to corporate and private networks
- Regularly updating the device operating system and applications
The costs of remediating mobile security incidents can be challenging to calculate, because an enterprise will need to consider staff time, legal fees, regulatory fines, resolution processes, and other expenses for each incident where corporate information has been lost or stolen from a mobile device.
Reducing the impact of mobile threats, as well as cutting the number of mobile security incidents, is no easy task for an enterprise. Defence in Depth should be the model adopted to prevent, detect and remediate these threats, as follows:
- Determine an acceptable mobile device policy. This policy should include the types of devices permitted to access the network, employee approval processes to add their device to the network, privacy expectations, returning the devices during the leaving process, etc.
- Establish a training and awareness programme on the use of mobile devices, including the aforementioned policy
- Engage the cyber security team to determine the security settings for mobile devices
- Conduct real-time statistical and behavioural analysis, to determine malicious or abnormal behaviour between the enterprise's network and mobile devices.
- Apply automated checks to detect anomalies in mobile device configurations, installed apps, events and logs, for example a device that has newly been rooted or an app that has acquired permissions it previously lacked
- Set device policies that restrict or prohibit network access for non-compliant devices (for example, devices that are rooted, running an outdated operating system, or lacking mobile anti-virus software), and monitor the network and its devices for known vulnerabilities and malware
- Consider integrating a Mobile Device Management (MDM) system to track lost or stolen devices, remotely install enterprise-approved software, remotely delete unapproved software and remotely wipe corporate data from a mobile device
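As an added example, not from the original article or any product it mentions, the following Python script shows what the configuration checks and the statistical traffic baseline described above might look like when run over MDM-style inventory records. The approved-app list, minimum OS versions, permission names, device records and traffic figures are all constructed for illustration; it also ties back to the earlier points about over-permissioned apps and rooted or jailbroken devices.

```python
"""Compliance and anomaly checks over constructed MDM-style device records.

Added example: the policy values and the records below are invented for
illustration and are not taken from any real MDM product or the article.
"""
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

# Assumed enterprise policy (illustrative values).
APPROVED_APPS = {"com.corp.mail", "com.corp.calendar", "com.corp.intranet"}
MIN_OS_VERSION = {"android": (5, 0), "ios": (8, 0)}
# Permissions that premium-rate SMS fraud or data theft would abuse.
RISKY_PERMISSIONS = {"READ_SMS", "SEND_SMS", "READ_CONTACTS", "RECORD_AUDIO"}


@dataclass
class DeviceRecord:
    device_id: str
    platform: str                 # "android" or "ios"
    os_version: Tuple[int, int]
    rooted: bool                  # rooted (Android) or jailbroken (iOS)
    apps: Dict[str, Set[str]]     # package name -> granted permissions
    daily_bytes: List[int]        # bytes sent to the corporate network on past days
    today_bytes: int              # bytes sent so far today


def configuration_findings(rec: DeviceRecord) -> List[str]:
    """Policy checks on the device's configuration and installed apps."""
    findings = []
    if rec.rooted:
        findings.append("rooted/jailbroken device")
    if rec.os_version < MIN_OS_VERSION[rec.platform]:
        findings.append("OS below minimum version")
    for pkg, perms in sorted(rec.apps.items()):
        if pkg not in APPROVED_APPS:
            findings.append(f"unapproved app {pkg}")
        risky = sorted(perms & RISKY_PERMISSIONS)
        if risky:
            findings.append(f"{pkg} holds risky permissions {risky}")
    return findings


def traffic_anomaly(history: List[int], today: int, z_threshold: float = 3.0) -> bool:
    """Statistical baseline: flag today's volume when it sits more than
    z_threshold standard deviations above this device's own history.
    With fewer than five days of history the check stays silent."""
    if len(history) < 5:
        return False
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return today > mu          # flat baseline: any increase is unusual
    return (today - mu) / sigma > z_threshold


def assess(records: List[DeviceRecord]) -> Dict[str, List[str]]:
    """Map each device to its list of findings (an empty list means compliant)."""
    report = {}
    for rec in records:
        findings = configuration_findings(rec)
        if traffic_anomaly(rec.daily_bytes, rec.today_bytes):
            findings.append("outbound traffic far above baseline")
        report[rec.device_id] = findings
    return report


# Constructed sample inventory: one clean phone, one rooted and outdated phone
# running an over-permissioned flashlight app, and one clean tablet.
SAMPLE_RECORDS = [
    DeviceRecord("phone-A", "android", (6, 0), False,
                 {"com.corp.mail": {"INTERNET"}, "com.corp.calendar": set()},
                 [10_000, 12_000, 11_000, 13_000, 12_000], 14_000),
    DeviceRecord("phone-B", "android", (4, 4), True,
                 {"com.corp.mail": {"INTERNET"},
                  "com.example.flashlight": {"INTERNET", "READ_SMS", "SEND_SMS"}},
                 [10_000, 11_000, 12_000, 10_000, 11_000], 400_000),
    DeviceRecord("tablet-C", "ios", (8, 1), False,
                 {"com.corp.intranet": set()},
                 [50_000, 52_000, 48_000, 51_000, 49_000], 52_000),
]

if __name__ == "__main__":
    for device, findings in assess(SAMPLE_RECORDS).items():
        print(device, "->", findings or ["compliant"])
```

The per-device baseline matters: phone-A's 14,000 bytes is above its average but well within its normal spread, while phone-B's 400,000 bytes is hundreds of standard deviations out. A fixed global threshold would miss the first case and might also false-alarm on a device that simply handles more data every day, which is why the check compares each device with its own history.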