96%. According to a report from market and technology firm Canalys, that's how many mobile devices have no security software installed. For companies that increasingly rely on smartphones and tablets to do business, that number should be absolutely terrifying, especially given that, according to some reports, as many as 65% of IT professionals allow personal mobile devices to connect to internal corporate networks. Mobile devices have made doing business significantly easier, but they have brought with them a serious security threat that many in the IT world feel is not being addressed quickly enough.
One of the big challenges in assessing and containing the risk is the sheer variety of threats that mobile devices are exposed to. There is, of course, the traditional malware threat: according to security firm Kaspersky, 2012 saw over 14,900 new pieces of malware targeting Android devices, a three-fold increase over 2011, although other companies, such as F-Secure, disagree with the doomsday figures. Even with its much tamer count, F-Secure still found a 64% increase in the total number of malicious Android files. Many of these threats came from websites users visited on their phones, and many more masqueraded as legitimate apps in app stores, official and third-party alike.
Then there are platform-specific issues. For instance, a flaw in iOS allowed attackers to spoof the displayed sender of an SMS message, so that a text could masquerade as coming from a financial institution or a co-worker and ask for sensitive information. That is before even getting into the growing problem of lost or stolen devices carrying sensitive business data, or the threat of data interception during routine procedures such as transferring data from one phone to another at a cell phone store, where the device and its contents are briefly in a third party's hands.
The problem is so prevalent, in fact, that the Federal Government is struggling to secure its own devices. The Government Accountability Office (GAO) released a report in September urging federal agencies, cell phone carriers and manufacturers to establish a mobile security baseline. Some of the key mobile security concerns are specific to Government employees. For example, applications and standards need Federal approval before an agency can use them on its devices. Unfortunately, that approval takes months, sometimes years, and has difficulty keeping pace with changes in the technology. The Chief Information Officers' Council, a cross-agency working group aiming to modernize government, is working with agencies to try to speed up the process. Still, application approval is slow, and the problem is compounded by the rapid pace of development: companies building security technology, such as hardware encryption modules, are constantly chasing a stream of newer, faster devices.
Still, there are some simple steps and precautions that any company can take to minimize the threat of a mobile security breach.
- Make sure that your company has a mobile security and BYOD policy (if you allow BYOD). More importantly, make sure that your employees know what those policies are and what they need to do to be compliant. A report from Globo, for instance, revealed that as many as 91% of employees don’t know whether their organizations even have a BYOD security policy.
- Run frequent device audits. It's not enough to mandate mobile security policies. Mobile devices are much harder to track and monitor than desktops or even laptops, so a schedule of regular and surprise policy audits is a must. IT staff should check that no unapproved apps are installed, that security features such as the passcode, storage encryption and remote wipe are enabled and actually in use, and that apps and operating systems are up to date.
- Require full data encryption at all times. The risk of a smartphone or tablet being stolen is higher than ever, and company data can easily be pulled off an unencrypted device. A simple screen lock or other native feature will slow down a casual thief but will not protect your data from a dedicated attacker, and built-in encryption is only as strong as the passcode it is tied to. A third-party data encryption program with its own credential keeps proprietary and confidential data much safer at rest; bear in mind that encryption at rest does nothing for data an app has already sent off the device.
- Have a data wipe policy in place. Many third-party security apps let you set conditions that cause the phone to wipe all data: anything from multiple failed login attempts to a failure to check in with the corporate network within a given time frame. Similarly, all company devices should have a remote wipe feature so you can initiate a full device wipe the minute an employee reports the phone lost or stolen. Remote wipe only works while the device can still be reached, and a thief who pulls the SIM or enables airplane mode can keep it from ever receiving the command, which is why local triggers such as a failed-unlock limit, combined with encryption, matter so much.
- Don't allow unauthorized service. Pick a service provider that you trust to perform all repairs and data transfers on company phones, and set policies preventing employees from getting that work done anywhere else. Make sure the policies explicitly cover "authorized service locations" and carrier- or manufacturer-run shops and kiosks, so employees don't assume those are exempt.
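The audit and wipe-condition items above, turned into a compliance check that can be run over a device inventory. This is an added example written for this page, not code from the original article or from any MDM vendor. It assumes a hypothetical inventory export format (one dict per device with app identifiers, OS version, encryption and passcode flags, failed-unlock count, lost/stolen flag and last check-in time); the policy thresholds and the four sample devices are constructed for illustration.

```python
"""Device-audit and wipe-policy evaluator (added example, hypothetical MDM export format)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy thresholds for the example (illustrative values, not the article's).
POLICY = {
    "approved_apps": {"com.corp.mail", "com.corp.vpn", "com.corp.docs"},
    "min_os": {"ios": (6, 1, 3), "android": (4, 1, 2)},
    "max_failed_unlocks": 10,              # local wipe trigger
    "max_checkin_gap": timedelta(days=7),  # "failed to phone home" wipe trigger
}

# Constructed inventory in the shape an MDM export might take (assumed format).
NOW = datetime(2013, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    {"id": "d1", "platform": "ios", "os_version": "6.1.3", "encrypted": True,
     "passcode_set": True, "failed_unlocks": 0, "reported_lost": False,
     "last_checkin": NOW - timedelta(hours=2),
     "apps": ["com.corp.mail", "com.corp.vpn"]},
    {"id": "d2", "platform": "android", "os_version": "4.0.4", "encrypted": False,
     "passcode_set": True, "failed_unlocks": 2, "reported_lost": False,
     "last_checkin": NOW - timedelta(days=1),
     "apps": ["com.corp.mail", "com.example.game"]},
    {"id": "d3", "platform": "ios", "os_version": "6.1.3", "encrypted": True,
     "passcode_set": True, "failed_unlocks": 1, "reported_lost": False,
     "last_checkin": NOW - timedelta(days=10),
     "apps": ["com.corp.mail"]},
    {"id": "d4", "platform": "android", "os_version": "4.2.2", "encrypted": True,
     "passcode_set": False, "failed_unlocks": 12, "reported_lost": True,
     "last_checkin": NOW - timedelta(hours=6),
     "apps": ["com.corp.docs"]},
]


def parse_version(text):
    """'6.1.3' -> (6, 1, 3), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class AuditResult:
    device_id: str
    findings: list = field(default_factory=list)
    wipe: bool = False  # True when any wipe condition in the policy is met


def audit_device(dev, policy=POLICY, now=NOW):
    """Check one device against the policy; record findings and flag wipe triggers."""
    result = AuditResult(dev["id"])

    # Audit checks: unapproved apps, outdated OS, security features disabled.
    unapproved = sorted(set(dev["apps"]) - policy["approved_apps"])
    if unapproved:
        result.findings.append("unapproved apps: " + ", ".join(unapproved))
    if parse_version(dev["os_version"]) < policy["min_os"][dev["platform"]]:
        result.findings.append(f"outdated OS: {dev['platform']} {dev['os_version']}")
    if not dev["encrypted"]:
        result.findings.append("storage encryption disabled")
    if not dev["passcode_set"]:
        result.findings.append("no passcode set")

    # Wipe conditions: too many failed unlocks, silent too long, or reported lost.
    if dev["failed_unlocks"] >= policy["max_failed_unlocks"]:
        result.findings.append(f"{dev['failed_unlocks']} failed unlocks: WIPE")
        result.wipe = True
    gap = now - dev["last_checkin"]
    if gap > policy["max_checkin_gap"]:
        result.findings.append(f"no check-in for {gap.days} days: WIPE")
        result.wipe = True
    if dev["reported_lost"]:
        result.findings.append("reported lost or stolen: WIPE")
        result.wipe = True
    return result


def audit_inventory(inventory=SAMPLE_INVENTORY, policy=POLICY, now=NOW):
    """Audit every device and return one AuditResult per device."""
    return [audit_device(dev, policy, now) for dev in inventory]


if __name__ == "__main__":
    for r in audit_inventory():
        status = "WIPE" if r.wipe else ("OK" if not r.findings else "NONCOMPLIANT")
        print(f"{r.device_id}: {status}")
        for finding in r.findings:
            print("   -", finding)
```

Run as-is and it reports d1 as compliant, d2 as non-compliant (unapproved app, outdated OS, no encryption) and d3 and d4 as wipe candidates. The check-in gap is evaluated against a fixed `NOW` so the output is reproducible; a real audit would pass the current time and the live MDM export.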