Enterprise IT security professionals have long been concerned about lost and stolen smartphones and tablets, but a new survey conducted by SearchSecurity.com found mobile malware and data-slurping apps are increasingly becoming top of mind at many organizations.
"Mobile malware has been a hyped up threat for a decade, but some of the malware we're seeing is scary enough to be of concern," said Lisa Phifer, mobile security expert and owner of Core Competence Inc., a Chester Springs, Penn.-based consulting firm that specializes in the business use of emerging Internet technologies. "If you're going to put sensitive business applications on those devices, then you would want to start taking that threat seriously."
SearchSecurity.com surveyed 487 IT security professionals in the first quarter of 2012, and found many organizations are either considering new technology to control the bring-your-own-device (BYOD) phenomenon, or are creating new security policies to address personal smartphone and tablet device use in the organization. More than half (53%) allow personal devices to connect to the corporate network and those firms are looking closely at mobile device management (MDM) platforms that can provide cross-platform security capabilities and address BYOD security risks.
The survey results suggest much of the interest in new technologies to control and lock down devices is being generated by newfound fears over application security, privacy issues, device data leakage and malware attacks, Phifer said. Researchers have documented how some mobile apps gather contact information, location data and potentially other sensitive data that could put an enterprise at risk. Other security firms are tracking the slow, but steady, rise in mobile malware – mainly SMS Trojans – targeting Android devices.
Authentication, data loss prevention, access control and encryption top the list of security technologies being implemented by organizations addressing BYOD concerns. At a minimum, organizations are seeking the capability to remotely wipe a device and the ability to force device owners to use a PIN.
Phifer said that despite the interest in MDM technology, most of the initiatives indicated in the survey can be handled without deploying new mobile security technology in the enterprise. Microsoft Exchange ActiveSync, a widely deployed synchronization protocol, can enable many organizations to enforce basic security rules, such as password management, remote wipe and encryption.
"If you are an Exchange shop and already managing Exchange settings on multiple devices, you can leverage those hooks," Phifer said. "You might not be able to satisfy all your security policies with rigor or substantial reporting, but you can do it."
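As an added worked example (not from the article, and not Microsoft's own documentation), the Exchange 2010 Management Shell commands below enforce the baseline controls the survey respondents asked for, a forced PIN, device encryption and remote wipe, using only the ActiveSync policy hooks Phifer describes. The policy name, mailbox address and device name are hypothetical.

```powershell
# Added example: enforce a BYOD baseline over Exchange ActiveSync without an MDM
# product. Exchange 2010 cmdlet names; "BYOD-Baseline", the mailbox and the
# device friendly name are hypothetical placeholders.

# 1. Create a policy: alphanumeric device password of at least 6 characters,
#    lock after 5 minutes idle, local wipe after 10 failed unlock attempts,
#    encryption required, and refuse devices that cannot enforce the policy.
New-ActiveSyncMailboxPolicy -Name "BYOD-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to a mailbox (loop over Get-Mailbox output for a group).
Set-CASMailbox -Identity "jdoe@corp.example" -ActiveSyncMailboxPolicy "BYOD-Baseline"

# 3. Check which devices have partnered with that mailbox and whether each one
#    reports the policy as applied; a device stuck on a non-applied status is
#    the reporting gap Phifer warns about and needs manual follow-up.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe@corp.example" |
    Select-Object DeviceFriendlyName, DeviceType, LastSyncAttemptTime,
                  DevicePolicyApplied, DevicePolicyApplicationStatus

# 4. Remote-wipe a lost device, then confirm the acknowledgment. The wipe is
#    only executed the next time the device connects, so DeviceWipeAckTime stays
#    empty until then; a device that never reconnects is never wiped.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "jdoe@corp.example" |
    Where-Object { $_.DeviceFriendlyName -eq "Jane's iPhone" }
Clear-ActiveSyncDevice -Identity $lost.Identity -Confirm:$false
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe@corp.example" |
    Select-Object DeviceFriendlyName, DeviceWipeRequestTime, DeviceWipeAckTime
```

Two caveats a practitioner should keep in mind: `-AllowNonProvisionableDevices $false` blocks clients that do not implement EAS policy provisioning at all, which is the only way to know the PIN and encryption settings are actually enforced rather than silently ignored; and the wipe is a full-device wipe of whatever the client implements, so on a personally owned device it removes the employee's own data too, which is exactly the kind of consequence the written policy should spell out before enrollment. In Exchange 2013 and later the same operations use `New-MobileDeviceMailboxPolicy`, `Get-MobileDeviceStatistics` and `Clear-MobileDevice`.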
Traditional security measures still work when it comes to mobile, said Marcus Carey, a malware researcher at Rapid7, a Boston-based vulnerability management and penetration testing vendor. Mobile devices in general shouldn't be able to connect to corporate assets beyond email and calendar items, Carey said. The number of publicly available exploits targeting mobile devices is extremely low to nonexistent because cybercriminals are sticking to the lowest-hanging fruit: desktops and laptops. For that reason, Carey said, IT security teams are better off focusing on Web application security and vulnerability management, areas at far greater risk of being targeted by cybercriminals.
"We know that people can pivot from that workstation to the rest of the network via several different kinds of attack methods, but a mobile device attack leading to an enterprise compromise is just not happening at this time," Carey said. "We're talking about a very, very small attack surface."
MDM offers peace of mind, greater device control
Looking for peace of mind, IT teams are taking a closer look at MDM platforms because they provide more robust management capabilities. For example, some MDM platforms let organizations run closely monitored enterprise application stores, giving employees access only to company-approved applications. But SearchSecurity.com found the capability largely unused, with 85% of those surveyed indicating their organization was not building an application store. Software security is nonetheless becoming a major initiative, with 86% of those surveyed indicating their organization is putting more resources into application security.
Phifer called the application security focus a positive finding, but found it puzzling because most mobile experts have not yet seen enterprises make a strategic investment in developing custom mobile applications.
There is a tendency for enterprise IT teams to put the cart before the horse, Phifer said. Many firms implement technology to address a security concern without first conducting an assessment or communicating a set of formal security policies to employees, she said. Of those surveyed, 64% indicated their company had a written mobile device security policy, and of those, 81% require users to read and sign it. The high figure could reflect organizations that already have MDM systems in place: when enrolling devices, it is not uncommon for the system to display the formal mobile security policy and prompt end users to confirm they have read and understood it, she said.