Mobile malware may capture the bulk of the news headlines regarding enterprise mobile security, but the threat of data leakage and device loss and theft may be just as, if not more, important.
From a cybercriminal perspective, smartphones are not a very good attack vector at this time.
security researcher, Rapid7
These were among the chief concerns of respondents to SearchSecurity.com's 2012 enterprise mobile security survey, which was conducted in the second quarter of 2012. The survey, which polled 487 IT security professionals and IT managers, tackled a variety of issues, including bring your own device (BYOD) concerns, mobile policy issues and ongoing mobile security initiatives.
Mobile device theft and loss were listed among the top five enterprise mobile security issues. Application security and mobile malware also added to concerns over data leakage.
Below is a recap of the top five mobile security concerns as indicated by survey respondents, and reaction from industry observers.
1. Device loss: This scenario, involving something as common as an employee tablet or smartphone accidentally left in a taxi cab or at a restaurant, was the top concern of survey respondents. It may be driving the adoption of additional mobile security technolog, such as mobile device management (MDM) platforms, designed to add certain security controls on mobile devices regardless of their platform.
The finding does not surprise Marcus Carey, a security researcher at Boston-based compliance auditing firm Rapid7 Inc., who said it reflects what has been happening at enterprises for years. Lost or stolen laptops containing sensitive data, such as customer information or corporate intellectual property, Carey said, have led to many high-profile data security breaches.
2. Application security: Security researchers have been warning about mobile apps that request too many privileges, enabling them to tap into various data sources on the device. Free mobile apps and even some paid apps are built with ties to advertising networks, which makes contacts, browsing history and geolocation data extremely valuable to application developers, said Domingo Guerra, president and co-founder of San Francisco-based Appthority Inc.
From the editors: More from the 2012 mobile security survey
Check out more coverage, analysis and even a comprehensive audio slideshow detailing the results of the SearchSecurity.com 2012 enterprise mobile security survey.
Mobile application privacy and security, Guerra said, is an increasing concern. "Developers want to monetize, consumers want free apps and then ad networks will pay developers to get all of that juicy data from their users."
Survey respondents indicated that leaked corporate contacts, calendar items and even the location of certain executives could put the company at a competitive disadvantage. Another concern is malicious or Trojanized applications, which have appeared mainly on third-party Android markets, which are designed to look like they perform normally, but secretly upload sensitive data to a remote server.
3. Device data leakage: Nearly all of the chief concerns identified in the mobile security survey, from data loss and theft to malicious applications and mobile malware, snowball into a serious concern about data leakage. Enterprise CISOs, IT security teams and administrators in charge of mobile security at the enterprise say they want to gain some control and visibility over the influx of personally owned devices connecting to the corporate network.
While most corporate access privileges on mobile devices remain limited to calendar items and email, new mobile business applications can tap into a variety of sources if the enterprise accepts the risks, said Lisa Phifer, mobile security expert and owner of Core Competence Inc., a Chester Springs, Penn.-based consulting firm that specializes in the business use of emerging Internet technologies. Increased corporate data on devices increases the draw of cybercriminals who can target both the device and the back-end systems they tap into with mobile malware, Phifer said. "If you're going to put sensitive business applications on those devices, then you would want to start taking that threat seriously."
4. Malware attacks: Survey respondents said the threat of mobile malware poses a serious concern. It's a slow-growing problem, though most security experts agree that the threat has been largely overstated. Less than 2% of all global malware is designed to target mobile devices, according to industry estimates. A new report from Finland-based antivirus vendor F-Secure Corp. found the vast majority of mobile malware to be SMS Trojans, designed to charge device owners premium text messages.
Experts say Android devices face the biggest threat, but other platforms can attract financially motivated cybercriminals if they adopt Near Field Communications and other mobile payment technologies. An F-Secure analysis of more than 5,000 malicious Android files found that 81% of mobile malware can be classified as Trojans, followed by monitoring tools (10.1%) and malicious applications (5.1%). "These mobile devices require very specialized payloads that are not available in the wild," said Rapid7's Carey. "From a cybercriminal perspective, smart phones are not a very good attack vector at this time."
5. Device theft: The New York Times technology columnist David Pogue experienced device theft earlier this month, highlighting smartphone theft as a common problem for owners of highly coveted smartphones such as the iPhone or other high-end Android devices. Pogue said he was either pickpocketed on an Amtrak train or his device was stolen when he left it at the counter of the train's meal car. The stolen iPhone was recovered by police in the backyard of a Seat Pleasant, Md., home after Pogue used the Apple tracking features.
Not all stolen devices are recovered, security experts say, and the threat that corporate data, such as account credentialsand access to email, is exposed to atech-savvy thief, makes the issue a major threat to the IT security pros who took the survey. Darrin Reynolds, vice president of information security at Diversified Agency Services, a division of Omnicom Group, said that employees should immediately contact their corporate IT teams if a device is lost or they suspect it is stolen. Reynolds said corporate IT must be informed before the smartphone carrier is notified; that way, the company has the ability to wipe the corporate data off the device before the carrier revokes the device's network access.