This year, we’ve seen unprecedented growth in the amount of mobile malware. From threats that simply seek to embarrass victims to those that exploit premium rate number billing to those that steal information, mobile malware is certainly on the rise. More and more enterprise customers I speak with are becoming aware of the threat posed by mobile malware and asking how they can defend against it.
However, despite mobile malware rightfully growing as a concern, it should be acknowledged that the threat it poses is not yet at the level of traditional PC-based malware. In fact, as highlighted by recent research conducted by Symantec’s Eric Chien, mobile malware is still in a nascent state and will likely remain so until cybercriminals figure out a more lucrative way to monetize it. Thus, it is critical that enterprises not forget that perhaps a larger mobile security threat still looms.
This is the threat posed by not taking the entire mobile device ecosystem into account when developing mobile security strategies. Back in June, Symantec’s Carey Nachenberg authored an intriguing whitepaper that discussed the various strengths and weaknesses of the iOS and Android platforms. Near the end of the paper and perhaps somewhat overlooked by some readers, he discussed the potential inherent dangers posed by the mobile device ecosystem. Here, in part, is his analysis:
> In a typical deployment, an employee connects their device to both an enterprise cloud service such as an Exchange server that holds the employee’s work calendar, contacts, and email, as well as to a private cloud service, such as Gmail or Apple’s MobileMe, which holds their private contacts, calendar events, and email.
>
> Once a device is connected to one or more data sources, both iOS and Android provide a consolidated view of both corporate and private email, calendars, and contact lists that unifies data from both services into one seamless user interface, while internally maintaining a layer of isolation for the data from each service.
>
> This isolation prevents loss of enterprise data and also enables administrators to safely wipe enterprise data from a device while letting the user retain their own private data should they leave the company. While such an enterprise-sanctioned deployment isolates data from each source, ensuring that enterprise data is not inadvertently synchronized with the employee’s private cloud, it is quite easy for users to use third-party tools or services to intentionally or unintentionally expose enterprise data to third-party cloud services, unmanaged computers and devices.
So, what can enterprises do to combat the inherent risks in the mobile device ecosystem?
- Take inventory – You can’t protect or manage what you can’t see. You must take inventory of the devices in your organization to gain visibility across multiple networks and into the cloud. After taking stock, implement continuous security practices, such as scanning for current security software, operating system patches and hardware information, such as model and serial number.
- Develop and enforce strong security policies for using mobile devices – It is important to implement and enforce strong password management and application download policies for managers and employees. In addition, users should be educated about which cloud services they are permitted to sync their corporate-connected mobile devices to and why such rules are in place – in other words, what the risks are.
- Focus on protecting information as opposed to focusing on the devices – Instead of solely focusing on the mobile devices themselves, IT departments should take a step back and look at where the organization’s information is being stored and should then protect those areas accordingly. Requirements around anti-malware, data loss prevention and authentication apply for data wherever it resides, mobile or otherwise.
- Use a mobile device management solution – Today, smartphones and tablets are used the same way as laptops and PCs: they access email, run enterprise apps, and connect to corporate servers. As a result, the device and apps need to be managed through the entire device lifecycle, from device provisioning to securing and monitoring to device retirement. A well-managed device is a secure device.
- Integrate security and management – Security and management for mobile devices should be integrated into the overall enterprise security and management framework and administered in the same way – ideally using compatible solutions and unified policies. This creates operational efficiencies, but more importantly, it ensures consistent protection across your infrastructure, whether it is on premises or in the cloud. Security policies should be unified across all popular mobile operating systems and non-compliant mobile devices should be denied network access until they have been scanned and, if necessary, patched, upgraded or remediated.
The mobile device ecosystem is a complex environment, and with the added threat of a growing wave of mobile malware, it is not getting easier to manage. However, with the right tools, such as Symantec’s mobile protection technologies, an enterprise can ensure that mobility is not the weak link in its IT armor.