Let’s start with a real-world reminder of why mobile security is important.
This past May, HospitalGown was uncovered by mobile security firm Appthority. Billed as the largest enterprise mobile data leak ever, the vulnerability exposed more than 21,000 backend app servers that mapped back to roughly 1,000 popular enterprise apps used by businesses around the globe. This vulnerability exposed an estimated 43 terabytes of business data, roughly 300 million records that included customer and proprietary business information.
If that doesn’t get you scared about mobile security, you may be crazy.
“Mobile phones are a rich data target for hackers and immediate action is required,” says Domingo Guerra, founder of Appthority. “As your organization grows more mobile, you must actively defend against mobile threats.”
Here are seven of those threats you should watch.
1. Malware on Personal Devices
We all use personal devices for work. The problem is that these devices are not as security-hardened as those from the enterprise, and malware on these devices is a significant threat.
A study released last year by Allot Communications found that mobile business users actually have the highest chance of getting their devices infected by malware. Looking at half a million users, Allot discovered that 79 percent of businessmen and 67 percent of businesswomen use risky apps every day that make their organization vulnerable to mobile security attacks.
A separate study earlier this year by mobile security firm, MobileIron, also found that 11 percent of companies have compromised mobile devices accessing company data, and less than 5 percent of businesses have mobile anti-malware protection.
2. Outdated and Rooted Devices
Devices that have not been updated, and those that have been rooted by users for added functionality, pose a second important mobile security threat. These devices are far more likely to have security holes that can be exploited by cyber criminals.
“Beyond that,” adds Andrew Nielsen, chief trust officer for data security firm Druva, “organizations face threats from untrustworthy devices where phones and tablets ship with malware already installed unbeknownst to the manufacturer or the end user.”
Enterprises should perform automatic device checks when users attempt to access enterprise resources, looking for devices that don’t meet security requirements in terms of updates, modification and device type.
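The automatic check described above, as an added example that is not part of the original article: a function evaluates the attributes a device reports against a constructed policy covering updates, modification and device type, and denies access when any attribute is missing. The `DeviceReport` fields, the policy values and the `evaluate` function are hypothetical.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed policy values for illustration; a real policy would come from the MDM/EMM.
MIN_OS = {"android": (7, 0, 0), "ios": (10, 3, 0)}
MAX_PATCH_AGE_DAYS = 90
APPROVED_MODELS = {"android": {"Pixel", "Galaxy S8"}, "ios": {"iPhone 7", "iPad Pro"}}


@dataclass
class DeviceReport:
    """Posture attributes reported by a (hypothetical) device agent."""
    platform: Optional[str] = None
    os_version: Optional[str] = None
    last_patch: Optional[date] = None
    rooted: Optional[bool] = None  # rooted or jailbroken; None means "not reported"
    model: Optional[str] = None


def parse_version(text):
    """'7.1' -> (7, 1, 0). Returns None for missing or non-numeric input."""
    try:
        parts = [int(p) for p in text.split(".")]
    except (AttributeError, ValueError):
        return None
    return tuple(parts + [0] * (3 - len(parts)))  # pad so '7' compares equal to '7.0.0'


def evaluate(report, today):
    """Return (allowed, reasons). Missing or implausible data fails closed."""
    platform = (report.platform or "").lower()
    if platform not in MIN_OS:
        return False, ["unsupported or unreported platform"]
    reasons = []
    version = parse_version(report.os_version)
    if version is None or version < MIN_OS[platform]:
        reasons.append("OS version below minimum or unreported")
    age = (today - report.last_patch).days if report.last_patch else None
    if age is None or not 0 <= age <= MAX_PATCH_AGE_DAYS:  # future dates are rejected too
        reasons.append("security patch level too old, implausible or unreported")
    if report.rooted is not False:
        reasons.append("device is rooted/jailbroken or root status unknown")
    if report.model not in APPROVED_MODELS[platform]:
        reasons.append("device model not on approved list")
    return (not reasons), reasons
```

The returned reasons can be logged and shown to the user so a denied device can be brought back into compliance.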
3. Poor Data Protection
“The biggest threat to mobile devices today is ransomware, hands down,” says Nielsen. “The only true way to deal with zero day attacks like the recent WannaCry ransomware is to keep devices up to date from a security patching perspective, but, more importantly, have a proactive data protection strategy.”
This is an important point: If devices are backed up proactively, the impact of ransomware is easily negated, and firms can quickly recover from such attacks.
Make sure business data is backed up automatically.
4. Insecure Apps
Corporate data leaking through apps is a growing enterprise concern and the largest security blind spot in corporations today, according to many security experts.
“Businesses should encourage their employees to use only carefully vetted apps when handling sensitive information,” says Andrew Blaich, security researcher at mobile security firm Lookout. “If an app is not using a secure connection and/or mishandles the data it sends from the device, it puts everything done within the app at risk.”
In order to combat these threats, organizations need to enforce policy on mobile devices to constantly address the firm’s needed level of security, prohibit the use of untrusted or non-authorized applications, and be proactive when it comes to applying security patches.
5. Unenforced Security Policy
Companies may have a mobile security policy, but often it goes unenforced. Almost half of the companies surveyed by the MobileIron report did not enforce their corporate security policy for mobile devices, and nearly 30 percent had outdated policies.
“Creating a mobile-focused policy and enforcing it are critical,” notes Guerra at Appthority.
6. Overly Strict Security Policies
Even worse than an unenforced mobile security policy is one that is too strict. This is what creates shadow IT in the face of a clearly-defined corporate policy.
Businesses “should not simply ban app categories outright because they have risks associated with them,” stresses Guerra. “Employees will use the apps they feel make them most productive, and they’ll do so surreptitiously.”
If there is a particular app your business doesn’t want employees using, give them a viable alternative that doesn’t compromise on functionality in the name of added security. Otherwise, employees will simply use the less secure app your business is trying to avoid.
7. Insecure Network Connections
That Wi-Fi network at the coffee shop can’t possibly be a threat, goes the thinking of many a mobile employee. That’s a bad assumption, however, one that puts corporate data at risk.
“Businesses should caution their employees to use secure network communication channels including a VPN, and stop using free unsecured Wi-Fi,” says Blaich at Lookout. “Not using a VPN–or using unsecured Wi-Fi–puts anything they may send or receive on that network at risk of a man-in-the-middle attack.”
Consider yourself warned.
Read the original article on IT Toolbox here.