The 'Ostrich Approach' Won't Work with Mobile Malware

Chris Doggett, Managing Director, Kaspersky Lab North America

It’s no secret that employees have a growing dependency on using mobile devices to access corporate information of all kinds. With employees working from home and/or other locations more frequently, it’s clear that mobility and BYOD are here to stay. And as with any new trend in technology that goes mainstream, cybercriminal activity soon follows, eventually in equal measure. The recent rise in mobile malware is now following a basic law in cybersecurity: the more vulnerable a system is and the more people use it, the more attractive it is for hackers to attack. We can easily see yet another proof point of this with mobile malware: because mobile devices are so pervasive, we’re now seeing huge growth rates in mobile malware, and because Android-based systems are so relatively easy to hack, upwards of 98 percent of mobile malware is targeting them.

A recent report from Gartner shows a decline in PC shipments from the first quarter of 2014, another proof point that mobile computing is overtaking the traditional PC market. At the same time, a recent report by Lookout shows that in the U.S. the number of Android users who encountered malware grew 75 percent in 2014 from 2013. That is an alarming number and industry experts expect to see that number grow even higher. This paints a grim picture: attacks on mobile systems are likely to become much, much worse. As more and more employees have on-the-go access to sensitive corporate information through their mobile devices, including sensitive information about customers, financial information and intellectual property the value to cybercriminals of hacking them goes up. Couple that with the currently large number of vulnerabilities present in many apps and systems and the growing number of mobile malware tools to exploit them, and you can see that businesses are facing a very real and present danger.

The weakest links in IT security are, and always have been, the user base. This is evident in the continued popularity of phishing attacks and social engineering tactics. A March 2015 report by the Anti-Phishing Working Group (APWG) shows that the number of unique phishing reports submitted to APWG during Q3 2014 was 163,333. Additionally, through the first eleven months of 2014, spam volume increased 250 percent year over year according to Cisco’s data. The threats that businesses face are clear and they’re growing rapidly. What’s less clear, however, is training methods and education for employees who use mobile technology. With so many employees taking corporate information on the road the risk is there, but when was the last time you heard of a company training their employees about good security practices when using mobile systems? A report by Ponemon explores the security impact of mobile device use by employees and shows that only 20 percent of respondents say they have received training on the security of mobile content access and management in the workplace. This is staggering considering the number of employees currently using mobile devices to access sensitive corporate information. This lack of education and training is a goldmine for cybercriminals who will always go after the easiest, weakest link—in this case, employees.

“The weakest links in IT security are, and always have been, the user base”

The increasing volume and sophistication of mobile security threats present serious challenges for businesses of all sizes. Mobile devices and the apps and data they store must be protected. What are some technologies companies should consider regarding mobile device protection?

One important tool for companies to protect sensitive data is encryption. If an employee is working remotely and their laptop is lost or stolen, or if their phone or tablet gets infected with malware, unencrypted customer information can lead to crippling fines from regulatory agencies, and equally bad, a loss of trust from customers. “Containerization” of corporate data coupled with encryption will help prevent it from being viewed and shared during the first few hours of being lost or stolen (at least).

Another feature for strong security with stolen devices is anti-theft technology that can be operated remotely by the administrator to block access and to wipe corporate data from the device so that the bad guys can’t access sensitive information even with unlimited time and fully physical control of the device.

And of course there is the most fundamental layer of protection of all: anti-malware technology. This is such a “given” these days that it is almost assumed. But surprisingly enough, most mobile systems being used today aren’t equipped with it. For the platforms that are at the highest risk (such as Android), there are excellent anti-malware technologies readily available, we simply need to begin using them.

Finally, educating the user base is extremely important and, as I mentioned earlier, a step that unfortunately is often times not executed properly, or worse, completely overlooked. User education should ideally be consistent and timely. All employees should receive the same training, as well as frequent follow-ups to ensure they have the most updated information. Furthermore, a corporate IT department should be communicative regarding updates, outages, possible breaches, etc. so that all employees have the vital information that directly affects network security.

In light of how common the BYOD approach is used, organizations should also establish guidelines for employees on the proper, secure access of corporate information on mobile devices. This is an imperative step to make employees aware of the risks and the responsibilities that come with accessing corporate information on their mobile devices, and will provide standards, procedures and restrictions on the acceptable use of mobile devices to access corporate information. The policy should also provide the ability to enforce the use of strong passwords and block dangerous apps along with downloading from untrusted sources (a.k.a. “sideloading”).

While the mobile threat landscape continues to rapidly evolve and expand, there are several steps—including technologies, education and communication—that companies can take to help mitigate the risks their employees face, while accessing corporate data on the go. In addition, industry events and conference such as RSA and publications are helping to educate businesses and consumers to the most prevalent IT security risks. These are the types of conversations and knowledge-sharing which truly help to stay a step ahead of the bad guys and protect what matters most to us.

And one thing for sure is that we can’t afford to ignore the risks in the mobile world any longer; the “ostrich approach” simply won’t protect us from the bad guys, in fact they’ll look for those of us with our heads in the sand.