Mobile devices have been commonly used in corporate environments for decades – bulky portable telephones, heavy laptops and PDAs. Then along came Apple and the smartphone, and soon everyone either had a personal smartphone or expected their employers to provide one. Since then, enterprise mobility hasn't been the same.
While there have been numerous advancements in mobile device management, not every issue has been solved. For example, many organizations haven't upgraded their security capabilities even though attackers are constantly innovating their tactics.
There are four ways mobile devices continue to threaten businesses and put their sensitive data at risk.
1. Lack of user follow-through
Employees are one of the largest breach vectors for cyber attacks. While they might not mean any harm, if staff members don't fully adhere to company or industry standards, they can leave a door open to a hacker. A 2016 Ponemon Institute study found that 67 percent of surveyed IT security professionals employed in Global 2000 companies said it was certain or likely that a breach had occurred as a result of mobile device use. In addition, 64 percent admitted that their organization wasn't vigilant about protecting sensitive data on this hardware, and 63 percent had no policy regarding what type of company data could be stored on employee mobile devices.
Even with established best practices, a lack of user follow-through will leave businesses open to breaches. A 2017 Pew Research Center report found that some smartphone users aren't following simple best practices like updating their device or using access security features. In fact, 28 percent of smartphone owners don't use a lock screen, and 40 percent only update their devices when it's convenient. These lapses can make it much easier for a malicious party to gain control over a device and access sensitive information.
2. App and device vulnerabilities
Apps should traditionally go through a rigorous vetting period to ensure that the software is secure and valuable to business use. However, employees might choose to go with a program that's more convenient, creating the expansive environment of shadow IT. Similarly, organizations might pick an app that sounds good on paper but suffers from poor or insecure coding practices, which might not be apparent on the surface.
A 2017 Ponemon Institute survey found that respondents believed that Internet of Things apps are harder to secure due to a lack of quality assurance and testing for these programs. Participants were also slightly more concerned about getting hacked through an IoT app than a mobile one.
However, respondents noted the threat of malware far more often for mobile apps than for IoT software. The survey also indicated the real threat of shadow IT, as 63 percent of respondents were not confident or had no confidence that their organization knew all of the IoT and mobile apps being used within the workplace. These unapproved apps can have significant flaws, and those vulnerabilities could provide opportunities for hackers.
3. Sophistication of third-party app stores
The iOS and Android app stores have standards for evaluating and supporting programs for users to download. However, third-party stores have avoided detection recently and were even offered as normal-looking apps in official stores.
For example, Haima, a third-party iOS app store, aggressively promoted repackaged apps through social network channels, riding on the popularity of certain games and programs to entice users. Trend Micro noted that Haima got around Apple's Developer Enterprise Program by pretending to be an enterprise without having to be vetted through Apple's certification process. Since then, Apple has aimed to improve its algorithms and review procedures.
Unfortunately, some apps still slip through the cracks. Trend Micro observed a third-party app store being offered on the official iOS App Store as a legitimate program. By concealing itself as a legitimate program, the store offered users access to jailbreaking apps and other software. The app has since been removed, but it shows a large gap in analyzing these offerings.
4. Poorly deployed authorization tools
Sensitive business and user data must be protected from outside entities. If a phone is stolen or hacked, the malicious party won't be able to get in thanks to methods like encryption and two-factor authentication. However, as previously discussed, many users don't implement a lock screen on their device, leaving it open for anyone to access if it's lost or taken, creating significant compliance risks for organizations and mobile users.
Besides the issue of malicious apps, some trusted ones don't use adequate security measures to grant or deny entry. A Sophos analysis of the top 1,000 apps revealed that only 3 percent of them actually used best practices like two-factor authentication. For others, all data is put into the same bucket on the device, without the proper protections. In addition, 90 percent of apps didn't follow proper credential and authentication processes. Experts don't believe that regulations will fully fix the issue. Instead, a series of nasty incidents and consumer awareness might be the biggest motivators to make necessary security changes.
Organizations must take the time to establish stronger mobile management processes and enforce more specific policies. With these practices and threat detection tools, businesses can quickly find and deter breaches as they happen while providing staff with the flexibility of mobile operations.