Mobile devices have taken the workplace by storm, but the proliferation of these devices has created a new set of security challenges.
After a number of high-profile data breaches and “hacktivist” incidents last year, many companies have focused on protecting their corporate networks. But attacks on mobile devices have been quietly accelerating over the past year as cyber criminals have begun to turn their attention to mobile technology. Smartphones and tablets hold a trove of information, storing not only phone numbers and email addresses, but meeting dates, documents and text messages. That information is valuable in its own right, but it also can be used to give criminals even more leverage in their efforts to break into corporate networks. Mobile devices also can be turned into high-tech spying devices, sending confidential photos and recordings back to hacker-controlled websites.
Security measures, meanwhile, are often inadequate.
As the risk to mobile technology grows, businesses will need stronger defenses to keep the devices — and their own corporate networks — as secure as possible.
The Mobile Explosion
One of the biggest technology trends of the past few years has been a transition away from traditional desktops and laptops to mobile technology. Sales of smartphones, for instance, came in ahead of sales of personal computers in 2011 and will be nearly twice PC sales this year, according to a Business Insider Intelligence report.
As more people buy mobile devices for their own personal use, they want to use that same device at work as well. Companies have responded with “bring your own device” (BYOD) policies that allow employees to use their own smartphones or tablets at work. This has led an increasing number of companies to open corporate networks and data to consumer mobile technology.
A Dimensional Research global survey of IT professionals sponsored by Check Point found that 65 percent of the 768 IT pros polled allowed personal devices to connect to corporate networks and 78 percent said there are more than twice as many personal devices connecting to corporate networks now than there were two years ago.
This is putting corporate data at risk. In the survey, 47 percent of the IT pros said customer data was stored on mobile devices and 71 percent said mobile devices have contributed to increased security incidents.
Generational shifts in the workplace, meanwhile, mean younger workers often expect to be able to use their own mobile device on the job.
A global survey by network security company Fortinet in May and June asked more than 3,000 employees in their 20s about their attitudes toward bring-your-own-device policies and found that slightly more than half view it as their “right” to use their own mobile devices at work, rather than it being just a “privilege.” One in three said they would gladly break any anti-BYOD rules and contravene a company’s security policy that forbids them to use their personal devices at work or for work purposes.
Before companies began allowing employees to use their own devices, the corporate market often gave preference to BlackBerrys because of their enterprise-level security features. In the consumer market, however, BlackBerrys have lost ground to Android smartphones, iPhones and iPads.
Android commanded 59 percent of the worldwide smartphone operating system market share in the first three months of 2012, according to IDC. The iOS platform used by the iPhone had 23 percent of the market while BlackBerry had only 6.4 percent of the market.
In its survey of IT professionals, Dimensional Research found that Apple’s iOS was the most common platform used, with Google’s Android-based platform coming in third behind Research in Motion’s BlackBerry.
As mobile devices have proliferated, hackers have begun to increase their attacks.
In its 2011 Mobile Threats Report, Juniper Networks found that mobile malware attacks reached record levels in 2011 — especially attacks focused on the Android platform.
The Juniper Networks Mobile Threat Center identified a 155 percent increase in mobile malware across all mobile device platforms from 2010 to 2011. In the last seven months of 2011, malware targeting the Android platform jumped 3,325 percent.
Other security firms have also reported a sharp increase in mobile malware.
Security and anti-spam firm McAfee, for instance, said it collected about 8,000 mobile malware samples in the first quarter of 2012, most of them targeted at the Android platform. Threats that saw major increases included mobile backdoor malware and the popular premium-rate sending malware.
In one recent example, Google’s Android platform was the target of a new variant of a widely used malware capable of stealing personal information, according to a CSO report. The latest Zeus malware masquerades as a premium security app to lure people into downloading the Trojan, according to Kaspersky Lab. The new Zeus malware steals incoming text messages and sends them to command-and-control servers operated by the attackers.
While malware will continue to be a serious problem, consumers and enterprises are also susceptible to a much more mundane risk — the risk of lost or stolen mobile devices. In 2011, Juniper Networks said nearly one in five users of its Junos Pulse Mobile Security Suite required a locate command to identify the whereabouts of a mobile device.
Whether they are lost or stolen, or come under attack from malware, mobile devices represent a growing security risk for businesses. Many businesses, however, do not have adequate security policies and practices in place.
Managing the Risk
Companies also should have a chief information officer who can oversee the security policy and ensure that it is being implemented throughout the organization.
When it comes to the devices themselves, businesses should take the following steps:
- Encrypt Data. One way to protect smartphone data is with encryption. Most Android phones, however, do not have data encryption built into the hardware, which means users will have to rely on third-party applications. BlackBerrys, on the other hand, are known for their encryption capabilities.
- Improve Password Strength. Many people do not bother to use a password to protect their devices or they use one that is too weak. Syrian President Bashar al-Assad made news earlier this year when his personal email account was hacked. His password was one of the most commonly used: 12345. The string of consecutive numbers is the second-weakest password, according to password management application provider SplashData. “Password” ranked first on SplashData’s annual list of worst Internet passwords. To improve security, strengthen passwords by using a combination of letters, numbers and other characters.
- Use Remote Wipe Capabilities. If a device is lost or stolen, businesses need to be able to wipe the contents of the device clean. All major smartphones have some kind of remote erase capability.
- Use Network Intrusion Software. This software can help businesses identify any unauthorized intrusions. Managers should be sure to check the logs regularly for any unusual activity.
While security measures can help to reduce the risk of a loss, insurance is available to help defray the cost of a data breach or intrusion arising from mobile devices as well as a company’s own internal network.
Insurance companies offer third party liability coverage for lawsuits that arise as a result of a data breach or network intrusion. Coverage also is available for first party expenses, such as privacy notification expenses, the cost to change account numbers, crisis management and public relations expenses as well as losses from a business interruption.
When looking for a cyber insurance policy, it is important to look for an insurer that has expertise in handling such risks. Policies can vary significantly from one insurer to another, and insurers also offer a wide range of services to assist businesses in managing their cyber risks.
Some insurers, for instance, have panels of legal counsel that can offer guidance in case of a cyber attack. Loss control endorsements that cover preventive measures are also available under some cyber risk policies.
As always, it is important to work with an insurer that is financially strong and has strong claims servicing capabilities.
As companies increasingly open up their corporate networks to consumer mobile devices, they face an increased risk that the devices might be compromised and even used as a tool to gain access to the corporate network.
Mobile devices operating on the Android platform are particularly vulnerable. By implementing a comprehensive security policy that includes mobile devices and by taking other steps to protect the devices from malware and to wipe them clean if they are lost, businesses can reduce the risk of a loss in connection with the use of mobile devices.
Ellis is a senior vice president of Chubb & Son and worldwide manager, Chubb Multinational Solutions. Goldstein is vice president of Chubb Group of Insurance Cos.