Shining the spotlight on mobile risks and opportunities
Today, I want to share a treasure trove of information and perspectives on mobile security from SC magazine. They released an edition of their “Spotlight” series on the topic of mobile security. You can download a copy here.
The Spotlight includes several articles that you might find of interest, sprinkled with interesting factoids and observations. These include:
- 63% of the mobile devices on the average network are used for personal purposes
- 40% of organizations have had mobile devices lost or stolen, and about half of those had critical data stored on them
- 71% of respondents said that allowing employees to use the smartphones of their choice detracted from their productivity
- The level of mobile malware grew 250% in 2010
- The greatest malware risk is considered to be the availability of apps from app stores
- The average user has 22 downloaded apps on their device
- Mobile devices are susceptible to Wi-Fi sniffing, where hackers can intercept wireless communications
- The president of the SANS Institute predicts that as mobile payment use increases, criminal gangs will target our mobile devices
- “We’ve got to embrace mobile technologies and smart devices and support them, whether we really want to or not, because that’s the way of the world right now” (Director of Strategic Security)
- If you are going to allow mobile devices to access the network, you have to deploy both policies and software to protect the device and the network. (See this ZDNet post on the top vendors, and this page for details on #1)
- 85% of smartphone users do not use an anti-virus solution on them
- “We believe mobile devices are the future of our business. We see huge opportunities for mobile devices to transform how our salespeople interact with our merchants and streamline the onboarding process. We’re currently working on empowering our sales force with a mobile platform to modernize customer relationship management. Through this platform, our sales force will be able to better prospect for new clients and manage their appointments. It will also help automate the merchant onboarding process, potentially decreasing time from days to minutes. Mobile platforms will ultimately allow us to move from the antiquated days of paper to quick, slick and modern systems. To us, mobile devices serve as a game changer.” (CTO for Heartland Payment Systems)
- “We treat smartphones the same way we do other devices on the network: setting standards for use and configuration, then checking compliance. It is necessary to be able to: 1) monitor the integrity of mobile devices to ensure they start and stay in a known trusted state, 2) enforce the use of access control systems when working with any company data or network resources and 3) encrypt the device to protect data in the event the smartphone is lost. Standard defense-in-depth security concepts should apply to smartphones just as they do to fixed network devices. Unfortunately, most smartphones don’t have enterprise-grade security, so almost all security functionality has to be added on.”
- “With the use of public Wi-Fi, consumer ignorance of security and the increasing creativity of attackers, the mobile payment threat landscape will be a high risk.”
- “Security depends on the type of business, the size of the organization and the nature of data the organization needs to protect. With that said, my overall recommendation for any mobile use would be to keep devices password protected and encrypted. Test new devices as much as possible to find bugs and any system incompatibilities before using them across the organization. As a best practice, tell users not to use public Wi-Fi access to transmit sensitive information. Train employees about security. Have good policies in place.”
- 35% of Android and iPhone users in the US use apps on their smartphone before they get out of bed.
I have to tell you that I see a threat that is rarely, if ever, discussed: apps that simply don’t work properly because of defects in the development, testing, security (over the code), or change management processes. Change management is recognized as a major source of problems when it comes to on-premise, laptop, or on-demand applications. But as more and more applications are moving to mobile devices, why is nobody talking about the integrity of mobile apps?
Think of these scenarios:
- The doctor uses an iPad to retrieve the medical record of a patient (see this video). What if a defect in the software presented another patient’s information?
- The pilot on your flight uses an iPad to understand how he should respond to a warning light on the console (see this news article). However, a defect in the upload of the manual means that section is missing.
- The sales force processes sales orders using mobile apps (see here), but a bug causes the loss of half the orders.
- Do you understand the risks to your organization relating to mobile device use and security?
- Are they assessed as part of your enterprise-wide risk management program, and not just managed within IT?
- Are you avoiding the use of mobile devices in your business processes because of the risks – and as a result running the possibly greater risk of falling behind your competition?