At the end of 2013, Gartner published the list of the top ten technologies and trends that will be strategic for most organizations in 2014. Gartner predicts that these trends will lead to the creation of a new economy driven by various types of cloud technologies; total mobilization, Internet, and web-scaled IT; and, most importantly, the smart machine era, the most disruptive in the history of IT.
One of the trends is mobile device diversity and management. Gartner’s experts believe that the Bring Your Own Device (BYOD) programs will result in the doubling or tripling of the mobile workforce. The use of personal devices for work purposes is unavoidable. Is this really a pressing problem?
It should be noted that there is no way back. The usage of mobile devices in daily work activities will only increase. It doesn’t really matter if the company officially adopts BYOD practices, develops a relevant program, or creates certain policies. Today’s generation of employees is mobile by default, and they will use their own mobile devices for personal and work-related purposes even if the company tells them not to do so. We should also keep in mind that banning personal mobile devices for work-related activities can reduce employees’ productivity.
In this regard, we can oversee a number of problems, such as the risk of device loss (or theft), the consequences of employees leaving the company, and the provision of security when transferring data or storing it in the cloud. At present, most companies have policies concerning accessing the corporate network using devices belonging to the company. Now, there is a vital need for well-defined policies that balance employees’ rights and interests and confidentiality and sensitive data-protection requirements.
According to statistical data, over 50% of companies have to deal with data loss and other security issues. Based on our hands-on experience, we identified the main threats to company information that arise when employees use mobile devices. Let’s take a closer look.
First of all, there is mobile malware—worms, viruses, Trojans, fishing, spyware, rootkits, botnets, etc. Speaking of malware, we should mention that the various platforms have different levels of susceptibility. According to analysts, the most vulnerable mobile operating system (based on the total amount of viruses) is Android, and the safest is iOS. However, it can only be applied to spyware and rootkits. Thus, in cases of fishing via web access, this would not be the case.
In general, the aim of all malware is to harvest personal data: passwords, credit card and bank account numbers, and other confidential information stored in cell phones. Smartphones are exposed to fishing much more often than desktop systems because of the lack of well-developed anti-fishing filters and reputation services for mobile browsers. Besides, mobile devices are very attractive to fishers because of the opportunity to use SMS and MMS channels to “catch” the victims.
Unauthorized access is another threat caused by the trend of using smartphones for both personal and work purposes. The risk of unauthorized access to sensitive corporate data multiplies with each data transfer, automated save to the cloud, employee resignation, and device loss/theft.
Theft and loss of devices happen more often than most people think. In fact, they happen so often that analysts identify these occurrences as a separate threat. One such incident can lead to enormous financial losses for a company.
Finally, there is the human factor. Even though almost all the threats mentioned above can be considered, to varying degrees, human factors, the greatest concern relates to the tendency for users to use the same password for different services. Considering that login credentials are usually stored on the device, there is no doubt it is a valid threat to the confidentiality of corporate data.
Of course, we have not covered all potential issues, but these are the most common, and they are challenges almost every IT security director has to deal with.
The Pareto principle states that, for many events, roughly 80% of the effects come from 20% of the causes. Rephrased, this means that 80% of threats come from 20% of problems. For mobile devices, the four main security issues (according to InformationWeek 2012 Mobile Security Survey, March 2012) that cause most threats are as follows:
- Lost/stolen device
- Malware
- Users forwarding corporate information to cloud-based storage services
- Connectivity security
It was also identified that more than 50% of the companies suffered a loss/theft of mobile devices containing sensitive corporate data in the last 12 months.