As mobile devices gain speed, power and cloud services, and with millions of apps available for every age group, the mobile threat landscape continues to grow.
With more people using their devices for online shopping, managing finances, paying bills and playing online games, the threat is all around us. Some of the mobile threat vectors are malware, risky apps, device vulnerabilities, jailbroken and rooted devices and rogue Wi-Fi access points.
Mobile malware has increased dramatically in number, complexity and sophistication. Both Google Play and the Apple App Store have found hundreds of malicious apps and apps that raise privacy concerns, and pulled them. Google and Apple are both quick to remove malicious apps from their app stores, but it’s inevitable that some infected apps will still make it through the security screening process and all the way down to mobile devices. This requires a new way of thinking about protecting mobile devices and addressing growing security concerns as part of a cyber security defense strategy for the digital world.
There are tons of apps available that claim to be free (though nothing comes without a cost today) yet contain vulnerabilities and malicious code. They have access to personally identifiable information (PII), which is used for advertising and marketing purposes, and to device sensors such as the camera and microphone. These malicious apps can monitor and track activity, steal sensitive data and photos from mobile devices, make unauthorized calls, send SMS messages etc.
Technology like SilverPush, embedded in Android apps, is capable of listening to TV shows or advertisements in the background and collecting information without a user's knowledge when their phone is on or is being charged. There is a list of ad detector apps available on Google Play. While this is not a malware app, it’s a huge concern from the privacy perspective. The personal information collected from the device includes, but is not limited to, the IMEI number (the unique number that identifies your phone), OS version, location of the owner etc. If an application on a mobile device contains SilverPush, the best solution is to remove that application from the device.
As mobile becomes the predominant platform in the enterprise, mobile-specific vulnerabilities, malware and network attacks are expected to rise. The increase in mobile device compromises, vulnerabilities and malicious apps presents unique technological, legal and security challenges to IT and security professionals. The risk arises from the liabilities involved in granting access to sensitive personal or financial information, or in exposing confidential corporate data that could be breached. This requires enterprises to dramatically shift their way of thinking: to encourage and embrace the influx of mobile devices and, importantly, mobile apps into the workplace while meeting internal policies and regulatory security requirements.
Recent research shows that more than 50 percent of enterprises have at least one non-compliant device. These compromised devices could be a steppingstone for cybercriminals to compromise the enterprise security posture and expose sensitive and confidential enterprise, partner and customer data. The potential risks could result in lost client and customer confidence, an impact on brand value and/or going out of business.
Implementing an Enterprise Mobility Management (EMM) platform enables the identification of compromised devices and the sending of alerts, so that appropriate mitigation steps can be taken through automated workflows. This is important to the enterprise's digital cyber defense strategy. Android presents a higher risk than iOS because various vendors create their own customized builds and features, whereas iOS is closed to the outside world.
Enterprises that have not yet adopted an EMM solution need to understand the risk that mobile devices pose to the enterprise, and the true impact a compromised device may have on enterprise data. EMM can help enterprises enforce compliance policies, blacklist or whitelist apps, analyze apps for malicious behavior and automatically quarantine compromised devices found in the enterprise, so that the increased mobile device risk and threat landscape is managed strategically.
Enterprise mobile security needs to be applied from the start of device enrollment, with physical security controls such as minimum password length and complexity, screen lockout time etc. App security assessment and reputation rating, together with threat defense technologies, help provide protection from new threats that might be injected into the device while browsing sites or receiving emails.
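The compliance workflow described above can be sketched in a few lines of Python. This is an added example, not code from the article or from any EMM product; the policy thresholds, field names, package names and device records are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Hypothetical policy values; the article names the controls but not the thresholds.
POLICY = {
    "min_passcode_length": 6,
    "require_complex_passcode": True,
    "max_screen_lock_seconds": 300,
    "blacklisted_apps": {"com.example.adtracker"},  # constructed package name
}

@dataclass
class Device:
    device_id: str
    platform: str
    jailbroken_or_rooted: bool
    passcode_length: int
    passcode_complex: bool
    screen_lock_seconds: int
    installed_apps: set = field(default_factory=set)

def evaluate(device, policy=POLICY):
    """Return (action, violations); action is 'allow', 'alert' or 'quarantine'."""
    violations = []
    if device.jailbroken_or_rooted:
        violations.append("jailbroken_or_rooted")
    banned = device.installed_apps & policy["blacklisted_apps"]
    violations += [f"blacklisted_app:{a}" for a in sorted(banned)]
    if device.passcode_length < policy["min_passcode_length"]:
        violations.append("passcode_too_short")
    if policy["require_complex_passcode"] and not device.passcode_complex:
        violations.append("passcode_not_complex")
    # A lock time of 0 means "never lock", which is also non-compliant.
    if not 0 < device.screen_lock_seconds <= policy["max_screen_lock_seconds"]:
        violations.append("screen_lock_too_long")
    # Compromise indicators quarantine the device; configuration drift only alerts.
    if device.jailbroken_or_rooted or banned:
        return "quarantine", violations
    return ("alert" if violations else "allow"), violations

# Constructed inventory records, as an EMM agent might report them.
FLEET = [
    Device("d-001", "ios", False, 8, True, 120, {"com.example.mail"}),
    Device("d-002", "android", True, 8, True, 120),
    Device("d-003", "android", False, 4, False, 0, {"com.example.adtracker"}),
    Device("d-004", "ios", False, 4, True, 600),
]

if __name__ == "__main__":
    for d in FLEET:
        print(d.device_id, *evaluate(d))
```

Separating the quarantine triggers (rooted or jailbroken state, blacklisted apps) from settings that only raise an alert keeps the automated response proportionate to the risk each finding represents.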
This article is published as part of the IDG Contributor Network.