When mobile phones were simple devices incapable of storing large amounts of data and tablets hadn’t yet evolved into the powerful machines we know today, there wasn’t much interest in hacking them. But as mobile devices evolved and people, employees included, began storing more and more data on them, they became much more enticing to cybercriminals.
Bring-your-own-device (BYOD) programs added to the interest. Companies that allow employees to use their own mobile devices at work may improve employee satisfaction, but such programs can also give hackers new methods of infiltrating a company’s perimeter. Even companies that don’t actively promote BYOD can get into trouble. Employees are increasingly using mobile phones to access or share company data without considering the consequences.
A growing problem
Experts predict the number of attacks on mobile applications and operating systems will continue to increase.
Earlier this month, a security gap made it possible for hackers to attack Android phones simply by sending a text message. Zimperium estimated that 95% of Android users across the globe are subject to the vulnerability, dubbed "Stagefright."
“The mobile phone industry is certainly being attacked more heavily now in the U.S. environment,” Greg Kesner, the former head of the FBI’s data intercept program who now works at security consultancy Larson Security, told The Wall Street Journal. “It’s probably now more useful to get onto somebody’s mobile phone than their laptop.”
Protecting mobile data
Data is difficult enough to secure in-house. How can CIOs help protect company data once it moves beyond company walls?
At a minimum, mobile security experts say, CIOs should ensure that any employees who use mobile devices to access the Internet install anti-malware software and keep it updated. According to CYREN’s Security Report for 2013, Google’s Android operating system averaged 5,768 malware attacks daily over a six-month period. Meanwhile, according to a Symantec report, the number of documented vulnerabilities for Apple’s iOS on iPhones and iPads increased 82% during the same year. Given the proliferation of malware, CIOs must insist this basic protection is in place.
Because wireless communications are easy to intercept, mobile device communications should also be encrypted. CIOs should insist that if employees want to use their own mobile devices to access or store any business information, the mobile device must be configured for both user identification and strong authentication.
CIOs should also ensure employees use virtual private networking (VPN) to access the corporate network. VPNs allow for logging, management and strong authentication of users who want to use a mobile device to access company systems.
Finally, companies should establish policies to limit or block the use of third-party software. Unknown or unapproved software can easily include backdoors designed by hackers looking to pilfer company data.
Overall, awareness is key. CIOs should ensure all employees know the dangers of accessing and sharing company data via mobile devices. They should also convey that this is a growing area of risk, with new methods of infiltrating mobile devices being created every day. Finally, CIOs should work with HR to determine how to handle instances where employees break the rules.