Using a laptop without antivirus and malware protection is almost unthinkable these days. We know that cyber criminals are constantly getting smarter, more sophisticated and more brazen in their attacks, yet individuals and businesses alike seem more concerned with protecting laptops that are used only for a few hours a day, and often neglect to protect the smart phone that lives with them 24 hours a day.
The use of smart phones has increased significantly, and they are often adopted en masse by end-users for convenient email access as well as by managers and executives who need access to sensitive business resources from their device of choice. Smart phones and tablets have even become critical access tools for a wide variety of production applications, from Enterprise Resource Planning (ERP) to project management. For all of their convenience, however, the pervasive use of mobile devices in the workplace and beyond has brought a new set of security risks.
As reliance on these devices has grown exponentially, organisations have quickly recognised that smart phones and tablets need more security than just a simple screen protector and a passcode. Most smart device manufacturing companies have realised the importance of including protection against hacking, the strongest of which is still perceived to be Apple iOS. This is because an Apple device, by default, does not allow root access to anyone outside of the Apple Corporation. If an application is trusted by the system, then it can be trusted by the end-user. Apple’s innate security is not foolproof, and there are unfortunately ways of bypassing these security measures, albeit voluntarily. Devices that are “jailbroken” are susceptible to hacking, as the individual has chosen to expose their device by breaking open the operating system.
Android devices are the most obvious choice of target for mobile hackers, as Android is the smart phone market share leader by far and an operating system that was originally open source. It’s easy to gain root access on an Android device, and because there is no such thing as jailbreaking for an Android device, hackers have expended much time and effort on creating applications specifically to make it easier to gain control over the device. The re-emergence of the mobile banking Trojan known as Acecard highlights the growing risks associated with Android devices and the need for banks and mobile app developers to do more to protect users’ accounts.
The third-most popular platform is Microsoft Windows Mobile, and despite the fact that these devices make up such a small portion of the market, they’re still a viable target because they’re based on the Microsoft platform.
Why is mobile hacking a problem? In addition to containing a fair amount of personal and corporate information, most of these devices can connect to different business environments and systems, so they are the obvious choice of target. For an individual looking to hack a network, it’s much easier to hack a mobile device that has full access to that network than to hack the network itself. It’s now possible to hack certain devices simply by downloading a tool, targeting a device and taking it over.
Protecting mobile devices used in an organisation’s network
To secure the mobile workforce, IT security professionals and business executives need to look at the effect mobility has on the business risk profile. This requires examining the device, data, applications and transactions that will be utilised and performed while mobile as a whole, rather than examining them individually. Together, IT and business need to find a balance between usability and mitigating risk in creating a practical mobile security framework that will facilitate productivity gains and enhance employee satisfaction while limiting the exposure of business-critical information and assets.
The biggest challenge as far as mobile protection is concerned is to understand what a mobile device is required to do. From a corporate point of view, it is prudent to offer controlled and limited access from a mobile device – only what is absolutely necessary. The most common demands are email and business applications, so that access can be granted and controlled at a network level. If access is required to business-sensitive data or applications like the financial system, for example, it is now possible to offer biometric access control authentication, as most devices now offer a fingerprint reader.
To protect against physical threats, an organisation can make use of Mobile Data Management or Enterprise Mobility Management solutions to manage devices, enforce passcodes, remotely wipe them in case of a compromise and enforce a comprehensive set of BYOD, security and compliance policies.
By Simeon Tassev, Director and QSA at Galix Networking