The rapid rise of mobile computing in the past few years has created major challenges for enterprises, many of which have not yet grasped the scale or scope of security threats that mobility has opened up.
Many potential problems stem from staff using their smartphones, tablets and laptops for work, a trend commonly known as bring-your-own-device or just BYOD. Whether users are storing work contacts or information on their smartphone, or have access to company servers from their tablets, the potential for security breaches is huge.
Nicolai Solling, director of technology services at Help AG, says that with mobile trojans now reaching levels of sophistication comparable to Windows-based malware, the threat to data stored on mobile devices is now of great concern to both enterprises and consumers.
“A number of vital financial and revenue generating services are now made available via mobile applications so having malware on the device which the user is not aware of can lead to the siphoning off of critical personal or corporate data,” he says.
Aside from the threat of malware compromising devices, companies and individuals should also consider the far more basic problem of potentially losing a device. “If we look at the issue of threat from a historical perspective we are faced with the same issues as when the PC became mobile in the form of the laptop computer – we can simply carry data around on the device, and if we lose that device we lose the data,” Solling says.
The scale of the challenge is also growing. Smartphone penetration rose to 59% among US mobile subscribers during the 3-month period ending in May, according to the latest MobiLens data from comScore. In the Middle East, Saudi Arabia and the UAE have the highest rates of smartphone penetration at 63% and 61% respectively, according to data quoted by Ipsos during the recent Arabnet conference.
Given the scale of smartphone adoption, the devices are viewed as one of the main potential security threats for enterprises, and this applies to each of the main operating systems, although more popular platforms are likely to be greater targets, according to Solling. “Historically, there is one unwritten rule in malware, and that is that when an operating system has reached 10% market penetration you will start seeing virus and malware being written for them. Smartphones and mobile devices are no different. The two big players in the market, Android and Apple’s iOS are under a constant battle to keep up with these things,” he says.
This issue was also highlighted by a recent report from security firm Trend Micro, which focused on potential weaknesses in Google’s Android operating system, which is the most widely used smartphone OS, accounting for about 80% of the smartphone market, according to figures from IDC.
Smartphone weakness
Android vulnerabilities, increased online banking threats and availability of sophisticated, inexpensive malware toolkits are among the growing concerns cited in Trend Micro’s Q2 2013 Security Roundup Report.
The report, a quarterly analysis by Trend Micro’s Threat Analysis Team, indicates that Android devices are directly in the crosshairs of hackers as threats proliferate and the user-base of the Google-owned mobile platform expands with little thought given to security. It shows the number of malicious and high-risk Android apps has grown to 718,000 in the second quarter – a massive increase from the 509,000 high-risk apps in the previous quarter.
These malicious apps are on track to exceed 1 million by year’s end, as predicted by Trend Micro in the 2013 forecast. By way of comparison, it took a decade for PC malware to amass this number.
According to Linda Barrabee, research director, Connected Intelligence at The NPD Group, only 30% of all Android smartphones and tablets in the US have any type of security app installed today.
This fact, Trend Micro warns, combined with the Android network’s systemic problems, leaves a large number of Android devices exposed to a risk that will continue to spread.
“Due to the fractured nature of the Android network, it is very difficult for patches to reach all users in an effective timeframe,” says JD Sherry, vice president, technology and solutions, Trend Micro.
“In some cases, users will never get patches as vendors leave their customers at risk of attack. Until we have the same urgency to protect mobile devices as we have for protecting PCs, this very real threat will continue to grow rapidly,” he says. “At the rate this malware is accelerating – almost exponentially – we appear to be reaching a critical mass. To fight this, Android users need to take great care when using their devices and take the simple, but effective, step of adding security software to all mobile devices.”
Furthermore, while the Middle East generally matches the global trend in terms of mobile security, the region does have a few differentiating factors, according to James Lyne, director of technology strategy, Sophos.
“There are a few areas where the Middle East has greater challenges. The Middle East can be a substantial target for political or monetary reasons,” he says. “Consumerised smartphone adoption is relatively high in the Middle East, with employees using their own devices commonly. This can be a challenge, as it makes it hard for IT security staff at businesses to ensure the devices are protected, potentially leaving users more exposed than elsewhere.
“We’ve often seen implementations where mobiles and even computers aren’t explicitly managed and end users are trusted to get it right without an appropriate investment in security awareness. Make sure you don’t fall foul of this situation – whether you are a consumer or a small business,” Lyne warns.
Operator’s perspective
There is also much that telecom operators can do to help improve mobile security. Wolfgang Wemhoff, chief technology officer at Nawras, an operator in Oman, says that there are two major areas of concern: mobile application and mobile application hosting infrastructure. “From the mobile application side, we have to ensure that we send our customers as many awareness messages as possible to advise them not to install uncertified, unsigned applications due to the fact that it might lead to information leakage or even device damage. With regards to mobile application hosting infrastructure, hosting entities must ensure that they close all the security loopholes and assess all vulnerabilities especially with new solutions to avoid penetration of internal networks and databases.”
Interestingly, the issue of mobile security also presents an opportunity to operators, who can consider offering managed security as a service, for example. Furthermore, operators, with their existing customer relationships, are often ideally placed to offer these types of services, according to Jatin Sahni, vice president, large enterprise and business solutions marketing, at UAE telco Du.
“Telecom operators already have an established relationship with customers by providing data and voice connectivity and devices in most cases,” he says.
Forward-thinking telecom operators are best suited to secure their customers’ mobile data and equipment from mishandling, abuse or theft, by offering traditional and cloud-based managed security services.
“As a managed security services provider (MSSP), a telecom operator can offer a wide variety of security services such as in-house or cloud-based mobile device security management, mobile application security management, clean private application stores, and so forth, in order, for instance, to enable enterprises to realise the full potential of IT consumerisation and BYOD,” he adds.
Nawras’ Wemhoff agrees: “Telecom operators have extensive knowledge about the challenges in this area and are prepared to tackle them,” he says.
“This includes a safe and robust infrastructure, as well as processes which ensure around the clock monitoring. It also presents the opportunity to educate customers as well as provide secure gateways or even telco based stores that contain only secure applications with a small fee for the assurance part which would be a revenue generating opportunity,” he adds.
Partnership model
Many experts in the field believe that the best way for operators to offer security services successfully is through partnerships, and this is certainly the experience of Nawras. “We have a long history in working with specialised partners,” Wemhoff says.
“This helped us in the past and will help us in the future to have the most insightful expertise at hand. Partnerships are a must. With the wider scope of applications and global presence, telcos need to leverage the expertise of a security specialist partner with deeper knowledge in this subject.
“Since the beginning Nawras has engaged with competent employees and partners to be prepared for any kind of challenge in this domain,” he adds. “We have continuously expanded our knowledge and have clearly assigned responsibilities for making sure that our customer data is in safe hands. This expertise has also been certified by qualified, independent entities. Besides this we are informing customers about what they could do to use our services more safely.”
Du’s Jatin Sahni adds that operators are “by design powerful implementers of both mobile and information security concepts and technologies”.
Their vast experience in the delivery of secure mobile services, as well as their large customer base, makes them an attractive partner for pure play security providers, he says. “It is clearly a matter of understanding how the enterprise IT and the IT security market as a whole are evolving, by steering away from the traditional and cost ineffective in-house operations models which most of the times are sponsored by the enterprise, to a more personalised, business friendly and versatile secure mobile operations paradigm,” Sahni says.
Enterprise security
James Lyne, director of technology strategy, Sophos, says that from an enterprise’s perspective, the first step towards mitigating mobile security breaches should be to introduce a mobile device management solution to manage and control which devices have access to the network. “This should allow the enforcement of security policies and ensure devices which are not compliant no longer have access to the network,” he says. “The solution should also offer the possibility to deploy a security solution to protect Android devices from malicious apps and other threats and ensure the protection remains installed. A further step would be to prioritise Wi-Fi bandwidth for business applications. And the third would be the ongoing process of educating users.”