Beware the mobile threat

Life was much simpler in the days of flip phones and Wi-Fi-free coffee shops. Back then the biggest worries were scams involving people using a mobile device to surreptitiously make international phone calls or using unfamiliar computers to send important information.

As technology has changed, however, so too have the threats. Now a lost smartphone can result in a major network compromise, and laptops left in taxis or dropped thumb drives can trigger data-breach notification requirements — assuming, of course, that the IT department knows whether devices carried by employees are connected to the agency’s network or contain sensitive or classified information.

And the problem is only getting worse. Trend Micro’s 2013 second-quarter Security Roundup report identified a dramatic increase in the amount of malware aimed at mobile devices that use the Android operating system. The report shows that the number of malicious and high-risk Android applications had grown to 718,000 in the second quarter of 2013, up from 509,000 in the previous quarter. Trend Micro expects the total number of malicious applications to exceed 1 million by year’s end.

McAfee, in contrast, identified a much smaller but still eye-popping number of mobile malware threats. For the first quarter of 2013, it identified 50,926 pieces of mobile malware. In contrast, for all of 2011, the company gathered only 792 samples. Most of the mobile malware was aimed at Android devices. (McAfee’s malware figures were lower due to the different way it categorized mobile malware.)

The types of threats are evolving as well. Kaspersky Lab recently identified mobile malware that is designed to leap to desktop devices.

And the threats don’t just come from mobile malware. Security researchers recently identified malware installed in USB ports that issues malicious commands to mobile devices plugged in for recharging. And then there are the concerns about connecting to unsecured public Wi-Fi signals, which can easily be monitored for valuable information.

This list of threats is far from complete or static. But it illustrates that mobile devices pose a serious cybersecurity threat to IT enterprises, and as other devices are locked down, attacks involving mobile malware will only increase. All of this is compounded by the “bring your own device” revolution, which has given employees access to company or agency networks via their personal devices.

Admitting that we have a security problem is the first step to mitigation. By recognizing the threats posed by mobile devices, administrators can now turn to security measures. Obviously, every agency is going to need a specialized approach, but some basic security steps would include:

• Develop and implement a specific BYOD policy to manage personal devices connected to the agency’s networks.
• Lock down agency-issued laptops and other mobile devices so that only certain programs can be downloaded and only specific information (if any) can be removed from the device.
• Institute policies regarding connecting to networks when traveling.
• Enforce strict policies regarding the carrying or use of mobile devices when traveling overseas, especially in areas where thefts of mobile devices or deliberate breaches are commonplace.
• Inventory mobile devices regularly; knowing which devices should be connected to a network will help administrators manage the security process.

Mobile devices must be treated with the same responsibility and security measures as any other electronic device. Although they can dramatically increase efficiency and even employee satisfaction, they are yet another threat vector to worry about. Failure to do so could lead to unwanted results.