Criminals make a living exploiting common behavior, so it should come as no surprise that smartphones are a new favorite vector for hackers.
A significant percentage of companies are both aware of and extremely worried about the threat. Some 57 percent of businesses said they fear that their remote workers have been hacked and most are concerned that a growing mobile workforce means increased cyber security risk, according to a recent survey of 500 organizations in the U.K., U.S., Germany and France, conducted by Wi-Fi hotspot company iPass.
And it is not just Americans and Europeans who are being targeted. The survey found that users in rapidly developing nations in the Middle East and Asia are also being bombarded by mobile malware–for both political manipulation and criminal pursuits. The poll was conducted by iPass, a Silicon Valley mobile connectivity firm.
Those findings dovetail with the stunning results of another survey involving 850 companies polled by the Israeli firewall company Check Point Software, which found that 100 percent of the mobile devices used in business settings are exposed to malware and cyber-attacks in varying degrees.
So, if each and every smartphone out there is eminently hackable, how come we’re all not getting hacked? While the vast majority of those phones have not been hacked, that doesn’t mean hackers aren’t trying to get at them.
Are You Feeling Lucky?
Check Point researchers last year documented a case of hackers spreading infections via hundreds of Android applications. Just recently, Check Point sleuths shared details about the activities of a hacking group that successfully infected nearly five million Android devices with a nasty piece of code–dubbed RottenSys–designed to carry out click fraud campaigns.
Unfortunately, most companies aren’t taking this mobile menace as seriously as they should, and that’s irresponsible at best–negligent at worst. Failure to comprehend the true nature of this omnipresent exposure is the same thing as security inertia–and it’s dangerous. The result, says iPass CTO Blaz Vavpetic, is that companies are “vulnerable to a number of different threats ranging from passive data collection on open Wi-Fi networks to malware attacks originating from untrusted sources, including websites, e-mail attachments and Wi-Fi hotspots.”
JT Keating, vice president of product strategy at Zimperium, a supplier of mobile device security systems, agrees. He says companies fall into three major categories when it comes to dealing with mobile device exposures.
Observes Keating: “Some take the ‘see-no-evil’ approach; if the threats aren’t obvious, they must not exist. Then there are what I call the explorers, who’ve taken some first steps to secure mobile devices, but haven’t fully committed to protection. They might ban the use of free Wi-Fi, or take more pragmatic measures, such as utilizing a mobile device management solution. And then you have the protectors who recognize that they need all of the proactive threat detection on mobile devices that you have on traditional endpoints.”
The Wi-Fi “Blind” Spot
All those convenient hotspots out there are so many blind spots. The threat is as widespread as the availability of free Wi-Fi, and banning employee use of public Wi-Fi hotspots doesn’t solve the problem.
Overall, 81 percent of the organizations iPass polled reported Wi-Fi-related mobile security incidents in the last year, with most occurring in cafes, followed by airports and then hotels. Companies appear to be addressing this by banning employee use of free Wi-Fi hotspots. Some 27 percent of respondents said they ban their use outright, while 40 percent ban their use sometimes. Meanwhile, some 16 percent said they plan to implement a public Wi-Fi hotspot ban in the near future.
Sounds good, right? It’s not.
The problem is twofold. First, employees don’t always follow rules, and if they are required to pay for Wi-Fi access, another layer of assured non-compliance is added. Second, most employers don’t really want to cut off productivity gains associated with remote workers working to complete company business whenever and wherever they can.
“Users will continue to connect to Wi-Fi networks, regardless of any mandate, and especially when they are paying for their own data plan,” Keating says.
Vavpetic adds that wireless connectivity has actually become essential to employee productivity. “Wi-Fi is widely available and is a cost-effective means to keep mobile workers productive both at home and abroad,” Vavpetic says. “Rather than closing down Wi-Fi access at cafes, airports and hotels, companies ought to develop an appropriate data and identity security strategy, one that doesn’t drive workers to use less productive methods of handling corporate data.”
You need to embrace mobile device security as a full and natural extension of overall network security. Layered device protections, recurring employee training and senior management buy-in are the basic ingredients.
Budgets must be allocated, inconveniences borne and a cyber hygiene mind-set nurtured. Procrastinators be forewarned: You will become believers, once hackers attack.