Android and iOS operating systems have drawn increasing interest from hackers and malware developers in recent months.
Cyber security experts expect the trend to continue amid the rising usage of mobile devices that rely on these systems. Saboteurs have typically focused much of their effort on market-dominating Windows-based programs. Apple products did not have enough market share to be targeted.
“Cyber criminals will go for the most popular OS (operating system) first,” says Michela Menting, cyber security senior analyst with ABI Research.
With market share comes unwanted attention
The mobile world is consolidating around Android and Apple’s iOS systems. According to International Data Corporation (IDC), during the second quarter of 2013, Android held about 79 percent of the worldwide market for smartphone operating systems and iOS had 13 percent; the rest of the contenders had to fight over the sliver remaining.
At the same time, more employees are connecting to their corporate networks via mobile devices. When network equipment maker Cisco recently spoke with IT decision makers in eight countries, it found that 60 percent of knowledge workers use a mobile device for work purposes.
Menting and other cyber security experts say that companies are still learning mobile devices’ vulnerabilities. Criminals can use these “devices as entry points to a network or to siphon data from the device or from the connected network,” says Rebecca Herold, an information privacy, security and compliance consultant, author and instructor.
Hackers bypass old security measures
Menting says that many companies learned from the PC era and fortified their fixed workstations and networks. She says: “There are layers of security: physical access to the premises, digital access and authorization (password/login), AV and spam filtering, firewalls on the servers, intrusion protection.”
Mobile devices can bypass these measures, Menting says. “It becomes difficult for IT to set policies and restrictions on personal devices,” she says.
Herold says that few mobile applications (apps) are designed with security in mind. Even some legitimate apps are intended to gain ongoing information from the user, including his or her location.
Cybercriminals already recognize this, Menting adds. They’ve begun disguising malicious applications as legitimate ones, and using them to gain access to organizations’ networks. “In the end, the easiest way in is always social engineering. People are ultimately the weakest link.”
Common sense ways to reduce risk
Herold says that to reduce the risk that an employee using a mobile device inadvertently opens the corporate network to criminals, IT can limit the types of devices and applications it will support. This offers security without compromising the flexibility generated by mobile devices. She says that few IT organizations have the resources needed to support every device and app available.
An organization also can require devices that connect to the network to contain certain security tools, such as encryption capabilities and firewall protection, Herold adds. Once a policy is in place, IT can employ different tools that will scan the network to check that employees are complying with it.
Ongoing education is critical as well, Menting says. The training needs to be continuous and relevant, as cybercriminals will change tactics quickly if they find that one approach doesn’t work, she adds.
Equally important is developing timely, effective responses should a breach occur. This may include remotely locking and wiping data, ensuring proper backup, and establishing recovery capabilities. “Companies need to reconcile themselves with the idea that a cyber intrusion will eventually happen,” Menting says. So the question becomes, “How can they limit the damage and respond quickly?”
One step that probably won’t make sense: switching to a less popular mobile operating system in an effort to avoid attention from cybercriminals. “It’s a little shortsighted,” Herold says, noting that the popularity of different systems and devices can change over time. “It’s better to have a long-term risk management plan.”
This will become even more critical as companies connect more devices, such as machines on their plant floors, to their networks, Menting notes.