95% of companies challenged by BYOD security
Around 95 percent of IT and security professionals are struggling with the security threat presented by BYOD (bring your own device) - and more than 80 percent expect the number of mobile security incidents their company suffers to grow in 2015.
These findings are from Check Point's ‘Impact of Mobile Devices on Information Security’ report, based on the views of more than 700 IT professionals in the US, UK, Australia, Canada and Germany.
The survey says professionals' biggest fear is the insider threat, with 87 percent of respondents believing careless employees are their main problem.
The cost of mobile security incidents is also rising: 42 percent of those surveyed said mobile security incidents cost their company more than £150,000.
And Android is still seen as presenting the greatest security risks. It was seen as the riskiest platform by 64 percent this year, up from 49 percent in 2013.
Yet personal devices continue to proliferate on corporate networks, with 91 percent of IT professionals reporting an increase in the number of mobiles over the past two years.
Check Point product vice president, Dorit Dor, commented: “Through our survey it is clear that IT professionals are not seeing an end to mobile security threats, and in fact are preparing for an increase of these incidents in 2015.”
Meanwhile, a free app that potentially enables CISOs to assess the risk presented by individual Android devices has been released by US-based Bluebox.
The Trustable app scans any Android phone or tablet and gives it a security score out of 10, depending on the number of known system vulnerabilities on the device, any insecure configurations caused by the vendor or user, and the number of pre-installed, third-party apps or ‘bloatware’ on it.
Bluebox said there are currently nearly 7,000 different Android devices available, and the app could help companies choose between them.
The app has some similarities to KnockKnock, a free open-source Apple Mac tool released in June by consultancy Synack and updated this month. KnockKnock helps users and security pros detect malware present on Apple OS X systems, by displaying all persistent items that automatically execute when the device boots up.
Analysing the usefulness to security professionals of such free and open-source tools, Graeme Batsman, security director of EncSec, said that both offerings are potentially useful.
He told SCMagazineUK.com via email: “Android, compared to iOS, BlackBerry and Windows Phone, is drastically worse for security, mainly since it receives tens of times more malware directed at it than the others.”
And in terms of KnockKnock, he said: “Most users think Apple Macs are bullet-proof but slowly we are seeing mass malware and targeted malware attempts in the wild.”
In light of this, Batsman said that “any app is welcome that reviews flaws and shows active problems”. But he said the problem with both tools “will be rolling them out and getting reports. If both vendors offer this then it could work.”
Independent cyber security expert Rob Miller, a security consultant with MWR InfoSecurity, told SCMagazineUK.com: “If companies are choosing between several Android devices, Trustable might give a way of quickly getting a level of how secure each of those devices are. It gives a fairly high-level view of any security issues – the known vulnerabilities and how many applications have dangerous-level permissions.
“But to actually know whether those apps are malicious or whether they're vulnerable or being exploited, for a security professional you would need several other tools to try and work that out. The bigger problem going forward is how you're going to manage the devices, how to configure them, the rules you have around these devices.
“It's only the first step in getting devices secure, especially in terms of using them for business use.”
Concerning Android-based BYOD generally, Graeme Batsman said: “If money was no object, then avoid Android due to privacy and security concerns. iOS and others have a tiny percentage of malware, if at all. Device encryption, remote wipe, backup, anti-virus and MDM can all help.”