Despite 25 years of developing new security and cyber-defences, enterprises are still struggling to work out how they can protect their data from being lost. With the speed of technology evolution, new vulnerabilities are occurring at an alarming rate.
In the past 25 years, the highest number of recorded breaches was in 2014. That said, 2015 only missed the same level by two breaches. This is due to a significant shift that has taken place in the attack vectors.
While the traditional desktop PC is still a target, there has been quite a marked shift in attacks to target mobile devices. This simply reflects the increasing ubiquity of mobile devices in the enterprise.
More valuable data moving to mobile
iOS, Android and Windows mobile devices are all about apps. Enterprises are increasingly deploying mission-critical apps and data to the mobile endpoint. As this occurs, organisations can become at risk across three key vectors:
1. Network - Mobile devices connect to the fastest network available, regardless of whether it is trusted. This can leave the device vulnerable to man-in-the-middle attacks. In this scenario, a compromised network intercepts traffic from the mobile device and reroutes it so the attacker can read the information and use it for their own purposes.
2. Apps, particularly for cloud services - Allowing a service like Salesforce to enable connections from mobile devices can be a tremendous productivity gain. However, many applications are designed to access the Salesforce service, not just the apps you approve. Some of these can store massive amounts of customer records locally to the mobile device – and if this data is not stored in a manner that is under the enterprise's control, your organisation can potentially be in breach of the forthcoming EU General Data Protection Regulation (GDPR).
3. Malware - Most mobile malware to date has focused on making money for hackers through rerouting ads or making paid phone calls, though some has attempted to steal data from mobile devices. The rise of potentially lucrative enterprise data landing on smartphones means that data-oriented attacks will increase and attackers will take greater steps toward trying to compromise mobile devices.
IOS is no longer invulnerable
Many enterprises chose to base their mobile strategy on iOS as it was previously considered secure and relatively invulnerable to attack, if the device wasn't jailbroken. Recent attacks have brought this viewpoint into question. Last year, there were 375 recorded iOS vulnerabilities and we're probably all familiar with the increasing number of iOS malware variants such as YiSpecter, KeyRaider, and XcodeGhost.
Our research also revealed one in 10 enterprises has at least one compromised device. Over a three-month period, an upward trend has also been detected in the number of enterprises with compromised devices increasing 42 percent.
Protection is straightforward – with the right tools
While enterprise mobile security may appear complex on the surface, there are several straightforward steps that can be taken to protect against breaches and shut down vulnerabilities. Enterprises need to be diligent about the latest risks and ensure that user behaviour mirrors good security policies.
Users need to keep the operating system on their mobile device up-to-date to ensure that the latest security issues are addressed. They should be discouraged from compromising the operating system through jailbreaking – while this might seem to unlock new functionality, it can potentially lead to severe risks from the perspective of data protection. Devices that violate either policy should be quarantined to prevent access from corporate data.
It's critical to ensure that the organisation uses strategies such as application gateways, per-application VPNs, and certificate pinning to establish session trust for network connections. With session trust, even if the device does connect to a compromised network, the organisation's data remains safe because enterprise data doesn't traverse the compromised network.
When enabling application services, enterprises should move away from blacklisting. It is more effective to simply whitelist the apps that the organisation has approved to access corporate data and then ensure that only allowed apps on compliant devices can access on-premise or cloud-based services. If you're going to allow for service data to be synced to the mobile device, ensure the data-at-rest is protected using tools like encrypted and the apps are managed, so you can remove the data. This will help ensure compliance to emerging directives like GDPR.
There is no silver bullet in providing security for mobile. Enterprises need to take a layered approach from communicating the right behaviours, enforcing policy through EMM, to instituting security in network sessions to manage the flow of data in and out from mobile devices.
Contributed by Sean Ginevan, senior director of strategy, MobileIron