The numbers have it: When 2011 ended there were over 50 million iPads in circulation and another 10 million Android tablets. Add in iPhones and Android smartphones and, suddenly, there are many many millions of highly intelligent mobile devices seeking connection to enterprise networks.
That is why “The” security question of 2012 may be: How big is the risk to enterprise from today’s mobile devices? Security vendors are shrill in their warnings. Listen to them and it is easy to believe that enterprise is already overrun with mobile threats.
The truth, however (as usual), turns out to be different. But the truth also packs huge worries of its own.
A first fact: mobile malware just is not much of a threat to enterprise today, admitted Bob Walder, a lead researcher at NSS Labs, an independent security research and testing firm.
The mobile malware threat is still nascent, which means it is tiny, said NSS’s CEO Rick Moy. Not that much of it has shown up on enterprise networks and what has is, for the most part, ignorable. That’s because the vast majority of mobile malware out there is penny-ante — calls to premium phone numbers, for instance. To a consumer, this can be a mind-numbing annoyance. To enterprise IT, by contrast, it is more like a fly on an elephant.
While the numbers are expected to mushroom — particularly aimed at Android devices, which have emerged as the target – no one expects a near term shift in mobile malware architecture. But before there is too much jubilation, there are real worries nibbling around the edges of the networks.
Probably the biggest, said Silver Tail Systems fraud analyst Jesse McKenna, is that many mobile devices contain vast amounts of sensitive personal information, which, if it falls into the wrong hands, can lead to compromise of the network. McKenna said he knows of cases where criminals infected smartphones with malware that redirected employee log-in credentials back to the criminals who then used those credentials to pilfer sensitive data off the network.
Are there a lot of such cases? Absolutely not. Could there more? That is a worrisome question and there is no easy answer. But, knowing how these things have gone in the past, the answer is probably.
Bit9 CTO Harry Sverdlove also focuses information as the chief vulnerability. What, he asked, would happen if clever malware harvested an address book and what could happen if that malware sent an email that appeared to be from the phone’s owner?
“The mobile threat vector is not well understood by IT security professionals,” said Sverdlove. “They concentrate on protecting the network perimeters but, nowadays, the perimeters have been obliterated.”
That is why core advice from security researchers is to develop policies for detecting malware activity on the network now; hopefully, many months before real activity shows up. That way you’ll be ready to fight back.
In the meantime, however, experts quickly pointed to what already is a major enterprise network vulnerability from mobile that, again, leapfrogs the data in email attachments, cloud-based file storehouses, and elsewhere. What this represents is a wholesale shift of sensitive IP outside the company and into points unknown. That, said the experts, is a worrisome thing.
“The biggest threat today is data exfiltration,” said Sverdlove. What he is highlighting is unauthorized movement of sensitive data off the network.
NSS’s Walder elaborated: “This has become a real problem and the employees who do it don’t mean harm. They are doing it so they can do their jobs better.” That may be true but when business secrets are transferred to a phone and the phone is lost or stolen very bad things can happen.
But can malware be written precisely to attempt to harvest that data, you ask? Security experts agree this looms as a real threat. For now, however, the bigger threat is employee loss of mobile devices with clever criminals sometimes recognizing the real value is not the phone hardware, but the IP. Either way, mobile devices have emerged as a weak link in the corporate security food chain.
“Corporations really need to find ways to regain control over those files,” said Walder. The surest route to this end is substantial employee education. The result may not be fewer file transfers but education may lead to more use of encryption, for example, that can help reduce the damages inflicted by hardware loss.
Added Sverdlove: “Security professionals need to take fresh skeptical looks at mobile devices and ask the question: What is the real threat to the enterprise?”
As a busy freelance writer for more than 30 years, Rob McGarvey has written over 1500 articles for many of the nation’s leading publications — from Reader’s Digest to Playboy and from the NY Times to Harvard Business Review. McGarvey covers CEOs, business, high tech, human resources, real estate, and the energy sector. A particular specialty is advertorial sections for many top outlets including the New York Times, Crain’s New York, and Fortune Magazine.