At the present time, the security controls of mobile devices are lacking. Experts warn that mobile malware (such as viruses, worms, Trojans, and other malicious software planted into compromised mobile apps) is growing very fast. BullGuard identified over 2,500 different types of mobile malware (Mobithinking, 2012).
The technology for securing mobile devices is not keeping up with the rate of growth and adoption. Currently, fewer than 1 in 20 smartphones and tablets have third-party security software installed, despite a steady increase in threats (Juniper Research, 2011). Also, many CEOs are not aware of all the various security threats that mobile devices pose.
Below are some of the significant threats that companies face when incorporating mobile devices (Deloitte, 2012):
• Mobile device attack surface is narrow but deep. Although the attack surface is small, it can go deep in terms of the variety of services available on mobile devices, such as applications, messaging, browser-based attacks, phishing, and location services.
• Mobile malware. Viruses, Trojans, spyware and other malware targeting mobile devices are on the rise, and can access device data, functionality and users’ habits, locations, and other sensitive information.
• Application and data proliferation. Users can install applications that are insecure, relying on vendor application stores’ validation processes, which might be limited. Some applications have certain “privacy” settings under which data is transmitted to a third party without users being aware of it. In addition, a greater risk comes from “jailbroken” devices, on which users can install all kinds of applications without validating their sources or security.
• Device and data loss. Due to their size and mobile nature, the devices are more likely to get stolen or lost, putting their data at an increased risk of being compromised. Mobile data might contain sensitive information, corporate data, or data that can lead to accessing other data stored elsewhere.
• Device and data ownership. As employees use their own devices for business purposes, or corporate devices for personal activities, the line grows thinner as to data ownership, privacy and liability issues.
• Network communication channels. Data transmission over Wi-Fi, Bluetooth, or GSM can be exploited by hackers to gain access to sensitive data transmitted between mobile devices and servers.
• Immature security solutions. Because of the different mobile operating systems and different mobile carriers, it is more difficult to implement universal security solutions for mobile devices.
• Less IT control. More control is in the hands of business executives and even end users as to what platforms, applications and/or devices to implement, while IT’s role is to secure those devices.
• Exercising tight control has its downside. When implementing security solutions, IT teams should strike a balance between security and usability. Controls that are too tight can result in a lack of efficiency or even a lack of adoption of the controls altogether.
• Lack of a formal strategy. There should be a formal strategy and security policy to deal specifically with rapidly evolving mobile security threats, and constantly changing technologies.
• Limited awareness of the magnitude and intricacy of mobile threats. Today’s mobile devices are Internet-tethered and are thus susceptible to being exploited by cyber-criminals from anywhere on the Internet. Awareness is the first step towards creating a formal security plan to prevent or mitigate such threats (US-CERT, 2010).
Deloitte. Top 10 Mobile Threats. (2012)
Juniper Research. Press Release: Mobile Security Software Revenues to Increase Six Fold to $3.7bn by 2016, Driven by the Business Demand
Mobithinking.com. Global mobile statistics 2012 Part A: Mobile subscribers; handset market share; mobile operators (June, 2012).
US-CERT. Technical Information Paper-TIP-10-105-01 Cyber Threats to Mobile Devices. (April, 2010)