Through the advent of mobility, smartphones and tablets are now more dangerous devices to enterprises than laptops and PCs.
Mobile malware continues to proliferate, and at the same time employees are insisting on bringing their personal devices to work.
On the surface, this is great for the enterprise. Employees are happier and more productive using their own devices in the workplace.
But this employee-driven trend poses a tremendous risk as cyber-criminals and hacktivists find new ways every day to expose vulnerabilities in smartphones and tablets.
This problem is even more apparent in the Middle East, where mobile penetration is the highest in the world.
“On average, smartphone adoption is approximately 30 percent in any given country,” says Mohammed Joueid, Consultant, Identity Assurance, HID Global. “As a proportion, smartphone penetration is relatively higher in the Middle East than any other part of the world.
“In the UAE this is approximately 26 percent of the population, and in Saudi, this is 60 percent of the country. This is influencing the use of technology at home but more importantly in the workplace.”
So are Middle East CIOs fully prepared for these issues? To put it simply, it would appear not.
Colonel Dr. Rashid Borshid, Director, UAE Criminal Investigation Department (CID), made many UAE businesses prick up their ears when he said they are all a prime target of international cyber-crime rings.
More worrying, however, is the use of malware in almost every stage of the alleged attacks.
“If we pay close attention to the new statistics coming from reputable anti-virus firms that saw a dramatic rise of about 50 percent from the same period in 2012 in mobile malware, what we get is a dangerous mixture of in-country risks, powered by an evolving paradigm shift from regular to mobile malware, which the local security industry is still learning,” says Marwan Abdulla Bin Dalmook, Senior Vice President, Technology Security and Risk Management, du.
According to Sean Newman, Field Product Manager, EMEA, Sourcefire, although much of the malware threats are still in their infancy, there is no doubt that criminals controlling most cyber-crime will see the move towards more mobile devices as an opportunity to make money.
Newman is also far more liberal in his numbers, predicting that malware targeting Android-based devices has increased nearly 500 percent in the last 12 months. Yep, you read that right—500 percent.
One thing is for sure, though. Of all the malware that is out there, the leading factor in the growth is back-door Trojans that steal personal data without the victim’s knowledge, along with malware that attacks user log-in information.
“Users are often unaware of the risks associate with the applications they download,” says Nicolai Solling, Director of Technology Services, Help AG. “The trend with mobile devices is that users place convenience above all else and give little thought to security.
“That IDC recently reported that just 5 percent of smartphones and tablets globally have security tools installed is proof of this. Currently, there are a number of organisations in the region looking to support BYOD. However, the use of mobile devices for sharing corporate documents is far more prevalent, and is often carried out even though corporate policies prohibit such activities.”
It would therefore seem that enterprises in the Middle East are only just beginning to understand the real risks related to BYOD.
However, there are also challenges in rolling out comprehensive BYOD initiatives, including defining the risks, developing and implementing a practical policy, deploying the right technical solution, integrating with existing security technologies, and troubleshooting issues.
“Since the residual risk after deploying silo initiatives is high, there needs to be a holistic and integrated approach that raises the bar for a successful implementation,” says Niraj Mathur, Security Practice Manager, GBM. “Technology itself also needs further development to address all organisational security needs.”
Certain concerns can be attributed to corporate policy, which is lagging behind in putting the necessary processes and procedures in place to support BYOD.
Given the lack of even basic visibility, most IT security teams certainly don’t have the capability to identify potential threats from these devices.
“It is critical they gain the information superiority advantage in a mobile world, and so IT security professionals must be able to see everything in their environment, understand whether it’s at risk, and then protect it,” Newman says.
For most enterprises, he adds, the right solution isn’t to ban BYOD strategies but to implement BYOD policies that clearly define the proper use of employee-owned devices in the enterprise.
Indeed, for all the talk and buzz surrounding BYOD, the actual number of implementations remains relatively low.
Solling says he would place security as the main cause of this, which he believes can be confirmed by any BYOD survey.
“Dealing with data loss, defining proper usage policies, and supporting the wide range of devices with their unique security nuances, are all challenges that IT departments face today,” he says. “Until CIOs are confident that these concerns can all be addressed and BYOD supported in an easy manner, the adoption rates will remain low.”
Another factor that has contributed to low uptake is that often it is only the executive staff who are seen as necessary candidates for BYOD support. And it is easier to provide company-issued devices with a greater set of restrictions rather than to implement a BYOD solution.
A question of Android
It remains no secret that the vast majority of mobile malware is found in Android; 99 percent, in fact, if the studied are to be believed.
With that in mind, it would be wrong to at least not ask the question, shouldn’t CIOs be avoiding this operating system altogether?
Yes, Android is the most adopted OS in the world—perhaps mainly because of its open nature rather than its popularity amongst users. But there are plenty of very competent alternatives from iOS, BlackBerry and Windows.
Does that mean Android should be excluded entirely from enterprise environment? According to the subject expects, the answer is no.
“Admittedly malware for the Android platform does indeed outstrip that of other OSes,” says Raj Samani, VP, Chief Technical Officer, McAfee EMEA. “However, mobile threats go across all platforms.
“For example, consider the privacy issues associated with mobile apps. Whether you are on Android, or any other platform, the lack of visibility you have about what an app is accessing is very limited.”
In the Middle East, iOS and BlackBerry are prominent, particularly in Saudi Arabia and the UAE, whilst Android typically holds third place.
However, this is changing, and Joueid says he believes Android as a platform in fact still does have a lot to offer enterprises.
“If we look closely at the usage patterns in the Middle East across the smartphone landscape, then the use of email and applications are still prevalent,” Joueid says. “Therefore, it is important for CIOs to assess and review risk-appropriate measures and how this should be incorporated in an organisation’s security strategy.”
The brutal fact to the enterprise remains that, as the BYOD trend continues to take off, so will the proliferation of Android in the enterprise.
It is therefore clear that Android will remain the dominant mobile OS through these early years of BYOD adoption, and discounting the system altogether would almost certainly bring the trend to a grinding halt.
“Organisations should instead focus on educating employees about mobile threats as many users are still unaware of how big a threat malware really is,” Solling says.
Educating the masses
For now, the solution to the problem must come down to education. There is no doubt that IT decision-makers in certain enterprises could benefit from increased awareness of mobile malware, and training on how to combat it.
“Companies that have deployed BYOD, but haven’t focused on security implementation for BYOD, would benefit from this approach,” Marthur says. “Today, enterprises are required to take a practical approach to solving problems, which starts with conducting a risk assessment.
“This would provide the enterprises with the appropriate next steps to minimise risks, helping to address the threats holistically and provide the appropriate justifications for the enterprise to convince management on the next steps.”
Samani adds: “This is an emerging area, and the volume and sophistication of mobile threats are changing all of the time, so even if organisations feel they understand the threat landscape, working with a partner with world-class research is the best way in managing the risk.”
And whilst some organisations may be put off by the potential cost of protecting against mobile malware, they should bear in mind it is not much more expensive than traditional intrusion detection and prevention.
However, costs can vary greatly depending on the extent to which BYOD access is granted, Newman says. “Enabling access just to corporate email, and using an MDM solution to limit access to devices that are only using official apps and meet other key policy requirements, can be very affordable. MDM can be deployed for a similar cost as endpoint anti-virus solutions, for example.”