
Smart but deadly

By Lezette Engelbrecht, ITWeb online features editor
Johannesburg, 26 May 2011

If monitoring physical access and corporate networks wasn't enough of a headache, companies now have to contend with mobile and personal devices increasingly being used within, and outside, the workplace.

This is becoming a major worry for local companies, with the IDC expecting the smartphone market to expand by nearly 50% this year, and account for almost one in five handsets sold on the continent.

While smartphones have brought increasing flexibility and convenience, they've also opened the door to a whole host of security risks - ones that are often beyond a business' control.

Jacques Malan, director of cyber forensics firm Facts Consulting, says the unrestrained use of corporate mobile devices is becoming a major problem in SA.

“It's out of control. Technologies are merging into one big pool with no appreciation for the risks involved.”

These days, criminals don't even have to hack a company network; they can hang around a hotel room where executives are using the WiFi and get hold of information, says Malan.

The risk rate will remain high until the technologies and methodologies to protect devices have evolved, he adds. While mobile anti-virus and firewalls are available, few companies have implemented a comprehensive security policy for mobile devices.

“Awareness is critical,” says Malan. “It comes down to basic information security principles but many people still don't take it seriously.”

He notes that smartphone users are often completely oblivious to the vulnerability of their devices, with unsecured systems being treated like trusted ones.

“It's going to have a profound effect on virtually every aspect of a company, from policies to the IT architecture. Businesses have to cater for a whole new kind of risk.”

Malan adds that the iPad is a corporate disaster waiting to happen. “Every second CEO has one, and it's frightening what they carry around on these devices - often with little or no security.”

Apart from applying best practices, companies should make sure to adopt technology only if they truly need it, not just because they can, says Malan. “The less you have, the less risk you have.”

In its annual threat analysis report, Symantec identified smartphones and social networks as the new favourites for spreading malicious code. Known vulnerabilities in mobile operating systems rose from 115 in 2009 to 163 in 2010, it reported.

In several cases, the security holes were exploited and used to install harmful software on Android handsets, which suggests criminals now view smartphone hacking as a potentially lucrative exercise.

According to Symantec, Facebook, Twitter and Android users are particularly vulnerable.

In its Q4 threats report last year, McAfee revealed a 46% rise in cases of new mobile malware, compared with 2009. “As more and more users access the Internet from an ever-expanding pool of devices - computer, tablet, smartphone or Internet TV - Web-based threats will continue to grow in size and sophistication,” the company said.

McAfee's report showed that some of the most common applications hackers target included Adobe software such as PDF and Flash, which have become more popular on mobile platforms.

In February this year, IT security company Sophos brought out a data protection solution specifically for mobile, in response to increased concerns around securing mobile devices.

Sophos quoted recent research from Forrester, showing smartphone security is the leading concern among IT executives. Of those polled, 75% said they were either concerned or very concerned about the security risks associated with the adoption of these devices.

“Companies are faced with an unprecedented challenge of allowing consumer devices that they may not own to access company data, while still giving employees control and use of their devices,” said Brett Myroff, CEO of Sophos SA, in a release.

“The very notion of what defines a company endpoint has become redefined.”

Paranoid Android

Security firms globally are warning about the vulnerability of Android in particular, thanks to its growing popularity (Gartner expects it to be the number one OS in the world by 2014).

Data security company Imperva's Application Defence Centre recently revealed how hackers use Android applications to infect users and make money via premium-rate text messages. It points out that Android is becoming the largest app store in terms of the number of applications - something hackers are using to their advantage.

At the ITWeb Security Summit earlier this month, security researcher Nils from MWR Labs demonstrated how a phone running Android could be turned into a remote recording device.

He revealed vulnerabilities that allow criminals to access the phone's systems via its Web browser, without the user's knowledge, and to listen to and record everything the user says.

In an environment where senior executives are never without their smartphones, meeting in the most secure of settings wouldn't guard against the potential leak in their pocket.

Nils said it raises fundamental questions about whether vendors are giving enough consideration to security as they race to release new phones and systems.

He added that while MWR had brought these flaws to the attention of manufacturers, many had been less than responsive.

“The main problem with Android in a business phone is that it can be controlled from the outside,” he said. Not something most CIOs would want to hear.
