17 Aug 2016

Complacent Enterprise Mobile Security and Risk Management Systems


According to The Mobile Security and Risk Review 2016 published by MobileIron, enterprises are still underestimating the importance of protecting corporate data from cyber threats on mobile devices and apps. The report found that only 13% of enterprises have an enforced OS update policy or mobile threat detection software in place.

Rather than looking for new vulnerabilities or developing new techniques, mobile attackers often re-use traditional tactics against mobile-specific services; SideStepper, for example, uses a man-in-the-middle (MitM) attack against mobile device management (MDM) services. As a result of mobile attacks, both personal and business data face the threat of being lost.

James Plouffe, lead architect at MobileIron, stated that the velocity of mobile attacks is outpacing the protection policies enterprises have established for mobility. “This lack of security hygiene demonstrates that enterprises are alarmingly complacent, even when many solutions are readily available.”

In the last six months, at least five mobile attacks have emerged or worsened, according to the report:

  • Android GMBot: This spyware remotely controls infected devices and tricks victims into providing their banking credentials.
  • AceDeceiver iOS malware: This malware is specifically designed to steal a user’s Apple ID.
  • SideStepper iOS “vulnerability”: This technique was found to intercept and manipulate traffic between an MDM server and a managed device.
  • High-severity OpenSSL issues: These vulnerabilities can potentially affect large numbers of applications and services, which could ultimately jeopardise enterprise data in motion.
  • Marcher Android malware: This malware has evolved to mimic bank web pages and e-commerce websites that trick users into entering their login credentials.

Security incidents should not be taken lightly: they expose vulnerabilities and put enterprise data at risk. Sensitive information, personal details and commercial data can be exploited and made public. According to The Mobile Security and Risk Review, in Q2 2016, 40% of companies had missing devices, and almost 30% of companies had out-of-date mobile security policies.

An unmanaged app can potentially leak customer and enterprise data, so the IT department should blacklist such apps on managed devices, preventing them from being used with corporate data. The 10 most common unmanaged consumer apps in Q2 2016 were Dropbox, Facebook, Angry Birds, Skype, Line, Box, OneDrive, Google Drive, Twitter, and Evernote.
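The controls the report measures (an enforced OS update policy, an app blacklist for unmanaged consumer apps, current policies, and tracking of missing devices) are simple to express as a compliance check. The following is an added example written for this article, not MobileIron's code or any EMM product's API; the device inventory is constructed, and the policy thresholds, app package names and field names are assumptions for illustration.

```python
"""Minimal EMM compliance evaluation (added example, not MobileIron code).

Evaluates a constructed device inventory against four controls: a minimum OS
version per platform, a blacklist of unmanaged consumer apps, a maximum policy
age, and a last-seen window after which a device is treated as missing.
"""
from datetime import date

# Hypothetical policy (assumption): versions, package names and thresholds
# are illustrative, not taken from the report.
POLICY = {
    "min_os": {"ios": (9, 3, 2), "android": (6, 0, 1)},
    "blacklist": {"com.dropbox.android", "com.facebook.katana", "com.evernote"},
    "current_policy_version": 7,
    "missing_after_days": 30,
}

# Date the report is run (assumption, matches the article date).
REPORT_DATE = date(2016, 8, 17)

# Constructed device inventory for the example (not real data).
INVENTORY = [
    {"id": "dev-001", "os": "ios", "os_version": "9.3.2",
     "apps": ["com.apple.mobilemail"], "policy_version": 7,
     "last_seen": date(2016, 8, 15)},
    {"id": "dev-002", "os": "android", "os_version": "5.1.1",
     "apps": ["com.dropbox.android", "com.android.chrome"], "policy_version": 6,
     "last_seen": date(2016, 8, 16)},
    {"id": "dev-003", "os": "android", "os_version": "6.0.1",
     "apps": [], "policy_version": 7,
     "last_seen": date(2016, 6, 1)},
]


def parse_version(text):
    """'9.3.2' -> (9, 3, 2). Non-numeric characters in a component are
    dropped so a build suffix such as '6.0.1b' still compares as (6, 0, 1)."""
    parts = []
    for component in text.split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def evaluate_device(dev, policy, today):
    """Return the list of findings for one device; an empty list means compliant."""
    findings = []
    minimum = policy["min_os"].get(dev["os"])
    if minimum is not None and parse_version(dev["os_version"]) < minimum:
        findings.append("os_outdated")
    banned = sorted(set(dev["apps"]) & policy["blacklist"])
    if banned:
        findings.append("blacklisted_app:" + ",".join(banned))
    if dev["policy_version"] < policy["current_policy_version"]:
        findings.append("policy_outdated")
    if (today - dev["last_seen"]).days > policy["missing_after_days"]:
        findings.append("missing_device")
    return findings


def compliance_report(inventory=INVENTORY, policy=POLICY, today=REPORT_DATE):
    """Per-device findings plus fleet-level percentages, the way the report
    quotes 'X% of companies had missing devices'."""
    devices = {dev["id"]: evaluate_device(dev, policy, today) for dev in inventory}
    total = len(devices)

    def pct(predicate):
        hit = sum(1 for findings in devices.values() if predicate(findings))
        return round(100.0 * hit / total, 1) if total else 0.0

    summary = {
        "non_compliant_pct": pct(lambda f: bool(f)),
        "os_outdated_pct": pct(lambda f: "os_outdated" in f),
        "blacklisted_app_pct": pct(lambda f: any(x.startswith("blacklisted_app:") for x in f)),
        "policy_outdated_pct": pct(lambda f: "policy_outdated" in f),
        "missing_device_pct": pct(lambda f: "missing_device" in f),
    }
    return {"devices": devices, "summary": summary}


if __name__ == "__main__":
    report = compliance_report()
    for device_id, findings in report["devices"].items():
        print(device_id, findings or "compliant")
    print(report["summary"])
```

Running it lists dev-002 as outdated, running a blacklisted app and on a stale policy, and dev-003 as missing because it has not checked in for more than 30 days; the summary is the fleet-level view an administrator would compare against the report's figures.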

Among third-party managed apps, Salesforce, QuickOffice, Evernote, Breezy, Cisco AnyConnect, Accellion, GoodReader, Cisco Webex, Box and Roambi Analytics ranked as the most often deployed, whereas Google Docs, Microsoft Office Suite, Skype for Business and Xora Mobile Worker dropped out of the top 10.

Apart from enterprises, government organisations are another big user of mobility services. They should have the most secure mobile solutions, platforms and channels; however, bureaucratic approval processes are often slow, leaving known vulnerabilities unpatched for attackers to exploit. In The Mobile Security and Risk Review 2016, government organisations recorded much higher percentages of non-compliant devices, missing devices, and devices operating under outdated policies than the global average.

The first step in maintaining Enterprise Mobility Management (EMM) is to gain users’ trust; however, the IT department should also take enterprise security seriously, since it addresses the possibility of confidential and valuable company data being lost. Employees should not remove EMM security controls without the IT department’s approval. If you have doubts about how secure your company’s mobile platform is, it is best to consult your mobile solution developer.
