The Sony hack is the talk of the town these days, but just a couple of weeks back CIOs, CSOs and IT managers around the world awoke to alarming news of the largest retail data breach in U.S. history (at least 56 million credit card numbers stolen from Home Depot). In a knee-jerk reaction to the data breach, the Home Depot security team distributed a few MacBooks and iPhones to executives for business continuity. The belief was that while Android is known to have malware, it’s OK to install whatever you want on iOS, given Apple’s “walled-garden” architecture. The truth is that not even iOS guarantees mobile security, as there are many “Next gen” sleeping giants out there for mobile operating systems. A few of them were discovered in the past few weeks.
According to a recent Spiceworks survey, while 98% of IT leaders are concerned about the potential security impacts of mobile devices in the workplace, fewer than half of respondents reported that their companies were using or planning to use mobile security software in the next year. However, it is critical that companies align their mobile security plans with the emerging reality.
A Next Gen Example: WireLurker Attack
WireLurker, a piece of malware discovered within the past quarter, challenges some beliefs traditionally held by many in the IT community.
- Myth 1: I have an MDM solution, so I am fine. Incorrect - MDMs are great for managing devices but not as good at securing them. WireLurker is capable of hiding in Mac OS X apps and transferring itself onto iOS devices when you connect the iOS device to the Mac.
- Myth 2: iOS devices aren’t susceptible to malware that attacks Android and Windows devices. Incorrect - WireLurker has targeted iOS devices in places such as China.
- Myth 3: If employees don’t jailbreak their devices, our company is secure. Incorrect - WireLurker impacts ALL devices, whether jailbroken or not.
- Myth 4: The only way to get a malicious app on an iOS device is through the Apple App Store. Incorrect - WireLurker can target iOS devices via USB.
Five Ways to Avoid Next-Gen Attacks
Companies are under tremendous pressure to protect their data. Here are five ways that IT departments can stay in control of mobile security:
- Involve other people and other teams: Like any other security solution, mobile security is also a combination of the 3 P’s (Product, People and Processes); ignoring any one of the P’s can defeat the overall initiative.
- Increase visibility: Get visibility into everything that is happening on mobile devices without compromising user privacy. Intelligently differentiate between personal and work activity and apply appropriate policies.
- Separate Mobile Security and MDM: Mobile management and mobile security are not the same; address and lock down both of them.
- Think across heterogeneous OS: Mobile security solutions should reach across both Android and iOS – iOS hackers are addressing a bigger footprint and may be more motivated, but both platforms must be addressed.
- Keep Things Simple: Complicated solutions, such as those relying on containerization, tend to be less user-friendly and prone to user error and negligence, and may turn into disregarded and ineffective “shelfware.”
About our guest blogger: Varun Kohli is a tech blogger and Vice President of Marketing at Skycure. He has held executive/leadership positions in marketing, product management and product development at both startups and large companies, and is on the advisory board of many startups. He looks forward to bringing you more mobile security news and tips, as well as IT best practices in future blogs.
Varun: @vk_is