6 myths about enterprise mobile security
You can't talk enterprise security these days without talking about smartphones. Mobile devices are as crucial to the modern workplace as traditional computers—but with their extreme portability and near-constant connectivity, they pose plenty of concerns that aren't present in regular laptops and desktops.
For every valid gripe you hear about smartphone security and the enterprise, though, there's a misguided notion—an erroneous axiom based on outdated information or faulty assumptions.
The importance of enterprise mobile security can't be overstated: According to Deloitte, Americans use their phones at work more than anywhere else. And yet nearly a quarter of all smartphone owners don't utilize any method of protection—a fingerprint or even just a PIN or password—to keep their devices secure.
But it's not all bad news. So let's separate fact from fiction. Here are six common mobile security beliefs you can safely file away in your mental "myth" folder.
Myth No. 1: Mobile devices are less secure than laptops or desktops
IT pros have been working to keep traditional computers secure for ages now, so it's no wonder there's a common perception that our less-established and more nomadic mobile devices are inherently more dangerous. From the potential for smartphones to get stolen to fears of hacking, you could give yourself a migraine thinking of all the ways your pocket-sized tech could turn problematic.
The reality, though, is a different story. Recent surveys by the SANS Institute indicate desktops and laptops have been responsible for well over three-quarters of enterprise-based endpoint breaches over the past two years.
"The desktop and laptop can be of more utility to hackers," says Michael Kaiser, executive director of the National Cyber Security Alliance. "A lot of the hacking that's done has been built around software and programs to infect that environment."
Take, for instance, the WannaCry attack. The ransomware infects Windows PCs by taking advantage of an OS-level flaw—and, crucially, it then travels quickly across corporate networks to spread to other computers. The malware scrambles each system's local data and demands a ransom in order for the info to be unlocked. This sort of desktop-specific attack is growing increasingly sophisticated and common: Security company Symantec says it saw a 36 percent spike in ransomware infections from 2015 to 2016, with a whopping 463,841 detected instances over the course of the last year.
Remember, too, that while smartphones may ostensibly seem more easily misplaced than full-size computers, pretty much every contemporary phone now ships with a reliable native system for remote tracking and wiping. With both iOS and Android, it's simply a matter of opening a website (or an app, if you have another device handy) and then following a few prompts to pinpoint a phone's last known location and optionally erase its contents from afar.
The same can't be said for laptops, which don't generally have on-board GPS and require third-party systems to be installed for any sort of remote tracking and wiping capability. Phones also tend to have much smaller amounts of locally stored data than their traditional computing counterparts, which logically makes them a less effective target. Sure, it's possible to store sensitive info on a 32 GB or 128 GB memory chip, but the amount of data kept on a phone at any given moment is almost always significantly less than what's kept on a full-size PC.
Myth No. 2: Android isn't a serious option for enterprise adoption
Apple's iPhone is seen by many as the de facto standard for secure business use—and at some point, that may have been an accurate assessment. Nowadays, though, Google's Android software offers a rich array of enterprise-targeted tools, and the platform appears to be not only ready for business use, but it also owns a majority of the commercial market.
According to IDC, Android accounted for 66.7 percent of global commercial smartphone shipments in the first quarter of 2017. That's up around 9 percent from its position in the first quarter of 2016 at 61 percent.
Apple's iOS lost share over the course of that same period: iPhones were responsible for 32.3 percent of commercial shipments in the first quarter of 2017, down about 7 percent from their Q1 2016 level of 34.6 percent.
Android is the only smartphone OS that experienced growth during that 12-month window. BlackBerry dropped from a barely-on-the-map 0.9 percent mark at the start of 2016 to 0.2 percent in 2017. The story's even worse for the Windows Phone, which plummeted from 2.6 percent in 2016 to a mere 0.5 percent in 2017. And the catch-all category of "other" fell from 0.9 percent to 0.4 percent in that same span (sorry, Tizen).
IDC defines "commercial" purchases as devices bought by enterprises of any size—either directly with corporate funds or via employee purchases with subsequent reimbursements. It's worth noting, too, that these figures are specific to smartphones, whereas other market share assessments often include tablets, an area where Android devices have never been competitive.
Myth No. 3: Malware is a major real-world problem on Android
Android malware is a subject in and of itself. It's a constant area of discussion and coverage, and almost everything you read is based on sensational info and a broad misunderstanding of how security on the platform actually works.
Given the breathless coverage any cry of "Android malware" tends to generate, it's no surprise the platform has the perception of being a virus-ridden wasteland:
- "'Quadrooter' Flaw Affects Over 900 Million Android Phones"! (No, it didn't.)
- "'Lockdroid' Ransomware Can Lock Smartphones, Erase Data"! (Not exactly.)
- "Five Million Android Users Might Have Fallen Victim to Another Malware Attack"! (Yeah, not so much.)
The truth, though—as I've learned from years of closely covering the mobile space—is that Android malware is by and large a purely theoretical problem.
When you stop and look closely at the reported threats, they almost always share a few telling characteristics:
- The reports originate from a company that sells antivirus software for Android.
- The malware in question hasn't affected any normal users in the real world.
- The warnings ignore the fact that in all likelihood, Android's own built-in multilayered security system would prevent the vast majority of people from ever being impacted.
These points are critical to keep in mind when considering any purported Android malware emergence. Unless you go out of your way to find shady, unofficial sources for apps, and for some reason manually disable all of your phone's built-in safeguards, your odds of contracting malware on Android are exceptionally low—lower even than your odds of getting struck by lightning, according to one security firm's analysis.
For all the talk of malware on Android, you rarely hear about security threats to iOS devices. Apple's closely controlled approach—in which apps must go through a manual approval process, and no third-party manufacturers are permitted to build devices and thus maintain the platform's software—has kept iPhone-targeting viruses to a minimum. However, the idea that they're entirely absent from the platform isn't based in reality.
Last March, for instance, a security research firm found evidence of a bug that could infect regular iPhones and unwittingly redirect users to a credential-stealing third-party app store. The bug never had the potential to affect anyone in the United States, and it required downloading and installing a specific Windows program before any attack could take place.
An exploit publicized last August, meanwhile, forced Apple to issue an OS-level patch for protection. Dubbed Pegasus, the infection was said to be able to use software vulnerabilities to steal all sorts of data and remotely record through a device's camera, microphone, and GPS system. A user would have had to click on a link in a message before anything could happen, though, and Apple's fix prevented that from even being a possibility.
Just like on Android, a little common sense goes a long way.
Most people hear the word Android and think of Samsung's Galaxy phones—by far the most popular devices on the platform. But Android itself is an open source operating system used by dozens of manufacturers, and the resulting products vary in one consistently understated way: Some of them get timely and reliable software updates, but most of them don't.
I've been tracking phone manufacturer performance with Android upgrades for years now, and the results are eye-opening. In short, outside of Google itself (with its own Nexus and now Pixel phones), no Android manufacturer makes OS updates a meaningful priority. Samsung, in fact, is among the worst at getting updates into customers' hands. The likely explanation isn't anything technical, either; it's arguably all about business.
The state of the smaller monthly security patches is still a bit murky, but Google's latest publicly released info suggests there's plenty of inconsistency on that front as well.
Google has made OS updates less critical by pulling core pieces out of the operating system and treating them instead as easily updatable stand-alone apps—but that's only a partial fix. If you want to rest easy knowing you'll always have all the latest software and security fixes for your company's Android devices, Google's own self-made and supported phones are the only way to go.
It's easy to blame the distant din of evil-doers for all our security woes, but for most businesses, the bigger threat is something far closer to home.
Yup, you guessed it: Employee naivete, carelessness, and disregard for security practices top the list of endpoint device risk for most enterprises. A 2016 survey by the Ponemon Institute found that while IT pros are increasingly worried about external intrusions, negligent workers are by far the greatest challenge to effective security—regardless of the type of device involved.
The SANS Institute narrowed it down even further: In its most recent Endpoint Security Survey, the organization identified browser-based attacks and social engineering as the most pressing threats to enterprise security.
"These attacks are especially notable because they are directed at users rather than technology," notes G. W. Ray Davidson, a security analyst and author of the SANS Institute report.
So what's the answer? According to Davidson, a combination of ongoing user education and "continuous monitoring" of activity is the best line of defense. Users need to be reminded of the importance of encryption, strong on-device security (ideally including two-factor authentication), and active virtual private network use as well as the danger of clicking questionable links or providing information to unverifiable sources. And IT managers need to develop methods for making sure those lessons stick.
"We may need to broaden the definition of endpoint to include the user," Davidson warns.
In the end, whether we're talking about smartphones, laptops, or any other type of technology, effective security essentially comes down to smart management—and that, dear readers, is no myth.
This article/content was written by the individual writer identified and does not necessarily reflect the view of Hewlett Packard Enterprise Company.