I recently had a conversation with someone about BYOD and security. He told me that he thought that enterprise was having BYOD fatigue and there was a growing attitude that its security problems were overblown. This person wasn’t alone in his feelings. I had read some articles and heard others repeat similar complaints about BYOD. Perhaps mobile devices weren’t as bad a security issue as once thought?
Or maybe the threats are even worse than we realized. Some recent studies show just how much of a security risk mobile devices have become within the workplace, and this carries over into BYOD security risks as well.
First, a study conducted by Alcatel-Lucent's Motive Security Labs found that mobile malware increased by 25 percent in 2014, and 16 million devices – mostly Android devices but not exclusively – are infected. For the first time, we’re seeing infection rates of mobile devices that rival those on Windows computers. Out of the top 20 threats, six involved spyware meant to track location and monitor the user’s communications. The reason for all this malware, according to an eSecurity Planet article, comes down to the device owner:
"The growth of mobile malware, according to the report, is aided by the fact that few device owners take appropriate security precautions -- 65 percent of users expect their service provider to protect their devices for them."
What this means for businesses is that a lot of employees are sharing work data on devices that are probably not secure.
A second study, this one from Check Point and Lacoon, also looked at mobile malware, focusing on commercial mobile surveillance kits or mobile remote access Trojans (mRATs). As the study pointed out, while mRATs are often used as child monitoring services, they can be manipulated for malicious uses, too:
"When used maliciously, commercial mRATs can allow potential attackers to steal sensitive information from a device. They can take control of the different sensors to execute keylogging, steal messages, turn on video camera, and more. Essentially, attackers can target an enterprise and extract sensitive information from its employees’ mobile devices — all without their knowledge."
BetaNews also reported on enterprises being targeted by mobile Trojans and the results of the Check Point survey. According to the story:
"[The study] points out that attacks on organizations are clustered. Attackers choose certain large organizations and attack multiple targets inside them, as opposed to just attacking corporate employees of random organizations."
In this case, Android is better equipped to fight this type of malware attack than iOS because of the anti-malware applications offered through the OS.
As long as mobile malware continues to increase, BYOD security is going to be a problem for businesses. If there really is such a thing as BYOD fatigue, we’d better get rest fast because there could be a long fight ahead.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba