Coming to Terms with the Mobile Security Paradox
One of the great paradoxes of IT security is that the major shift away from PCs in favor of mobile computing devices actually translates to less malware circulating on corporate networks now than ever. In fact, Enterprise Strategy Group (ESG) recently issued a report that finds the sheer volume of malware being generated dropped 47.3 percent in the first half of 2016.
The simple truth is that more end users actually feel more secure using mobile computing devices from, for example, Apple than they do Windows PCs. The assumption is that the providers of the mobile computing devices are working closely with carriers to protect the applications running on these devices. In reality, it turns out mobile computing devices are just as vulnerable as any other.
This week it was discovered that a vulnerability in Apple devices makes it possible to steal passwords by exploiting flaws in ImageIO, a programming interface that reads and writes image data. A criminal can send a multimedia message in a TIFF, JPEG or PNG format that is embedded with malware. It’s not clear whether or not anyone has used this exploit yet to inject malware in an Apple device. But the vulnerability potentially affects millions of Apple devices. Apple reported that it has corrected the flaw via patches to its operating systems.
Of course, the reason more attention isn’t being paid to mobile security is a fear that end users would consider such efforts to be too intrusive. A survey of 1,000 business executives released this week by BlackBerry Limited finds that while 73 percent of organizations have a mobile security strategy in place, only three percent say they have implemented the highest levels of security possible. A full 82 percent of the surveyed executives admit mobile security precautions cause at least some frustration among employees and 44 percent are concerned that too much mobile security will prevent employees from doing their job.
The tension between security and productivity has always existed. As a general rule, productivity almost always wins out. What’s changed, however, is that criminals are getting better at identifying high value targets. Rather than flooding the Internet with malware in a hit or miss proposition that can be more easily thwarted and more easily traced, criminals are discovering that it’s a lot more financially rewarding to target specific end users with, for example, ransomware attacks.
It's safe to assume that criminals are now spending a lot of time and effort figuring out how to crack mobile security defenses. As usage of these devices has increased, the number of Windows PCs that can be exploited is clearly declining. The only way for criminals to continue to make cybercrime pay is to focus on mobile computing devices that are now most commonly used to read email and visit web pages. It doesn’t take much these days for a file loaded with malware to hop from a mobile computing device onto a Windows PC and then propagate itself throughout the rest of the corporate network. Arguably, the reason mobile security as a whole hasn’t become a bigger problem just yet has a lot more to do with being lucky than smart.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for Intronis MSP Solutions by Barracuda.