As people use their mobile devices as what one friend used to call a “pocket supercomputer” rather than as something you dial seven digits on (remember that?) to talk to someone, hackers have figured out that the new attack vector is your phone.
In part, this is because finally, after 20 years of trying, Apple and Microsoft have significantly improved the security of their desktop operating systems, making the hacker’s job harder there (let’s ignore for the moment that people are not very good about applying patches).
When it comes to phones and security, we are at roughly the same point we were with Windows computers in, say, 1995. That is not very comforting.
For example, when was the last time you patched your phone?
In fact, DO YOU KNOW FOR SURE if there are patches available for your phone on a regular – monthly – basis?
For most iPhone users, Apple does provide patches for the operating system BUT NOT FOR THE APPLICATIONS THAT RUN ON IT: those come from each app’s developer through the App Store, if they come at all. And Apple does not patch old iPhones that have dropped out of support.
For Android users, it is a much more complicated situation that splits the job between Google, the phone manufacturer (such as LG or Samsung or 100 other vendors) and the carrier. Google publishes the fixes in its monthly Android security bulletins, but the manufacturer and then the carrier each have to build, test and ship them for your particular model, and any one of them can stall or simply never bother. With one exception: Google-branded phones get their patches directly from Google.
According to a new Verizon report, one in three organizations ADMITTED that they suffered a compromise due to a mobile device. That is up five percent since last year. And probably highly underreported.
Mobile devices are susceptible to many of the same attacks as Windows and Macs, plus a whole host of mobile-specific attacks. And, no, Linux users are not in the clear. Remember that the Android kernel is basically Linux and iOS is basically BSD Unix on top of a Mach kernel, so all phones are Linux cousins or other Unix relatives.
And here is an interesting tidbit – OVER 80 percent of organizations BELIEVE their protections are either effective or very effective, even though less than 12 percent had implemented all basic protections: Encrypting data on public networks, changing default passwords, REGULARLY testing security systems and restricting access based on a need to know.
80% of the companies said they could spot a problem quickly. The only problem is that 63% of the problems were found by customers.
Okay, so now that we have a kind of “state of the phone security union”, what should you do?
First, you should create a policy regarding mobile device security.
Part of that policy needs to spell out which mobile devices are allowed to access corporate data (for example, only phones running a currently supported operating system with a recent security patch level) and what happens if a device does not meet those requirements: blocked outright, or allowed limited access until it is brought up to date.
Then you need to decide how you are going to enforce the rules. Software generically called mobile device management (MDM) is the most efficient way to do that, and there are many vendors of MDM software. One caveat: an MDM can only check devices that are enrolled in it, so enrollment itself has to be a condition of access, or the unpatched phone you most need to catch is the one you never see.
Next you need to set up the people and the processes to make this work from now forward. (If you need help with this, contact us).
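To make the policy above concrete, here is an added example (not from the original post, and not any MDM vendor’s code) of the compliance check an MDM or access gateway would run over a device inventory: is the device enrolled, is its OS release still supported, and how old is its last security patch. The minimum versions, the 90-day patch-age limit and the sample inventory are constructed assumptions for illustration; set the real thresholds from Apple’s and Google’s current support lists.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy thresholds (placeholders, not vendor data): the lowest OS
# release still receiving security patches on each platform, and how old the
# newest installed security patch may be before access is restricted.
MIN_SUPPORTED_OS = {"ios": "16.0", "android": "12.0"}
MAX_PATCH_AGE_DAYS = 90


@dataclass
class Device:
    device_id: str
    platform: str      # "ios" or "android"
    os_version: str    # e.g. "16.5.1" or "13"
    patch_level: date  # date of the newest security patch installed
    enrolled: bool     # enrolled in MDM, so the fields above are attested rather than self-reported


def version_tuple(version, width=3):
    """'16.5.1' -> (16, 5, 1); '13' -> (13, 0, 0) so that '13' is not ranked below '13.0'."""
    parts = [int(p) for p in version.split(".")]
    parts = parts + [0] * (width - len(parts))
    return tuple(parts[:width])


def evaluate(device, today):
    """Return (decision, reasons); decision is 'allow', 'restrict' or 'block'."""
    block, restrict = [], []
    if not device.enrolled:
        # With no enrollment nothing the device reports can be trusted, so this alone blocks.
        block.append("not enrolled in MDM")
    minimum = MIN_SUPPORTED_OS.get(device.platform)
    if minimum is None:
        block.append(f"unsupported platform {device.platform!r}")
    elif version_tuple(device.os_version) < version_tuple(minimum):
        block.append(f"{device.platform} {device.os_version} is below the supported minimum {minimum}")
    age = (today - device.patch_level).days
    if age > MAX_PATCH_AGE_DAYS:
        # Supported OS but patches lagging: keep low-risk apps, cut off sensitive data, warn the user.
        restrict.append(f"newest security patch is {age} days old (limit {MAX_PATCH_AGE_DAYS})")
    if block:
        return "block", block + restrict
    if restrict:
        return "restrict", restrict
    return "allow", []


def evaluate_fleet(devices, today):
    """Decision per device id for a whole inventory."""
    return {d.device_id: evaluate(d, today) for d in devices}


# Constructed sample inventory and evaluation date (illustration only).
SAMPLE_TODAY = date(2023, 7, 1)
SAMPLE_DEVICES = [
    Device("phone-01", "ios", "16.5.1", date(2023, 6, 20), True),   # current and patched
    Device("phone-02", "ios", "13.7", date(2020, 9, 1), True),      # OS out of support
    Device("phone-03", "android", "13", date(2023, 2, 5), True),    # supported, patches lagging
    Device("phone-04", "android", "13", date(2023, 6, 1), False),   # never enrolled
]

if __name__ == "__main__":
    for device_id, (decision, reasons) in evaluate_fleet(SAMPLE_DEVICES, SAMPLE_TODAY).items():
        print(f"{device_id}: {decision}  {'; '.join(reasons)}")
```

The three-way outcome matters in practice: an unsupported OS or an unenrolled device is blocked because nothing can fix it short of replacing the phone or enrolling it, whereas a lagging patch level on a supported phone gets a restricted state the user can clear by installing the update, which is what actually drives patch adoption.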
Not simple, not easy, but absolutely necessary. Sorry.
Some information for this post came from CSO.