Employees bringing newly purchased smartphones and tablets into the office could present a gift for hackers.
According to EY, 84 per cent of companies consider mobile security a medium/high priority area, but only 41 per cent indicated they will increase their spending in covering the threat. The consultancy warned that with millions of pounds spent on gadgets over the Christmas and New Year period, companies with poorly protected networks or without Bring Your Own Device (BYOD) policies could unwittingly be allowing hackers to access their systems by targeting employees’ devices.
Massimo Cotrozzi, Director, Cybercrime Investigations at EY, comments: “We are only in the first few days of 2015, but weare already seeing issues with companies leaving themselves exposed to this phenomenon.
“The new smart mobile/tablet and wearable tech that employees bring into the office could be now connecting via the corporate wireless networks to external cloud systems which, in the best case, have not been appropriately protected, let alone tested.”
Jahmel Harris, Security Consultant at MWR, told IT Security Guru that even though the devices are new, it doesn’t always mean that they carry the latest software. “A review by Bluebox of sub $100 tablets in 2014 showed that many of them are shipped with old and vulnerable versions of Android, security backdoors and mis-configuration,” he said.
“With BYOD, these devices can easily make it into offices dealing with sensitive information and, due to the fragmentation of Android, providing sign-off for one type of device does not necessarily mean other devices will be configured in the same way. With any BYOD environment, care should be made to perform checks on devices, where the OS version, installed apps and root status are checked first.
“The security impact of these devices are not always known and there is not always off the shelf solutions to support them in a secure way. Wearables pose a particular risk as they are so integrated in mobile devices which will be used in BYOD environments.”
Alex Marsden from Phish’d by MWR InfoSecurity, said: “BYOD brings with it a plethora of security issues including password policy, anti-virus and downloads. One big concern is people bringing their own devices into work and connecting to corporate networks – people can open a spam email or simple phishing email on their device and it then compromises the network it is connected to.
“Companies need to make BYOD policy tighter where appropriate and ensure users are aware tha
t emails on either their corporate email or personal mobile are vulnerable to phishing- increased general awareness to phishing is key here. There is a tendency with BYOD to point the finger at the end-user, however this is not a ‘careless user’ issue alone, it is a corporate responsibility and will only increase.”
Asked if the 41 per cent figure shows that existing BYOD policies and black/whitelisting does actually work for the majority of businesses, Harris said: “With enough time, an attacker can bypass most attempts of blacklisting and poorly configured whitelists, so companies should have policies and practices in place to deal with what should be thought of as inevitable breaches.
“This includes monitored logs, the ability to wipe devices if they are lost, stolen or compromised and figuring out where the businesses high risk assets are. These high risk assets should have additional security controls in place, meaning a breach of a mobile device does not necessarily put the company at further risk that that accepted when implementing a BYOD policy.”
Commenting, Russ Spitler, VP of product strategy at AlienVault, said: “From a hacker’s perspective, a mobile device is still most easily monetized by sending SMS to pay numbers or harvesting email lists for spammers; the act of using it to then pivot into the local network and compromise a business is restricted to government actors, not broad based attacks.
“After this Christmas people will return with their mobile devices and businesses will be just fine, some of those people will be silly enough to download ‘free’ screen saver apps that send text messages in the background and steal their friends’ email addresses, but that will have no affect on the businesses the people work for.”