Managing the Mobile Gap

Stephen Pritchard looks at the problem of mobile devices in the enterprise, and asks whether 2016 will bring any solutions to this persistent problem.

"Mobiles are chaos". This is the unequivocal view of Rob Smith, a research director at Gartner and a longtime observer of the mobile landscape.

"The frequency of updates is unparalleled. There have been 14 versions of iOS in the past year. And if you look at apps, every app update is a new app, every OS update is a new OS. And there are undocumented features with every update."

This contrasts to the more staid and predictable world of personal computers, with its regular rhythm of patches and updates, and OS upgrades that come along just every few years. Phone buyers, by way of contrast, change devices every one to two years, and are motivated mostly by cost.

Mobile devices, though, are essential to business. Gartner, for example, says that 320m PCs were sold in 2015, against 206m smartphones and tablets. The research firm says that over half of households will own a tablet by 2016 across mature markets. In some countries, the figures are already higher: Ofcom, the UK's telecoms regulator, expects three quarters of households to own a tablet at some point during 2016.

The impact on business is clear. Companies need to embrace mobile technology, but many enterprises are only just starting to consider what it means for security.

"We've seen pressure being put on CIOs to ensure a mobile offer. Senior executives have become very used to mobile working themselves, and CIOs see it as a positive direction," says John Skipper, cybersecurity expert at PA Consulting, an advisory firm.

"Companies should step back and balance risk and benefits, as with any other technology decision. Because mobile is so ubiquitous, we often don’t think of it in that way."

This ubiquity raises risks, including the loss of corporate data and potentially, mobile devices acting as a path for malware into organizations.

Despite this, the real threat posed by mobile devices is less than clear. The vast growth in mobile use has not, for example, led to an equal increase in mobile malware incidents. Although researchers have been uncovering examples of mobile malware since the 1990s, there have not been the large-scale virus outbreaks that have affected PCs. Even so, Verizon, the cellular network, estimates that tens of millions of devices are being compromised every week, most of them on the Android platform.

"Infection rates could be around one per cent, up there at the level with PCs," says PA Consulting's John Skipper. "But the level of danger may be lower. The top five malware items are targeting the local device, trying to compromise the individual."

This targeting is being driven, experts say, by financial crime and especially by a desire to compromise online banking and other, personal financial transactions.

"There is malware, botnets and other malicious material out there on mobile devices, but so far the volume and scope of the attacks is far less than we have seen targeting traditional desktop platforms," explains George McBride, vice president of the security science practice at Stroz Friedberg.

"But the infection rates of mobile devices continue to rise, with a significant number of attacks targeting users of financial services."

The hidden risks of mobile

One reason is that the mobile world's diversity – both in hardware and operating systems – has, so far, given it some protection against malware writers. Even though the number of mobile operating systems has fallen over the last few years – and could fall further, with brands such as BlackBerry moving to Android – the PC environment remains far more homogeneous.

"It is much easier to email malware and run it on the PC, rather than jailbreak or root a phone. [For the hacker] it's an ROI discussion. It is easier to get into an average corporate network than an individual device," says Gartner's Rob Smith.

"There is a greater barrier to entry for potential hackers of mobile devices," agrees Stroz Friedberg's McBride. "It is significantly easier to create malware on and for a PC, than it is for a smartphone or tablet.

"This barrier will continue to erode as toolkits and materials become available to help hackers develop their own malware; and the number of sources of custom developed malware continues to rise.

"But malware writers and hackers want to attack platforms with the greatest footprint. With more and more users using mobile devices such as phones and tablets as their primary computing device, the threats of malware on mobile devices can only go up."

This, then, is the dilemma facing corporate users of mobile devices. As devices become more powerful, and more widespread, so they become more attractive targets to hackers.

Threats on the move

The fact that attacks against mobile devices have, so far, been limited is no reason for complacency, however. As companies access, transfer and even store more key data on mobile devices, the potential damage from targeted attacks increases, as do the risks of hacking groups developing platform-wide malware.

At the corporate level, threats are more likely to be around data theft and data exfiltration than the use of mobile devices to launch large-scale attacks against networks or systems.

"In the immediate future, I don't think we will see mobile devices used as vectors in big denial of service attacks as we see with desktops," suggests Stroz Friedberg's McBride.

Spyware, or possibly ransomware, is viewed as a greater risk, as are targeted attacks that go after individuals with access to high-level data, suggests McBride.

Ultimately, the use of personal mobile devices remains a risk, because they are personal.

"Personal devices are a risk to corporates," cautions Doug Davidson, CTO for cybersecurity at IT firm Capgemini. A move by companies away from "bring your own device" policies, and towards greater use of company-owned devices, especially for sensitive data and applications, can reduce the risk.

But it is still vital that organisations, before they look at granting mobile access to core applications and data, understand exactly what they are doing. This should, Davidson says, be part of a wider, strategic approach to mobility.

"You need to go back to the basics," he says. "What type of mobile devices are being demanded by the business? What are current and future mobile requirements? What types of data are being transferred? Which are sensitive, and what data are you sharing with third parties?" he asks. Even email has its risks. "People think it is just messaging. It is not, it is information sharing."

As well as targeted attacks, organizations need to be aware of the value of data that might be carried on mobile devices, including personal devices, and the possible penalties and reputational damage that might follow the loss or theft of a device.

For this reason, businesses need a strategy – as well as tactical and technical measures – for managing mobile devices and the applications that connect to them.

Closing the mobile gap

Fortunately, some of the measures organizations can take to protect their mobile users are simple, effective and cheap.

One of the most cost-effective steps is to move towards six- or even eight-digit passcodes; this protects devices against hacking kits that can bypass four-digit codes and the "10 tries and wipe" functionality in handsets. It is also a measure that users of personal devices can implement, as it protects their own information too.

Businesses with any number of mobile devices are also likely to run a central mobile device management (MDM) application. MDM applications offer rich functionality, but do need to be kept up to date. Some mobile operating system updates have, in the past, disrupted MDM controls, so CISOs should check this before allowing users to update their devices. But MDM does, for example, allow enterprises to control PIN strength and OS updates, as well as more basic features such as remote lock or wipe.

"Firms should use encryption – many devices encrypt by default – device management tools, and features like activation lock," says David Rogers, CEO of mobile security analysts Copper Horse. "But the single most effective thing we can do is look at software updates – that can protect people from a lot of malicious activity."

Businesses with larger fleets of mobile devices, and those with active BYOD policies, should also consider separating mobile devices from the core network. Some companies operate mobile devices in a DMZ; others operate separate wireless LANs for personal devices, outside of the firewall.

Encryption, anti-virus, anti-spam and network access control tools are also all vital for mobile security, as is controlling the interface between the mobile subnetwork and the corporate core. Virtualized environments for running sensitive applications on the mobile device are another option CISOs are investigating, albeit one that puts its own demands on device performance.

However, security measures are only as good as the policies and user education programs that support them; this is especially the case for mobiles.

"Even with MDM or BYOD policies in place, employees will find ways to use their mobile devices to make their jobs easier, even by creating ways around controls," says Stroz Friedberg's George McBride. "Companies have a stake in taking charge of mobile systems; it is after all their data or their customers' data that they are responsible for protecting."

"You can't prise smartphones from people's hands. You have to accept risk, it's about degrees of risk. Even with the strongest security measures on iOS and Android, you can't guarantee data is safe," says Gartner's Smith.

"It is a question of best efforts, and making sure an average hacker can't get past them, unless they are specialists in mobile."
