A couple of weeks ago McAfee, Intel’s security arm, which has a vested interest in mobile security, reported that mobile threats are on the rise, highlighted by a 35% growth rate in Android-based malware. “The mobile cybercrime landscape is becoming more defined as cybergangs determine which tactics are most effective and profitable,” said Vincent Weafer, senior vice president, McAfee Labs.
“Endpoint protection isn’t what it used to be,” said Adam Stein, Senior Director, Mobile Product Marketing, SAP Afaria, in a recent interview with IT Trends & Analysis. According to SAP, McAfee and Juniper Networks reported an increase in mobile malware attacks of 614% year-over-year and an increase of attacks coming from free mobile apps, specifically.
There are so many different attack vectors, so many varied ways that mobile content can be attacked, he said. “It’s not just BYOD, it’s BYOX — applications, content and devices.”
It’s a mobility-driven world, or a target-rich environment, depending upon your viewpoint. Smartphone shipments reached almost 200 million in the first quarter of 2013, a year-over-year increase of 30% (Juniper Research). Tablet shipments fell 9.7% in the second quarter, but the 45.1 million units shipped was up 59.6% from the same quarter in 2012 (IDC).
IBM, which just acquired Trusteer, a software developer that helps protect against financial fraud and advanced security threats, said of the top 25 US financial institutions, half are offering mobile person-to-person transfers and mobile remote deposit capabilities, a figure that has more than doubled since 2011. This is putting the mobile channel in the crosshairs of account takeover attacks.
While internal threats – human errors and system problems – contribute significantly to data breaches (64%), the total cost per data breach incident was $5.4 million. Malicious or criminal attacks cause 37% of data breaches and are the most costly data breach incidents.
Current enterprise security is based upon disjointed organizations, manual processes, and an army of disconnected point tools, wrote Enterprise Strategy Group’s Jon Oltsik in a recent blog. Senior Principal Analyst and the founder of the firm’s Information Security and Networking services, he said this security is functional but no match for IT complexity or the volume and sophistication of cybersecurity threats.
‘In lieu of some catastrophic cyber event, the current enterprise security model is experiencing “death by a thousand cuts.” The cuts are simply getting more abundant and deeper.’ Enterprises need a vast improvement in security analytics, automation, efficacy, integration, and intelligence soon, he noted.
A recent ESG survey found a pressing need to improve endpoint visibility for information security. According to the findings, 30% of 315 security professionals working at enterprise organizations (i.e., more than 1,000 employees) were unsure about “applications installed on each device,” 19% had difficulty monitoring “downloads/execution of suspicious code,” 12% struggled when tracking “suspicious/malicious network activity,” and 11% had a hard time tracking “current patch levels.”
Mobile security is really complicated, especially throwing in Shadow IT and consumerization, said Stein, requiring a holistic approach to securing applications, content and devices. Mobile security represents a conundrum, he said. “It’s not just technology, but policies; not just BYOD, but BYOX.”
Mobile security goes up and down the organization. “Security isn’t just a one and done.” It’s not just a technology decision, it’s a business decision too, said Stein.
Three factors have changed with regard to security, he said. Defense in depth must now deal with a much broader spectrum of issues; people are using mobile access significantly more than in the past; and there is a much more diverse type of computing base, with more operating systems to be covered.