As Apple Comes Under Pressure, Why You Need to Lock Down Enterprise Mobility Risk
In opinion / By Phil Muncaster / 06 April 2017
The Apple press office has been in overdrive this past fortnight after major breaking stories threatened to undermine its long-held reputation as a security stalwart. First came the WikiLeaks ‘revelations’ over CIA-developed exploits, and then a London-based hacking collective claimed to have access to hundreds of millions of iCloud accounts. Both have been over-hyped by many of the world’s media. But they should still provide IT bosses with some food for thought.
With cyber threats increasingly migrating to mobile channels, just how secure are your mobile users? Smartphones, tablets and laptops might help boost productivity and business agility, but mobility can also represent a gateway for hackers looking to steal sensitive data or hold mission critical IT systems to ransom.
APPLE UNDER THE HAMMER
At first glance, there’s been plenty of late for Apple users to be worried about. First came the latest WikiLeaks release, apparently showing the CIA had developed secret exploits designed to circumvent iPhone security by infecting “the iPhone supply chain of its targets”. Coming as they do on the back of revelations of wider CIA tampering with mainstream technology products used by many businesses, the allegations will concern IT security bosses worried such exploits could get into the hands of cybercriminals.
However, Apple has since responded that it has already fixed the allegedly targeted vulnerabilities, which in any case related to the prehistoric – in technology terms – iPhone 3G model.
The second big case involves a hacking group known as the “Turkish Crime Family” which is threatening to wipe the devices of hundreds of millions of devices associated with the iCloud accounts it says it can log-in to. The group wants Apple to hand over $100,000 in iTunes gift cards, or $75,000 in crypto-currencies by 7 April or users could lose any data stored on the Cupertino giant’s cloud servers.
Apple has refused to pay up and claims that its systems have not been breached, which has led some to speculate that the hackers could be bluffing. Or if they have access to some iCloud accounts it’s because they were able to gather data from separate breaches – where users have reused passwords across multiple online accounts. The smart move in any case would be to force users to migrate to two-factor authentication and not share passwords across sites.
THREATS ON THE RISE
Beyond the alarmist headlines, there might not be anything of immediate concern to keep IT bosses awake at night. But there’s certainly enough to revisit your mobile security policies and ensure you’re doing all you can to minimise cyber-related risk. After all, new data from Nokia has revealed that monthly smartphone infections grew 83% in the second half of 2016, to an all-time high in October.
According to the GSMA, smartphone penetration stands at around 60-70% across Europe and in UK that figure even higher. Ofcom declared in 2015 the UK is now a smartphone society, and last year eMarketer stats revealed 81% of the country’s population will use the internet regularly via any device. Increasingly this extends into the workplace as organisations look to reap the productivity and business benefits of BYOD. IT departments have no choice but to support the business in allowing such use – otherwise it will go underground in “Shadow IT”, making the practice even harder to police. But they do have a choice in how they control this usage to ensure it doesn’t end up in a data breach or major malware infection.
The truth is that as devices get smarter, more powerful and virtually ubiquitous inside modern companies, they represent an increasing risk to security. A report from the LinkedIn Information Security group last year revealed one in five respondents had suffered a mobile security breach, primarily because of malware and malicious Wi-Fi.
There are numerous ways for your employees’ smart devices to become infected. They could click on a link in a spearphishing email or SMS, downloading malware which could be used to spy on conversations or infiltrate the network and steal sensitive corporate data. They could download malware hidden inside a legitimate-looking app, which ends up infecting corporate systems – perhaps with ransomware. Once inside the network these malware variants encrypt all important files, leaving those who haven’t backed-up recently with little choice but to pay up or lose their data forever.
Or users could fall victim to Man in the Middle attacks by connecting to unsecured public Wi-Fi. There have even been reports from China that cybercriminals are looking to spread info-stealing malware by forcing smartphones in the area to connect to fake base stations. It’s a level of sophistication we’ve not really seen before, but could become increasingly popular as attackers look for bigger and bigger payouts.
The bottom line is that every mobile device connecting to the corporate network is also a possible gateway for the attackers to breach your defences. There may even be data stored on the device itself which could expose your organisation to risk. Device loss and theft has reached epic proportions in the UK, with up to 300,000 smartphones reported stolen to the police each year. It’s pretty safe to say that many of them will also be BYOD handsets.
So what’s the answer? For many smaller businesses with few resources or in-house skills to throw at the problem it could be worth the extra effort in seeking out a trusted third party to help manage this area of risk. Visibility is the first step to gaining control over mobility, so you need tools which will give you granular insight into what’s trying to connect to the company network. Then it’s a case of managing those devices from a centralised console – pushing policies out to groups according to your risk appetite and particular circumstances.
Remote device wipe, passcode lock and resets, software updates, data encryption, web filtering and app whitelisting are all best practice basics which will help improve your baseline mobile security. And with forthcoming European data protection laws set to mandate 72-hour breach notifications and levy huge fines on erring companies, the stakes are about to get even higher from next May.