Explosion Of Mobile Security Threats Creates Partner Opportunities

More than ever, workers are ditching standard issue corporate devices and relying on personal smartphones and tablets. And organizations are letting them do it.

For the first time, enterprises and SMBs alike are forced to secure and manage an explosion of disparate personal mobile devices now used for business-related functions.

The problem represents a unique challenge for CISOs and IT administrators. They want to keep their workers happy and productive, but as more employees work remotely and work while traveling, these security managers are also tasked with keeping confidential corporate information from walking out the door.

And while the challenge is daunting, it opens up new opportunities in a growing market for security solution providers.

These partners say that the adoption of mobile devices in the workplace provides one more platform to offer and install mobile security solutions such as endpoint protection and encryption, as well as specialized monitoring services, updates and remote device wiping. More and more, they say they're able to provide these services remotely and from one centralized management console.

In addition, the expansion to mobile security considerations offers new opportunities for partners' consulting services, including mobile best practices and use of strong passwords.

"The acceptance of data access from anywhere with any device will eventually be required," said Jason Wingert, executive director at Cincinnati, Ohio-based PCMS Datafit. "The biggest mistake is not taking action now to prevent the security challenges [devices]create."

The new mobile security challenges are unmistakable.

According to a recent Symantec "Consumerization of IT" survey, 63 percent of respondents said their company allows employees to use the smartphones of their choice for work-related activities and 91 percent of respondents said that their company allows employees to use their work-related smartphones for personal use as well as business-related tasks. However, only 51 percent said that their employer has communicated policies and/or best practices to them regarding the security of their smartphones.

The biggest mobile threats continue to be accidental data loss. "The most common security problems on mobile devices continue to be the mundane ones, losing your phone, having it stolen or dropping it in a lake. Good backups are always the first thing to worry about," said Mikko Hypponen, chief research officer at F-Secure.

Experts say the biggest headache for enterprise organizations is managing and supporting the explosion of disparate mobile devices used in the workplace -- a monumental task that often includes being able to control and access information, inventory the devices, apply policies, add and delete e-mail account, as well as secure the information on the devices.

"Today, the issue is really management. It's being able to say yes to these devices and determining what they're saying yes to," said John Engels, principle group product manager of enterprise mobility at Symantec . "What are they going to do when people leave the organization? That's where mobile management seems to be the critical point for many customers."

Thus far, mobile malware still represents just a fraction of the total of PC malware. Tim Armstrong, malware researcher at Kaspersky Lab , said that researchers detect around 40,000 pieces of PC malware per day, compared to the 4,000 total pieces of mobile malware that are currently circulating on the Internet.

However, data loss due to mobile malware poses a salient and growing threat, while mobile security attacks are accelerating, in part due to the fact that mobile devices are more susceptible to loss and theft, and, unlike PCs, remain largely unsecured, experts say.

"Compared to the PC market, where almost every PC user has a security program installed, the use of security applications in mobile devices is not widespread. Thus, although the threat posed by malware to the mobile handset is likely to be less, the need for protection will be driven by the threat of data loss and theft," said Nitin Bhas, research analyst at Juniper Research. "Most enterprise-owned devices have access to corporate networks and data. This is proving to be the biggest potential threat vector."

Next: Customer Concerns

Wingert said his customers are becoming increasingly concerned with security threats from mobile devices.

"The mobile security issue is not new, it's just growing. We have seen limited movement to even encrypt the data passed through on laptops and mobile storage, so the threat we have now has expanded and made it easier to provide points of attack," he said. "Many threats are now being tailored to mobile devices due to their lack of the levels of security normally in place. Simple theft of an unlocked device could be enough to access corporate personal information that could be used for a variety of different things."

The threats are particularly pervasive on the Android platform, which Google has intentionally left open with limited, if any, regulation, experts say. While Android's openness has fostered creativity for developers, it also leaves a gaping security hole for malware authors wanting to spread malicious code rapidly on the popular platform to a large number of users.

"The reason it's becoming an actual threat is the explosion of Android and its popularity versus all the other platforms," said Armstrong. "The Android model is very open. The Android market is kind of the 'Wild West.' There's no code review and the other thing is, you can get apps from other places."

Google recently has been held to task for its lack of scrutiny for developers on Android applications, and has lately promised to harden the platform. The search giant is in the process of rolling out a server-side patch for a ClientLogin authentication vulnerability occurring in the way the operating system handles its authentication process. The glitch, which affects 97 percent of Android devices, could allow hackers to launch impersonation attacks on users via Google Calendar, Contacts and a myriad other Web services.

F-Secure's Hypponen said a big shift to Android and other mobile-based attacks would likely not happen until Windows XP platform declines in popularity.

But Google's recent security measures might be a day late and a dollar short in preventing crops of complex data-stealing malware from springing up on Android, experts say. The operating system has already experienced a 400 percent spike in mobile malware since the summer of 2010, according to a Juniper Network Global Threat Center report, "Malicious Mobile Threats Report 2010/2011." Among other things, the latest versions of the mobile malware contain sophisticated root privilege exploits that possess the ability to collect and send any data stored on a user's mobile smart phone to a remote server.

"Google gives these apps away for free with a lot of sourcecode," said Robert McMillen, president of Portland, Ore.-based All Tech 1, a security solution provider. "The specialized pieces of malware are pushed out to people's phones. Apple is criticized for having a locked down system, but it does help keep these threats from happening."

Next: Partners Find Opportunities To Secure Mobile Environments

Meanwhile, the growing threats are compounded by users' lack of understanding of the problem. "There is the lack of awareness that threats exist at all on mobile devices. People are using mobile devices just assume that they're impenetrable," Armstrong said.

Security solution providers said they've seen an increasing number of attacks targeting mobile platforms. McMillen said that he's seen an attack that sends a text message and sends a malicious payload to users once they respond.

These issues open up huge opportunities for solution providers to harden the devices with antimalware and mobile security solutions that wipe devices if they're lost or stolen.

Wingert said that PCMS is focusing on deploying mobile security solutions and providing IT service divisions, equipping customers with information in order to take action on a variety of mobile issues.

The company has increasingly focused on performing standard security functions applied to the mobile platform. To resolve security and management problems for their customers, PCMS has added comprehensive mobile security software to its portfolio to manage endpoints and protect data from a centralized console.

In addition, the explosion of mobile devices has opened up avenues to virtualize applications to keep them in-house, as well as secure Web portals from threats, Wingert said.

The growing mobile trend has also facilitated more opportunities for consulting and best practice education services, especially ones that govern passwords, partners say.

"Awareness is the key issue -- bringing the issue to the forefront for those that have to manage data protection and security for their respective companies. Many have not considered the impact, and those that have, would rather restrict their use then enable it," Wingert said.

McMillen said All Tech 1, for example, helps their SMB and lower midmarket customers create mobile security plans tailored to their environment. Among other things, the plan entails the knowledge and use of higher-end passwords, as well as installing security software onto their smartphones and tablets.

In addition, the All Tech 1 provides security software installation and monitoring services on all their customers' mobile device, complete with a weekly status check for all their customers' devices, and retaining the ability to remotely wipe the devices of all data if they become compromised.

The company is also available on-call, should their customers have any issues, whether theyr'e malware or a simple hardware connectivity issue.

"Users are moving away from desktop PCs. More businesses are using tablets and smartphones. It closes one door but opens another. The threats to open devices like Androids really turn this into the Wild West. We don't know what we don't know. It's just too new," McMillen said. "If you don't have a mobile security plan, you might as well throw out all those mobile devices and go back to your desktop."

Ultimately, solution providers say it's up to the channel to prepare businesses for impending mobile revolution.

"If you embrace this early, when you're in the initial stages, if you got in on the front end, then you will be the expert when this explodes," McMillen said. "We're trying to be the experts when it's still the Wild West. We want to be the ones the bigger companies look to for advice."