Businesses have been lax in implementing defence mechanisms against malware on mobile devices, despite the acceleration of the ‘bring-your-own-device’ (BYOD) trend in the workplace.
Addressing attendees at the Australian Information Security Association (AISA) 2011 conference in Sydney, Lumension security and forensics analyst, Paul Henry, said the trend of staff bringing their own iPhone or Android device to work and plugging it into the corporate network was presenting a significant threat.
“It is absolutely creating a huge problem and we’re not finding a great deal being done from a defensive perspective yet regarding those devices,” he said.
“The bottom line for me is if you don’t get control of those mobile devices they will absolutely get control of you.”
The amount of malware on mobile platforms has experienced a “tremendous” increase, Henry said, with the primary malware target shifting from Symbian a couple of years ago to Apple, which has since “been hammered” by Android.
“Apple for all of its faults did get one thing right, they’re whitelisting the applications that you’re downloading onto your Apple iPhone, they will actually look at the code and if they don’t like something they’re not going to allow it into the store,” he said. “How much checking is done on an Android application before it’s loaded up on the Android marketplace? Zero, nothing whatsoever.”
According to Henry, Android is “like the wild, wild west”, with anyone able to develop an application and load it up to the marketplace without it being checked.
“It really is the same old song and dance, just like any other malicious intent that we’ve seen on the net, it starts out initially as an annoyance just trying to aggravate you a little bit, as soon as the bad guys realise ‘well hey, we can make money with this’, it really does take off.”
Android phone users are 2.5 times more likely to run into malicious websites than they were six months ago, he said, with 30 per cent of Android users this year likely to encounter Web-based threats such as phishing scams, drive-by downloads and browser exploits.
“We’re reaching that point now with our mobile phones and devices, as soon as we started doing our banking transactions on our iPhone and our Androids all bets were off and bad guys are absolutely targeting them today, they’ve figured out that they can make money with our mobile devices.”
Cisco’s chief security officer, John Stewart, recently said there was a need for employees to be educated on how to protect data on their smartphones and tablets to ensure BYOD security.
The majority of staff try to safeguard their devices but are not equipped with the knowledge to secure them effectively, Stewart said.
“They’ll make mistakes, but they’re not trying to deliberately hurt the company, they’re not trying to deliberately lose information, they’re not trying deliberately to lose a thumb drive.
“On the other hand, they are also very rarely fully knowledgeable on what it is you have to do to protect stuff.”
Follow Chloe Herrick on Twitter: @chloe_CW