Tuesday, November 21, 2017

We're All Under Attack!! Buy My Product Now!


It is generally the role of security vendors to alert potential customers as to the dangers from certain threats, namely threats that the vendors' products provide protection for. There's a fine line between education and scare tactics, and sometimes the desire to make a point can cause that line to become blurred.

Which brings us to an article published last week entitled Mobile Malware Incidents Hit 100% of Businesses. The article describes research by Check Point that may or may not confirm our worst fears: Every enterprise has experienced mobile malware attacks.

Furthermore, Check Point's research also revealed that "89% of organizations experience at least one man-in-the-middle incident stemming from users connecting to a risky WiFi network." Well, that's a relief, I was worried that the figure would be 11 percent higher.

Now, let's ask ourselves a question: Where's the enterprise breach that resulted from either mobile malware or man-in-the-middle (MiTM) attacks?

That's okay, take your time. I can wait.

Still waiting.

Maybe the answer is that mobile malware and mobile MiTM attacks represent only a negligible risk to enterprises. As we've noted previously, while there's a significant risk to enterprises from use of mobile apps that leak corporate data, mobile malware is almost exclusively a threat to consumers--not enterprises.

Yes, the term "malware" connotes real risk to enterprise desktop and infrastructure systems, and has been the cause of breaches from Target to Home Depot to Sony to Equifax. But mobile malware is different, and while trojans (otherwise called fake apps or camouflage apps) can perpetrate financial fraud against you or me, it has not yet shown itself to be a threat to enterprises. Mobile ransomware can lock up an individual's files and lead to temporary loss of functionality by a single user. However, mobile ransomware is not a threat to enterprises in the same way ransomware that locks up hospital servers is. Other mobile malware that perpetrates toll fraud and click fraud is annoying, but hardly an existential threat to enterprises.

Mobile malware should be considered in two categories: broad-based attacks and targeted attacks. The examples cited above, including trojans and ransomware, are broad-based attacks, aimed at a large population of users. An example of a targeted attack is Pegasus, which we know has occurred in the wild at least twice, both times against political dissidents in the Middle East and Mexico. So far, no mobile targeted attacks have been publicly reported against enterprise executives or key knowledge workers.

So what's an enterprise to do to ensure their use of mobile is secure? Think about how to protect data that's accessed by mobile devices, and be aware of concentrations of user data in the cloud resulting from mobile use. In general, it's apps that access and manipulate data, and an app-centric approach is likely to provide the most value from a security perspective.
