Employees' use of personal devices – the consumerization of IT – is commonplace in the United States. In a recent survey from Citrix, 44 percent of CIOs said they have a formal, bring-your-own (BYO) device policy. In two years, 94 percent of the respondents will have one.
Not all smartphones, however, are created equal: The popular Android holds a number of threats for the enterprise network, from malware to unauthorized transmission of personal data to SMS scams. We expect more news of Android's security weaknesses in the coming months, because the platform's openness and marketplace processes makes it enticing for criminals.
Securing Android – or any mobile device – will go beyond standard protection methods. The mobile phone's connection points – user, charging device and external network – are what make it vulnerable. These vectors don't exist in the PC world. Current threats for Android range from malware that steals device data – including messages, emails and call contents – to text messages that charge premium rates to trojans that access the network via the mobile connection point. Only recently, Android trojans that record and transfer voice calls have been seen. With Android, the CIO needs a laser focus on permissions, device security and connection points to prevent these threats.
Mobile device network access and permissions should specify what each individual mobile user can access and do on the network. If malware is able to access the network, these controls will make it tough to reach data. The organization must also ensure it has enhanced security for each smartphone, beyond what is on the device.
Not all smartphones, however, are created equal: The popular Android holds a number of threats for the enterprise network, from malware to unauthorized transmission of personal data to SMS scams. We expect more news of Android's security weaknesses in the coming months, because the platform's openness and marketplace processes makes it enticing for criminals.
Securing Android – or any mobile device – will go beyond standard protection methods. The mobile phone's connection points – user, charging device and external network – are what make it vulnerable. These vectors don't exist in the PC world. Current threats for Android range from malware that steals device data – including messages, emails and call contents – to text messages that charge premium rates to trojans that access the network via the mobile connection point. Only recently, Android trojans that record and transfer voice calls have been seen. With Android, the CIO needs a laser focus on permissions, device security and connection points to prevent these threats.
Mobile device network access and permissions should specify what each individual mobile user can access and do on the network. If malware is able to access the network, these controls will make it tough to reach data. The organization must also ensure it has enhanced security for each smartphone, beyond what is on the device.
Finally, the IT department should increase the scans of inbound and outbound device connections to spot unusual patterns. These additional steps will give the CIO a consistent level of usage policy enforcement and control, which, in turn, will allow more security across the mobile infrastructure and the internal fixed network systems.
This article originally appeared in the October edition of SC Magazine.
