To address these new challenges, the report said, enterprises need to shape their risk exposure, communication, end-user education and technology in a delicate balance.
One of the newest vectors of attack – the so-called “bring your own device” approach – has sprung up from the burgeoning market for smartphones and tablets and their adoption into the enterprise network, the report said. Security issues seen on the mobile platform are rising with the market – with twice as many mobile exploit releases as were seen in 2010.
Third-party app markets, a Wild West of often unregulated offerings, are the primary bazaar for malicious software created to attack mobile phones. On top of the heap of malicious software for mobile devices are corrupt SMS messaging services, which dupe consumers into sending text messages that result in premium charges. Such services could also lead to data being siphoned from users' devices, the report found.
Infected mobile applications can also come from peer-to-peer networks hosted on websites. These gray-area venues have been used for years by consumers downloading pirated music and movies (for free or at low cost), and are now serving up knock-off versions of commercial Android applications. The problem is that many of those third-party apps come loaded with malware.
"It is not just a hypothetical risk anymore," Tom Cross, manager of threat intelligence and strategy for IBM X-Force, told SCMagazineUS.com on Friday.
Critical vulnerabilities are also causing major concern. In the first half of 2011, such flaws allowed three times as many high-profile attacks as the previous year, causing IBM to call 2011 the “Year of the Security Breach.”
This year's breaches have highlighted the emerging risk of “whaling,” a variant of spear phishing that targets “big fish,” or high-level personnel with access to critical data. In these targeted attacks, the “bad guys” research online profiles to amass enough personal information about a target that, when the target receives a customized message appearing to come from their boss or IT administrator, they are duped into clicking on a malicious link.