Employee emails, contact lists, authentication credentials and sensitive company documents are some of the primary assets that must be protected on mobile devices, audience members said Wednesday during a standing-room-only mobile session at SC Congress Canada.
“The more portable the device, the more likely it is to be stolen, and that is the biggest mobile threat,” said speaker Sahba Kazerooni, director of professional services and training at application security firm Security Compass.
Besides the threat of lost or stolen mobile devices, security practitioners must be thinking about how they can stem the growing tide of mobile malware, man-in-the middle attacks and shoulder surfing, Kazerooni said.
On the low-tech end of the threat spectrum, shoulder surfing is rising with the proliferation of tablet devices – the larger the screen, the easier it is to spy on, he said. Going forward, users also are likely to encounter more SMS-based spam, which will be sent from compromised mobile devices.
Mobile device management (MDM) solutions, used to enforce password policies and control application downloads, can help organizations protect against some of these threats, Kazerooni said.
Even with such solutions in place, however, an attacker with physical access to an iPhone or Android device, fore example, can use jailbreaking or rooting techniques to circumvent strong passwords, Maxim Veytsman, security consultant at Security Compass, demonstrated in a video shown during the session.
Consequently, organizations should consider using encryption, which may result in performance headaches, but will ultimately yield greater levels of protection for data stored on mobile devices, Kazerooni said.
“Security and usability are sometimes at odds,” he said.
In addition to technologies such as MDM and encryption, organizations should implement a program to train employees about the appropriate use of mobile devices.