Earlier this month, Check Point Software released its 2015 security report, which found that mobile devices have become the biggest threat for today's enterprises. I like the fact that more vendors are doing their own studies and sharing the findings. Cybersecurity has so many facets that it's very challenging for IT departments to understand where to focus their energy, so surveys like this help.
The survey revealed something that I think many businesses have turned a bit of a blind eye to, and that's the impact of mobile devices, primarily due to the wide acceptance of BYOD. The last Network Purchase Intention Study by ZK Research (disclosure: I'm an employee of ZK Research) showed that 82% of businesses now have some kind of BYOD plan in place. Even heavily regulated industries like healthcare and financial services are putting BYOD programs in place because of pressure from the lines of business. Years ago, CEOs and managers didn't want consumer devices in the workplace as they were considered a distraction. Today, businesses that do not allow workers to use mobile devices are putting themselves at a competitive disadvantage.
In actuality, it's not "BYOD" that's the real problem. It's the fact that these devices are mobile and can be connected from virtually anywhere. Whether the company or the individual owns the device, workers are still able to take it to an uncontrolled area, connect and do what they need to do to be productive. If the company owns the device, it's certainly easier to keep the device in compliance with corporate policy, but both individually owned and company-owned mobile devices pose a risk.
The Check Point survey found that organizations with more than 2,000 devices on the network have a 50% chance that at least six of them are infected. The survey also showed that almost three-quarters of respondents felt that the top mobile security challenge is protecting corporate information on mobile devices. This makes sense considering that workers will access company data from almost everywhere.
Think about the fact that workers will connect a mobile device to a public access point without knowing anything about it, particularly when cellular service is poor or when roaming and connecting over cellular is cost-prohibitive. We all want to work from anywhere and we'll use whatever means necessary to connect. Now, what if a worker is in a restaurant and, when browsing the list of available wireless networks, they find one called "Free City WiFi"? Most people would connect to this without thought. What if that happens to be a cleverly named access point in some cybercriminal's apartment above the restaurant, and they're capturing all of the information going to and from the mobile device? Corporate data is at risk when workers are off the company network, and it's critical that the proper steps are taken to secure the mobile devices.
The other risk that mobile devices create is that they could get infected when off the network and then spread that malware around when they reattach to the business network. Typically, user connections don't have to pass through a next-generation firewall or an IPS, so the only way to understand if a device is causing harm is to look at the flow information going to and from the device and quarantine it if anything looks anomalous.
I'm certainly not saying that businesses should ditch their BYOD efforts or stop supporting mobile devices. That would be business suicide, as workers would revolt. The important thing to understand is that an increase in mobile devices increases the chances of a breach, to the point where all companies should accept the fact that it's probably going to happen. There needs to be a focus on understanding what to do when the breach occurs and how to mitigate it before serious damage is done.