Enterprise Mobility & Connected Devices Blog

The Attack Surface Problem on Mobile Platforms

In comparison to desktop PCs, the number of threats on mobile platforms is actually low (today), but the pace of device proliferation has changed the traditional definition of a network endpoint, and has made smartphones and tablets an attractive target for those seeking to do harm. While device manufacturers continue to enhance the embedded security that resides on their hardware with each successive release, cyber criminals are altering their tactics and are keen on taking advantage of flaws in mobile platforms and applications. Another complication for corporate IT is the fragmented state of today’s mobile OS landscape. While RIM continues to struggle, our data indicates that on average, organizations support more than 2 OSes (we anticipate this to be the case for the foreseeable future as well). This is problematic from a security and device management perspective, and increases the complexity associated with effectively administering a multi-platform mobile environment.

For the criminally minded, personal email, contacts, passwords and other stored personal and/or corporate data all present a potential treasure trove of high-value information that can be exploited. Scams such as phishing (where passwords and other personal information can be stolen), location (GPS) tracking, and financial malware are all opening the door to illicit and potentially criminal activity. Invariably, new technology platforms introduce new vulnerabilities, which often enable new attacks by increasingly potent adversaries. The challenge for organizations that recognize the strategic advantage available to them from investing in mobility solutions will be to prioritize investments in technologies and practices that can best protect assets and maintain operational efficiencies without disrupting business innovation. This will be an essential top management issue as mobile workforces continue to expand.

A common characteristic of mobile devices is their multiple connectivity options (depicted below); this is distinctly different from traditional PCs, which appear as a single endpoint on a corporate network. The robust connectivity options make mobile devices extremely powerful, and make data retrieval and information sharing painless; however, they also expose mobile devices to a variety of security threats, particularly when deployed in corporate settings.

Bottom line – understanding the attack surface on mobile platforms is critically important for companies as they expand their mobile workforce. Moving forward, developing a threat-vector-based defense-in-depth architecture will be required – the battle over who provides these security solutions has intensified, and is sure to keep intensifying. The best protection to “future proof” mobile technology platforms will be to not only appropriately invest in the staffing and training of IT personnel, but to arm them with the powerful software solutions that continue to mature and provide the level of protection that is necessary in today’s mobile ecosystem.

A growing number of vendors are acutely aware of the attack surface problem, and are emphasizing their security-orientation as they compete in the enterprise mobility market – if you represent an organization with a mobile-oriented enterprise-grade security solution, I'd welcome the opportunity to speak with you about your solution(s).