Android malware encounters grew 2,577% during 2012, according to Cisco’s 2013 Annual Security Report. Malware, software designed to damage a system or to steal money or information, is tracked by Cisco when the networking giant detects or blocks an attack. Most attacks fall into one of three categories: attempts to secure a payment from the victim, efforts to steal intellectual property, or “hacktivist” attacks designed to generate publicity.
Cisco says hackers plan their attacks for times when they know network traffic will be high. Attackers targeted carriers during the fall of 2012, knowing that network traffic would spike with the release of the iPhone 5. But Android was the primary target because of its open architecture.
While mobile malware is clearly on the rise, it represents a tiny fraction of the attacks intercepted by Cisco. As a networking company, Cisco encounters many more attacks in web software, but nonetheless highlighted the growth in mobile malware as the most salient finding in its report.
The mobile threat
Employee-owned devices are more than twice as likely to be infected with malware as company-owned computers, according to Gartner. And those devices are increasingly being used to access company data. “It’s no longer work content at work and home content at home, it’s many devices, many services, many clouds,” said Michael Covington, product manager for security intelligence operations at Cisco.
Covington says the traditional security “silos” like email servers and corporate firewalls are much less meaningful now that many companies are moving data to the cloud and many employees are accessing that data over cellular networks and Wi-Fi. “It’s increasingly less likely that people are going to be accessing corporate resources from the enterprise network and that is really getting into why mobile matters,” said Scott Simkin, who oversees security product and solutions marketing at Cisco.
The mobile threat means that a larger number of networks and servers are now handling company data, so that chance of interception by a third party is greater. The threat of malware “spreading” from an infected mobile device to a corporate network is less severe. “Most mobile clients do not run web services that are accessible by other clients on the broader Internet. It’s a subtle, but very important, distinction,” said Covington.
Keylogging, passwords, and Generation Y
There are many “keylogging” apps for Android, some of which are used by parents to track their kids’ online behavior. But keylogging software can also be used by hackers to steal passwords, particularly from Android users. “Because it’s an open architecture, it might be more susceptible to malware, but there are companies that have developed solutions,” said Mitch Black, president of MOBI Wireless Management. MOBI procures devices and manages wireless service for a variety of corporate clients, so Black sees a lot of security solutions. He said software solutions can go a long way toward making devices safer, but that “at the end of the day it’s really about having the policies at the corporate side and executing and adhering to those policies.”
But adhering to corporate policies is much less common than some IT departments may think it is. Cisco interviewed 1,800 18-30 year olds as part of its Connected World Technology Report, and found that only 40% of these “Gen Y” workers were aware of their company’s security policy. And of those 40%, four out of five said they did not bother to adhere to those policies.
Striking a bargain
Cisco says younger workers are more likely to pay attention to policy if there’s something in it for them. “Workers are willing to bargain with IT departments,” said Cisco’s Simkin. He said that when workers bring their own devices to work, they are willing to share visibility with IT departments if that is the price they must pay in order to access corporate resources on the device.
“It’s really important to be able to have that level of visibility into not just those traditional security silos but also the users, the services, the applications no matter where they reside. It’s really going to be the only way to lock down the content as it travels across the network,” said Covington.
The end of privacy?
So how likely are employees to share access to their mobile devices with corporate IT departments? 91% of the “Generation Y” workers surveyed by Cisco believe the age of privacy is over, but two thirds of them said their IT departments have no right to monitor their online behavior, even when they are on a company network. As a group, respondents were more willing to share data with online retail sites than with corporate IT departments. Ironically, retail sites were found to be one of the most popular destinations for hackers trying to introduce malware to a device — they do it by serving a fake ad and hoping the user will click.
More than half the 18-30 year-old survey respondents said they were willing to share personal data with retailers if they thought it would benefit them. That should reinforce the message for companies that if they want visibility into employee devices they need to give something in return. Enterprises that withhold access to corporate resources until employees grant visibility onto their devices may have the best chance of implementing effective policies. In order to protect corporate privacy, companies will ask workers to relinquish some of theirs.
Follow me on Twitter.
