iOS No More Secure Than Android When It Comes To Enterprise Security

With stats such as 99% of mobile malware in 2013 being targeted at Android devices (via Cisco’s annual security report), and Android’s increasing fragmentation, it’s no secret that iOS is commonly considered to be the more secure mobile OS when compared to Android.

However, according to a recent report by Marble Security, when it comes to securing corporate data in the enterprise, iOS is not inherently any more secure than Android.

But what about Apple’s tight control over app distribution and OS versions?

While these processes (among others) definitely help create a more secure environment than Android, the report revealed the real security issue lies with the end user.

Why Enterprise Data Is Always At Risk

When considering the security of corporate data, the focus generally gravitates towards the operating system or how apps are screened and approved in the corresponding app stores of the two platforms.

However, Marble Labs concluded in its report that despite the differences in approaches to security, both Android and iOS are equally vulnerable to a number of mobile security threats in a BYOD environment.

There are multiple ways for end users to circumvent security measures implemented in both mobile platforms, whether intentionally or not. For example, while iOS devices are restricted to downloading apps only from the App Store, once a user jailbreaks a device they can download apps from multiple sources, creating a security hole in the “walled garden”.

Both iOS and Android are also equally open to attacks via malicious apps, SMS, compromised WiFi hotspots and others (see table below), all of which are a result of user behaviours.

Some Examples of Mobile Security Threats:

Type Of Threat: Example

Phishing: A user who frequently checks multiple email accounts on a device that lacks phishing security opens doors to information on the corporate network.
Apps Mining Corporate Data: Social networking apps that encourage the user to provide the app with access to their device’s address book can give hackers an opportunity to access the company’s Active Directory.
Backup Hijacking: If a user backs up their device (as well as email, the corporate address book, etc.) to a cloud service, this data could be downloaded by an attacker if the account is compromised.
SSL Vulnerabilities: Both operating systems allow apps to compile their own SSL libraries to communicate securely over the internet. If these libraries have vulnerabilities, such as the recent Heartbleed bug, user data and sessions can be compromised.
Accessing Public WiFi: During a meeting in a coffee shop, the user may connect to the free WiFi available, but that could be a WiFi connection created by a hacker waiting to access all your corporate data.

So, How Can You Improve Enterprise Security In a BYOD Environment?

While managing end user behaviour on employee owned devices is incredibly challenging, there are ways to reduce the risk of security threats generated by end users.

End User Education

Many enterprises fail to realise the value of educating employees about security threats, especially when users are using their own devices.

Enterprises should create ongoing training programs to educate employees about existing threats and how to avoid becoming a victim. It’s important to make this an ongoing event to keep the end user up to date on new threats.

With ongoing end user education, employees will have a continuing opportunity to really understand how their actions can compromise corporate data. David Appleburn, Senior Vice President of Moka5, encourages educating employees on BYOD and suggests the three steps all enterprises should take here.

Corporate Policy

According to an Acronis Research Study, 60% of enterprises do not have a corporate policy on BYOD. Without a clear policy on the use of personal devices while connected to a company network, the security of corporate data could be at risk.

It’s vital for enterprises to create or update existing corporate policies on BYOD so employees are aware of the permissible methods of enterprise mobility and do not become leak points for corporate data. Also keep in mind that a corporate policy for BYOD should be regularly reviewed and updated. Check out these tips on how to create a secure BYOD corporate policy.

Consider Using Corporate Owned Devices

According to the Marble Report, mobile users are three times less likely to experience attacks than users that have been issued with a corporate device on an inside corporate network.

COPE (Corporate Owned, Personally Enabled) can potentially save the enterprise from data being leaked to hackers and/or competitors. At face value, providing employees with devices can seem hefty in price; however, a survey conducted by Dimension Data showed that 67% of those surveyed did not see a change in expenditure when using a BYOD model and 24% of respondents actually saw a rise in cost. You can read more about the COPE vs BYOD debate here.