Android-based mobile malware rises – but what is the risk to Indian businesses?

The security impact of consumerisation

According to a recent survey from ISACA, 46% of Indian companies have blocked the use of mobile devices at work. But there remain many companies embracing the concept.

Many Indian businesses use mobile channels for service delivery, information access and connecting with customers. Securing businesses from mobile viruses and threats has now become a more urgent task than ever. Microsoft recently launched Office 365 Mobile for Android, which could see more employees working on the move.

“This is the new paradigm and we are increasingly seeing security being traded over convenience, especially considering the information the applications have access to and the threats posed by exposing sensitive business and financial information to an application that we download on the phone,” said Altaf Halde, managing director at Kaspersky Lab, South Asia.

According to research from B2B International and Kaspersky Lab – which questioned 133 Indian businesses – over 50% of Android-based smartphone and tablet owners do not use any security software to block cyber threats: “95% of respondents reported that at least one mobile device-related security incident had been recorded in their company in the past 12 months,” said the research.

The rise of mobile delivery

Mobile is becoming increasingly important for Indian businesses, according to Manatosh Das, analyst at Forrester Research. Das said the three main delivery models used to reach customers are SMS marketing and service alerts, mobile websites and mobile applications.

Das said a major security challenge organisations face is the result of bring your own device (BYOD) schemes introducing infections that result from vulnerabilities and malware such as trojans, worms, rootkits, adware on the users’ mobile devices.

“The greatest risk with adoption of BYOD is the advanced persistent threat (APT). The corporate networks cannot handle sophisticated, targeted and persistent threats arising from mobile devices at the workplace. Employee usage of unsecured internet connections on mobile devices for personal use poses threats to the corporate network as they make these smart devices the bridge point for hackers to get entry into corporate network risking significant business data,” said Das.

Platform variety compounds security issues

Managing different operating systems and the security requirements across a range of mobile platforms increases the overall security exposure for the organization.

“CISO offices must update their security policies to address BYOD implications or design a separate BYOD policy according to the changing environment and new risks and threats. Also, workforce segmentation exercises must be conducted to address BYOD requirements and appropriate access must be granted according to needs,” said Das.

“Enterprise mobile technologies like mobile device management (MDM), enterprise application store, containerization of important business data and application wrapping must be implemented as per the requirement.”

According to Halde at Kaspersky Labs, IT heads should deploy mobile security software to every device that is accessing/using its business data. These should be configured with data access restrictions as soon as it appears on a network, providing endpoint protection for all devices within the organization to prevent data loss and corruption.

“This helps to eliminate the security breaches that can result from enabling mobile access to corporate systems. Even if an employee loses a mobile device or leaves the company, the administrator can prevent access to business data by remotely wiping out the corporate data, without affecting the user’s personal data,” said Halde.