Educating users about downloading from mobile app stores is similar to when we had to warn about opening suspicious e-mail attachments.

Creating mobile security policy? Remember ‘I love you,’ Kaspersky says

I.T. administrators in charge of securing mobile devices must be prepared to tell even executives there are no exceptions when it comes to company policies, says an executive from a security vendor.

User education is a critical part of making sure sensitive corporate data doesn’t leak out of the many new end points – in the form of smartphones and tablets – popping up in businesses of all sizes. Whether it’s employees bringing their new gadgets to the office and wanting to use them for work, or a new company initiative to deploy smartphones to the workforce, a strict security policy matters. That’s what Kevin Krempulec, the vice-president of Kaspersky Lab, told attendees at IT World Canada’s Tech Outlook event today. In doing so, he hearkened back to the “I love you” virus that circulated around the year 2000.

“It played on human emotions,” he said. “What we did as security professionals was an incredible job educating our users to use discretion when opening e-mail attachments.”

In the year 2012, users need to be educated in the same way about downloading apps from mobile storefronts, Krempulec says. And that comes after delivering the basic mobile security 101 message that users need to lock their devices with a good password.

Android malware quickly expanded in 2011. (Chart: Kaspersky Lab)

Some mobile storefronts are doing a questionable job overseeing the applications they allow in, chips in Keir Humble, a systems engineer at Kaspersky Lab. Google Play’s storefront on the Android platform has an open approach that allows anyone to submit an app. Today, there are almost 15,000 malware samples written for Android.

“All you have to do to find one is spend an afternoon watching football on Sunday, then try and go look for some of the game statistics on your phone,” he says.

Enabling workers on mobile devices may be a challenge, but it’s one worth taking on, says Michael Gilfix, business executive at IBM Worklight. Different types of employees across many industries stand to benefit from mobile solutions.

“There’s a transformative aspect to adopting mobile technology,” he says.

A Kaspersky study of mobile malware in 2011 shows a sharp upwards spike in the number of malicious software variants targeting Android towards the end of the year. In November, there were 1,008 new items targeting Android, and in December 1,179. That accounts for nearly all of the malware targeting mobile devices.

While Apple has done better with its App Store, some users choose to “jailbreak” their devices, Humble says. This is a hack that gives them access to underground app stores that may expose them to malware. That’s why company mobile policies need to have teeth.

“We need to start by convincing executives they can’t break their own policies just so they can have the latest device in their pocket,” he says.

Mobile malware is nothing new, Krempulec adds. It’s the same old techniques used to target traditional platforms – find a weakness in the OS and drop a malicious payload to the device. So the steps to creating a secure environment should be familiar:

•  Start by creating a bring your own device (BYOD) policy

•  Make the focus data protection

•  Plan for employees to use multiple devices (e.g. a smartphone and a tablet)

•  The goal is simplified management of devices

•  Make sure everyone understands the security risks

Brian Jackson is the Editor at ITBusiness.ca. E-mail him at bjackson@itbusiness.ca.