IT Decision Maker

Mobile Device Part 3: The New Malware Gateway

Invent something cool, something fun, something useful, and someone will find a way to ruin it for everyone.

That's what malware has repeatedly done for computers, for the Internet, for e-mail, and for anything else it can latch its ugly hands onto. We've responded with suites of anti-malware-ware, designed to catch phishing attempts, stop viruses and spyware, and much more.

Now our smartphones are at risk.

No, we're not really seeing traditional viruses, which for a variety of reasons don't yet make sense on a smartphone. But we are seeing an increasing number of e-mail and Web-based attacks that phish for information, direct users to malicious Web sites, and more. Regardless of what you allow your users to do with their mobile devices on their own time, what comes through the corporate e-mail server is your concern, and the risk of data loss is also your concern. It's not impossible -- or even difficult -- for phone-based malware to harvest users' contact lists, which would include business contacts. Phishing Web sites can easily harvest business credit card numbers, login accounts, and more.

We can fight the e-mail vectors in the normal fashion, by having our e-mail servers act as a secure bastion. Scanning and filtering tools become more important than ever. But protecting users' smartphones against Web-based attacks is trickier, because they won't always be passing through our corporate firewalls and gateways.

There's an emerging vendor space for tools designed to help us protect mobile devices when they're off the corporate LAN, and it's also time for us to consider a sit-down, heart-to-heart talk with our users. Yes, training. Let's haul everyone into class, show them some real examples of phone-based malware attacks and help them learn to recognize the signs. Test them. Heck, make a game show out of it. Here's an e-mail -- is it safe to poke the link with your finger or should you tap the trash can icon instead? Here's a Web site -- what would you do to check its validity?

If users want to be issued a corporate smartphone, or even want to be able to have their personal device access corporate resources, make this half-day class mandatory. Make yearly refreshers mandatory, too. For many organizations, that won't be a problem: Companies that use heavy or specialized machinery, for example, are long accustomed to periodic re-certifications for their employees. If a smartphone isn't a "specialized device," what is?

Does your company have a plan for helping your users combat mobile malware? What would you suggest for other readers to consider?


Posted by Don Jones on 10/14/2011 at 1:14 PM

