With all the benefits that are tied to Bring Your Own Device (BYOD) policies — greater productivity, higher job satisfaction, etc. — many may still wonder why some companies don’t wish to pursue it. After all, BYOD could end up saving businesses money in the long run. Then why such reluctance to embrace the BYOD movement? Most business owners will say the exact same thing: it’s all about security. Having employees use their own devices at work simply introduces too many security threats, and businesses have enough to worry about as is. Considering the major security breaches that have hit big companies like Target and Home Depot, this cautious approach to mobile devices seems like a prudent move. But is it a case of being too cautious? In fact, some are even going as far as saying the threats that come from mobile devices are way overblown.
Some recent reports seem to back up the claim that too often over the last few years we’ve overstated the actual threats, particularly malware, that mobile devices introduce into the enterprise. One such report comes from McAfee that shows out of all the malware currently out there, only 1.9 percent of it is mobile malware. That would come out to a little under 4 million threats compared to the more than 195 million that we know about. Another report from Verizon shows even lower numbers, with only 0.03 percent of smartphones being infected with what is called “higher grade malicious code.” But some numbers go even lower than that. Damballa, a mobile security vendor that monitors roughly half of mobile data traffic, recently released a report showing that only 9,688 smartphones out of more than 150 million showed signs of malware infection. If you do the math, that comes out to an infection rate of 0.0064 percent. Even more interesting is that despite the increase in mobile devices, Damballa found the infection rate had declined by half compared to 2012. However you want to look at the numbers, it becomes clear that the severity of malware from mobile devices has been vastly overstated.
These reports may show mobile threats aren’t as big of a problem as previously thought, but why was mobile security considered so crucial in the first place? When looking at malware threats, many studies looked not at the actual number of devices that were infected but rather the variety of threats. In addition to that, malware tends to term used broadly. In the Verizon report, for example, hundreds of thousands of mobile devices were found to be infected with malware, but the vast majority of it was actually adware. While adware can certainly be annoying, it’s not necessarily damaging to a device or the data stored on it. That’s why the Verizon report made sure to differentiate between low grade and higher grade malware.
One may also wonder why the numbers are so low at all. After all, cyber criminals like to target new platforms and exploit security weaknesses. Why do they seem to be avoiding mobile devices? The truth of the matter is that mobile users tend to get their apps from high quality app stores. The stores from Google and Apple work to filter out apps that are considered suspicious. If malware is found in apps after they’ve already been on the market for a while, app stores can also execute a kill switch, which takes the app off the store and the devices where they were downloaded. This limits malware’s ability to spread.
Of course, this doesn’t mean that companies that adopt BYOD should just ignore BYOD security; they just don’t have to go all-out like many businesses have been doing. Most mobile security experts say a mobile device management system remains a good investment to ensure mobile devices are being handled appropriately. MDM systems also allow an organization to remotely wipe devices, thus keeping sensitive data safe in the event a device is lost or stolen. But malware really isn’t a factor in those cases, so the overall message from these recent reports is that getting worked up over mobile threats is not necessary. A company can still gain all the benefits of BYOD without having to worry incessantly over what they’re doing to protect every device that connects to their network.
Image Credit: Flickr/Derek Gates