It's enough to make a company lose its app-etite. From January to July of this year, 718,000 malicious and high-risk apps were distributed on the Android mobile platform alone, according to JD Sherry, vice president of technology and solutions at computing security firm Trend Micro in Irving, Texas. That's more than double the number of Android-based malware apps discovered in all of 2012.
This is the new open-door reality that gives nightmares to IT chiefs, and it's only getting worse. Already, more than half of the U.S. adult population connects to the internet through a smartphone or tablet, and 60 percent of businesses allow employees to access company networks via their personal devices under a strategy known as Bring Your Own Device (BYOD). Why? The efficiencies offered by a mobile work force are too great to pass up, and moving the cost of access to the employees is too juicy a cost savings to ignore.
Android apps accounted for 79 percent of all smartphone malware last year, according to security firm F-Secure. But Apple's iOS isn't entirely in the clear. While Apple doesn't release malware figures, Sherry points to 2012 reports that a handful of products that had made it through the App Store approval process turned out to be carrying nefarious software.
The potential for damage this brings to a business with a BYOD policy is something Rizwan Hussain knows all too well. As vice president of sales at AllRounds, a Bay Area startup that provides private capital analytics and automation, Hussain managed a team of reps who were constantly on the go. In order for his employees to hit their sales targets, they needed constant access to the AllRounds IT infrastructure, which allowed them to do everything from e-mailing prospects to issuing contracts.
"The problem I have with BYOD is security," Hussain says. "Most personal devices have a range of user-installed apps. How am I supposed to know if any of them are malicious and can hurt my network? Then there's the whole storage issue. Where exactly is our company's data being stored when someone uses their own device, and what about the security risks if someone loses their phone or it's stolen?"
Forward-looking IT pros are in the process of mapping out a new set of rules for BYOD. This can start with implementing a companywide policy that addresses acceptable and unacceptable device use and provides details of excluded apps, data ownership and scheduled IT access to the device for updates. Those same pros are also pushing for encryption of all files stored on or accessed by a personal device, either through the phone's encryption program or through a third-party app such as TextSecure or RedPhone. Another option is to mandate that employees use a tool like Divide, which creates a fully functioning workspace within the device that provides government-grade security and protection for the business.
Defensive maneuvers aside, Sherry warns that the big question with BYOD is not if your employees' phones will be infected but when.