Bolstering a Phone’s Defenses Against Breaches
http://www.nytimes.com/2013/10/14/technology/bolstering-a-phones-defenses-against-breaches.html

SAN FRANCISCO — From Lookout’s headquarters here, the view extends west from the Bay Bridge to the Golden Gate, but its employees — mostly 20-something engineers in T-shirts and jeans — seem too preoccupied with the world’s nastiest new threats to take it in.

Lookout’s employees are busy tracking the cybercriminals and aggressive advertisers that target the 45 million people around the globe who have downloaded the company’s free mobile security app.

That is Step 1 to a more lucrative goal: protecting the data of big, corporate customers that are allowing employees to use their own mobile devices on corporate networks.

The so-called bring your own device, or B.Y.O.D., trend can lead to trouble. Last year, for example, Jackson North Medical Center in North Miami Beach, Fla., banned personal smartphones after a volunteer used his phone’s camera to take about 1,100 photos of patient records, including their Social Security numbers, and sold them.

Such episodes are not that unusual. Almost half of companies that allow personally owned devices to connect to the corporate network have experienced a data breach, either because of unwitting mistakes by employees or — as was the case at the Florida hospital — intentional wrongdoing, according to a 2012 survey of 400 technology professionals by researchers at Decisive Analytics.

“It’s amazing that at power plants workers are required to wear hard hats and steel-toed shoes, but then you have engineers plugging their mobile devices right into the network,” said Jerry Dixon, the former director of the cyber division at the Department of Homeland Security. “What could possibly go wrong?”

With that risk in mind, Lookout is taking aim at companies and government agencies in much the same way attackers are: it is using its app to slip under the door of enterprises via the hundreds of millions of employees who regularly bring their personal devices to work.

Lookout is among a handful of tech companies trying to capitalize on the B.Y.O.D. phenomenon that people in charge of securing corporate networks say has become their biggest headache.

In the past, they could mandate that employees use company-approved BlackBerry smartphones, which came with a tightly controlled network. But with BlackBerry’s future uncertain — the company was clinging to 2.9 percent of the global smartphone market last quarter, according to the research firm IDC — and consumers clamoring to use their iPhones, iPads and Android-powered devices at work, tech managers have had to consider alternatives and deal with the potential security threats that come with those alternatives.

Twice as many corporate employees use their own iPhones, iPads and Android devices at work than use corporate-approved devices, according to Osterman Research. Even the Internal Revenue Service, one of the slower technology adopters, recently introduced wireless access and is considering letting employees B.Y.O.D.

“The B.Y.O.D. train has left the station, not just for employees but for business partners and vendors who all have access to sensitive data from their devices,” said Craig Shumard, the former chief information security officer at Cigna Corporation, the large health insurer. “BlackBerry was the de facto standard, but now my peers are getting pressured to open it up and allow employees to do their business on any device.”

Most B.Y.O.D. antidotes are geared toward mobile data management. Companies like Good Technology, MobileIron, AirWatch and Citrix’s XenMobile help managers segregate corporate data from personal data on employees’ phones and offer features that help them remotely wipe proprietary information from a device if it gets lost or stolen. Symantec and Intel’s McAfee, the behemoths of the computer security business, have developed similar capabilities by acquiring mobile-focused start-ups.

Lookout approached the problem from a different direction, said Nushin Vaiani, a security analyst at Canalys, a market research company. It used a consumer app to increase the number of devices it can monitor and to gain better brand visibility.

The Lookout app — which backs up data, tells users if other apps are siphoning their information, locates lost or stolen phones and even e-mails users a snapshot of the thief if he fails to guess their passcode — has grown in use by a factor of 200 over the last three years.

Today, those tens of millions of devices act as global sensors, feeding all sorts of hairy threats back to Lookout’s Mobile Threat Network, a vast data set on a cloud of servers that tracks and analyzes malicious activity and helps researchers anticipate criminals’ next moves.

Nearly half of employees at companies in the Fortune 1000 run Lookout, which made its next move almost inevitable. Last month, the company announced Lookout for Business, which is meant to help businesses manage and secure employees’ mobile devices, whether or not they are company-issued. The app will block malware, spyware and adware on those devices and give corporations, and its own customers, a clearer window into a new breed of mobile threats.

“Now they’ve reached the point where they have enough substantial users, that they can then think about how to expand their solution into the business environment,” Ms. Vaiani said.

The potential has investors salivating. In addition to the $76 million that Lookout has already raised, the company received $55 million this month from Deutsche Telekom, Qualcomm Ventures, Greylock Partners and Peter Thiel’s venture firm Mithril Capital Management. The investment round valued Lookout at roughly $1 billion.

Lookout’s founders, John Hering, 30, Kevin Mahaffey, 28, and James Burgess, 30, say that in the future, they plan to move beyond mobile phones and tablets to cars, thermostats and any and all of the billions of so-called smart devices now coming online.

There is little doubt that data security managers are struggling to keep tabs on sensitive information as employees start importing data to their personal devices, inevitably lose them and download mobile apps that have access to corporate assets. Experts and threat researchers warn that these applications have little or no safeguards. Gartner, a research company, predicts that by 2015, 75 percent of mobile applications will fail basic security tests.

Already, Scott Borg, the director and chief economist at the nonprofit group United States Cyber Consequences Unit, said businesses and government agencies were finding that employees’ mobile devices had become a crucial way for attackers to reach a network.

“An enormous amount of applications out there have been Trojanized,” Mr. Borg said, referring to apps that criminals have tampered with. “They have become one of the main steppingstones for getting into the enterprise.”

A Lookout threat report this year said a tiny but growing portion of its Android user base in the United States — half a percentage point — had unwittingly downloaded mobile Trojans. And 1.6 percent have downloaded adware that pilfers their personal data without their knowledge.

Mr. Borg said companies and agencies were discovering that the information collected from mobile Trojans was the first step in “spearphishing” campaigns, in which criminals use that data to tailor e-mails to employees with malicious links or attachments that, once clicked, give attackers a foothold into companies’ systems.

That threat, Joseph Ansanelli, a partner at Greylock, said, particularly on Android, has prevented tech managers from deploying Android devices in their companies.

But Lookout has teamed up with three of the four major carriers that offer Android in the United States, Sprint, T-Mobile and Verizon. It has also set up strategic partnerships with Deutsche Telekom in Germany and Orange in France and now comes preloaded on T-Mobile and Sprint devices.

“In the P.C. era, the world only became less secure,” Mr. Hering of Lookout said. “The goal is to make it more secure as it gets more connected.”