Apr 15 2013

How Agencies Guard Against Mobile Malware

Technology controls include awareness and mobile device management.

For Cumberland County, Pa., security starts at home. Director of Information Management Bill Finnerty recognizes that safe computing needs to permeate all aspects of workers' lives.

"Not only are we trying to secure county assets, but we're trying to train our employees on how it may help them personally," says Finnerty.

To that end, Cumberland County's IT department will push out Sophos antivirus tools to workers' own PCs and notebooks upon request. "We help end users with their own security posture because their posture has an effect on us," Finnerty says.

While the county doesn't yet have a formal bring-your-own-device program, it does establish security parameters that users must meet if they wish to access government email from their devices.

Road Block

Mobile security is top of mind for Cumberland County, which last November rolled out Sophos Mobile Control to its pool of 125 Android smartphones and Apple iPads. The mobile device management platform offers malware and web protection.

"Most prevalent in our minds was the fact that lost devices can be a real security breach for us," says Finnerty. "Although we do tell users to put passwords on them, we have no way of enforcing that."

Guarding against malicious mobile apps is also a concern. While the county didn't experience any significant threats in the past, Finnerty at one point discovered two or three mobile devices that were infected with malware. Those devices were hit with the most common type of mobile malware, premium service abusers. Similar to dialer viruses in the desktop world, premium service abusers are often disguised as popular apps. These malware variants subscribe to costly serv­ices, the fees for which are tacked on to the subscriber's phone bill.

The on-premises Mobile Control solution offers a self-service portal. "It saves management time just from the setup alone by being able to push people to the portal, where everything is automated and sent to their phones. That's a huge benefit from our perspective," Finnerty adds.


Dan Lohrmann

"In addition to technology controls, we are training all employees on the dangers of mobile malware as a part of our new awareness program 2.0, which covers topics such as do's and don'ts of clicking on links in social media and emails."

— Dan Lohrmann, Chief Security Officer, State of Michigan


Christopher Buse

"The key is to make sure that people do not do things that break the underlying security model, such as jailbreaking phones."

— Christopher Buse, Chief Information Security Officer, State of Minnesota


Karen Scarfone

"The best weapons we currently have against malware are training and awareness."

— Karen Scarfone, Founder, Scarfone Cybersecurity