Mobile Malware? Some mobile security threats are more pressing. Every enterprise should have its eye on these five issues.
Mobile security is at the top of every company's worry list these days — and for good reason: Nearly all workers now routinely access corporate data from smart phones, and that means keeping sensitive info out of the wrong hands is an increasingly intricate puzzle. The stakes suffice it to say, are higher than ever: The average cost of a corporate data breach is a whopping $3.86 million, according to a 2018 report by the Ponemon Institute. That's 6.4 percent more than the estimated cost just one year earlier.
While it's easy to focus on the sensational subject of malware, the truth is that mobile malware infections are incredibly uncommon in the real world — with your odds of being infected significantly less than your odds of being struck by lightning, according to one estimate. Malware currently ranks as the least common initial action in data breach incidents, in fact, coming in behind even physical attacks in Verizon's 2019 Data Breach Investigations Report. That's thanks to both the nature of mobile malware and the inherent protections built into modern mobile operating systems.
The more realistic mobile security hazards lie in some easily overlooked areas, all of which are only expected to become more pressing:
1. Data Leakage
It may sound like a diagnosis from the robot urologist, but data leakage is widely seen as being one of the most worrisome threats to enterprise security in 2019. Remember those almost nonexistent odds of being infected with malware? Well, when it comes to a data breach, companies have a nearly 28% chance of experiencing at least one incident in the next two years, based on Ponemon's latest research — odds of more than one in four, in other words.
What makes the issue especially vexing is that it often isn't nefarious by nature; rather, it's a matter of users inadvertently making ill-advised decisions about which apps are able to see and transfer their information.
CheckPoint’s SandBlast Mobile, and Zimperium’s zip Protection. Such utilities scan apps for "leaky behavior," Zumerle says, and can automate the blocking of problematic processes.
Of course, even that won't always cover leakage that happens as a result of overt user error — something as simple as transferring company files onto a public cloud storage service, pasting confidential info in the wrong place, or forwarding an email to an unintended recipient. That's a challenge the healthcare industry is currently struggling to overcome: According to specialist insurance provider Beazley, "accidental disclosure" was the top cause of data breaches reported by healthcare organizations in the third quarter of 2018. That category combined with insider leaks accounted for nearly half of all reported breaches during that time span.
For that type of leakage, data loss prevention (DLP) tools may be the most effective form of protection. Such software is designed explicitly to prevent the exposure of sensitive information, including in accidental scenarios.
2. Social Engineering
The tried-and-true tactic of trickery is just as troubling on the mobile front as it is on desktops. Despite the ease with which one would think social engineering cons could be avoided, they remain astonishingly effective.
A staggering 91% of cybercrime starts with email, according to a 2018 report by security firm FireEye. The firm refers to such incidents as "malware-less attacks," since they rely on tactics like impersonation to trick people into clicking dangerous links or providing sensitive info. Phishing, specifically, grew by 65% over the course of 2017, the company says, and mobile users are at the greatest risk of falling for it because of the way many mobile email clients display only a sender's name — making it especially easy to spoof messages and trick a person into thinking an email is from someone they know or trust.
Users are actually three times more likely to respond to a phishing attack on a mobile device than a desktop, according to an IBM study — in part because a phone is where people are most likely to first see a message. Verizon's latest research supports that conclusion and adds that the smaller screen sizes and corresponding limited display of detailed information on smart phones (particularly in notifications, which frequently now include one-tap options for opening links or responding to messages) can also increase the likelihood of phishing success.
Beyond that, the prominent placement of action-oriented buttons in mobile email clients and the unfocused, multitasking-oriented manner in which workers tend to use smart phones amplify the effect — and the fact that the majority of web traffic is generally now happening on mobile devices only further encourages attackers to target that front.
It's not just email anymore, either: As enterprise security firm Wandera noted in its latest mobile threat report, 83% of phishing attacks over the past year took place outside the inbox — in text messages or in apps like Facebook Messenger and WhatsApp along with a variety of games and social media services.
Cyber crooks are apparently now even using phishing to try to trick folks into giving up two-factor authentication codes designed to protect accounts from unauthorized access. Turning to hardware-based authentication — either via dedicated physical security keys like Google's Titan or Yubico's YubiKeys or via Google's on-device security key option for Android phones — is widely regarded as the most effective way to increase security and decrease the odds of a phishing-based takeover.
According to a study conducted by Google, New York University, and UC San Diego, even just on-device authentication can prevent 99% of bulk phishing attacks and 90% of targeted attacks, compared to a 96% and 76% effectiveness rate for those same types of attacks with the more phishing-susceptible 2FA codes.
3. Wi-Fi Interference
A mobile device is only as secure as the network through which it transmits data. In an era where we're all constantly connecting to public Wi-Fi networks, that means our info often isn't as secure as we might assume.
Just how significant of a concern is this? According to research by Wandera, corporate mobile devices use Wi-Fi almost three times as much as they use cellular data. Nearly a quarter of devices have connected to open and potentially insecure Wi-Fi networks, and 4% of devices have encountered a man-in-the-middle attack — in which someone maliciously intercepts communication between two parties — within the most recent month. McAfee, meanwhile, says network spoofing has increased "dramatically" as of late, and yet less than half of people bother to secure their connection while traveling and relying on public networks.
"These days, it's not difficult to encrypt traffic," says Kevin Du, a computer science professor at Syracuse University who specializes in smart phone security. "If you don't have a VPN, you're leaving a lot of doors on your perimeters open."
4. Outdated Devices
Smart phones, tablets and smaller connected devices — commonly known as the Internet of Things (IOT) — pose a new risk to enterprise security in that unlike traditional work devices, they generally don't come with guarantees of timely and ongoing software updates. This is true particularly on the Android front, where the vast majority of manufacturers are embarrassingly ineffective at keeping their products up to date — both with operating system (OS) updates and with the smaller monthly security patches between them — as well as with IOT devices, many of which aren't even designed to get updates in the first place.
"Many of them don't even have a patching mechanism built in, and that's becoming more and more of a threat these days," Du says.
Increased likelihood of attack aside, an extensive use of mobile platforms elevates the overall cost of a data breach, according to Ponemon, and an abundance of work- connected IoT products only causes that figure to climb further. The Internet of Things is "an open door," according to cyber security firm Raytheon, which sponsored research showing that 82% of IT professionals predicted that unsecured IOT devices would cause a data breach — likely "catastrophic" — within their organization.
Again, a strong policy goes a long way. There are Android devices that do receive timely and reliable ongoing updates. Until the IOT landscape becomes less of a wild west, it falls upon a company to create its own security net around them.