Mobile malware? Other mobile security threats are more pressing. Every enterprise should have its eye on these eight issues.
Mobile security is at the top of every company's worry list these days — and for good reason: Nearly all workers now routinely access corporate data from smartphones, a trend that's grown even more prominent thanks to the ongoing global pandemic. The vast majority of devices interacting with corporate data are now mobile, in fact — some 60%, according to Zimperium — and that number is only bound to keep climbing as the world acclimates to our new remote-work reality.
All that means keeping sensitive information out of the wrong hands is an increasingly intricate puzzle. The stakes, suffice it to say, are higher than ever: The average cost of a corporate data breach is a whopping $3.86 million, according to a 2020 report by the Ponemon Institute. That's 6.4% more than the estimated cost just three years earlier, and the nature of the pandemic is expected to bring that cost up further yet, given the extra challenges presented by the work-from-home arrangement.
While it's easy to focus on the sensational subject of malware, the truth is that mobile malware infections are uncommon in the real world — with your odds of being infected significantly less than your odds of being struck by lightning, according to one memorable estimate. Malware ranks as one of the least common initial actions in data breach incidents, as noted by Verizon's 2020 Data Breach Investigations Report. That's thanks to both the nature of mobile malware and the inherent protections built into modern mobile operating systems.
The more realistic mobile security hazards lie in some often-underemphasized areas, all of which are only expected to become more pressing in the months ahead:
1. Social engineering
The tried-and-true tactic of trickery is more troubling than ever in light of the pandemic, and that's especially true on the mobile front. Phishing attacks have increased six-fold since the start of COVID, according to Zimperium, and mobile devices are now the main target — with COVID-connected schemes, specifically, on the rise.
"[Scammers] know people are working from home and are spending more time on their mobile devices and are not taking the same precautions as they may on traditional computers," says Nico Chiaraviglio, vice president of security research at Zimperium. "From an attacker’s perspective, it’s supply and demand."
Think it couldn't affect your company? Think again. A staggering 91% of cybercrime starts with email, according to a report by security firm FireEye. It refers to such incidents as "malware-less attacks," since they rely on tactics like impersonation to trick people into clicking dangerous links or providing sensitive info. Phishing has been growing rapidly over the past few years, the company says, and mobile users are at the greatest risk of falling for it because of the way many mobile email clients display only a sender's name — making it especially easy to spoof messages and trick a person into thinking an email is from someone they know or trust.
What's more, despite the ease with which one would think social engineering cons could be avoided, they remain astonishingly effective in the mobile domain. Users are three times more likely to respond to a phishing attack on a mobile device than a desktop, according to an IBM study — in part because a phone is where people are most likely to first see a message. Verizon's research supports that conclusion and adds that the smaller screen sizes and corresponding limited display of detailed information on smartphones (particularly in notifications, which frequently include one-tap options for opening links or responding to messages) can also increase the likelihood of phishing success.
Beyond that, the prominent placement of action-oriented buttons in mobile email clients and the unfocused, multitasking-oriented way workers tend to use smartphones amplify the effect. The fact that most web traffic is now happening on mobile devices only further encourages attackers to target that front.
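The display-name problem described above is easy to turn into a mail-gateway check. The following Python is an added example, not code from the article or from any vendor it cites: it parses each From: header, flags a display name that is itself an address pointing somewhere other than the real sender, and flags a name that matches a trusted contact but arrives from a domain that contact does not use. The contact directory and the sample headers are constructed for the demonstration.

```python
"""Flag From: headers whose display name impersonates a trusted contact while
the address behind it points elsewhere, the trick that works against mobile
mail clients that show only the name (example code added here, not from the
article; the contact directory and sample headers are constructed)."""
from email.utils import parseaddr

# Constructed directory: normalised display name -> domains it legitimately uses
TRUSTED_CONTACTS = {
    "jane doe": {"example.com"},
    "it helpdesk": {"example.com", "corp.example.com"},
}


def normalize(name: str) -> str:
    return " ".join(name.lower().split())


def check_from_header(from_header: str) -> dict:
    """Return a verdict dict for one From: header value."""
    name, addr = parseaddr(from_header)
    name = name.strip()
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    verdict = {"name": name, "address": addr, "domain": domain,
               "suspicious": False, "reason": "ok"}

    if not domain:
        verdict.update(suspicious=True, reason="missing or unparseable address")
        return verdict

    # Case 1: the display name is itself an address ("jane.doe@example.com")
    # that does not match the real sending address. A name-only client shows
    # the fake address and hides the real one.
    if "@" in name:
        claimed = name.rsplit("@", 1)[-1].lower().strip("<> ")
        if claimed != domain:
            verdict.update(suspicious=True,
                           reason=f"display name claims {claimed!r}, address is at {domain!r}")
            return verdict

    # Case 2: the name matches a trusted contact but the domain is not one we
    # associate with that contact.
    expected = TRUSTED_CONTACTS.get(normalize(name))
    if expected is not None and domain not in expected:
        verdict.update(suspicious=True,
                       reason=f"name matches trusted contact, unexpected domain {domain!r}")
    return verdict


def triage(headers):
    """Return only the suspicious verdicts, in input order."""
    return [v for v in map(check_from_header, headers) if v["suspicious"]]


# Constructed sample headers: one legitimate, two impersonations, one unknown
# vendor, one with no address at all
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example.com>",
    "Jane Doe <jane.doe@mail-lookalike.test>",
    '"jane.doe@example.com" <invoice@random-host.test>',
    "Bob Vendor <bob@vendor.test>",
    "IT Helpdesk",
]

if __name__ == "__main__":
    for v in triage(SAMPLE_HEADERS):
        print(f"{v['address'] or '<none>':40} {v['reason']}")
```

Unknown senders are deliberately left alone: the check only fires when a name claims an identity the organisation already trusts, which keeps the false-positive rate low enough to act on (quarantine, banner, or a ticket to the user).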
While only around 3.4% of users actually click on phishing-related links, according to Verizon's most current data, earlier Verizon research indicates those gullible guys and gals tend to be repeat offenders. The company notes that the more times someone has clicked on a phishing campaign link, the more likely they are to do it again in the future. Verizon has previously reported that 15% of users who are successfully phished will be phished at least one more time within the same year.
"We do see a general rise in mobile susceptibility driven by increases in mobile computing overall [and] the continued growth of BYOD work environments," says John "Lex" Robinson, information security and anti-phishing strategist at PhishMe, a firm that uses real-world simulations to train workers on recognizing and responding to phishing attempts.
Robinson notes that the line between work and personal computing is also continuing to blur. More workers are viewing multiple inboxes — connected to a combination of work and personal accounts — together on a smartphone, he notes, and almost everyone conducts some manner of personal business online during the workday (even when there isn't an active pandemic and a forced work-from-home environment). Consequently, the notion of receiving what appears to be a personal email alongside work-related messages doesn't seem at all unusual on the surface, even if it may in fact be a ruse.
The stakes only keep escalating. Cybercrooks are now even using phishing to try to trick folks into giving up two-factor authentication codes designed to protect accounts from unauthorized access. Turning to hardware-based authentication — either via dedicated physical security keys like Google's Titan or Yubico's YubiKeys or via Google's on-device security key option — is widely regarded as the most effective way to increase security and decrease the odds of a phishing-based takeover.
According to a study conducted by Google, New York University, and UC San Diego, on-device authentication can prevent 99% of bulk phishing attacks and 90% of targeted attacks, compared to a 96% and 76% effectiveness rate for those same types of attacks with the more phishing-susceptible traditional 2FA codes.
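Why does a security key hold up where a typed 2FA code does not? The Python below is an added example, not code from the article or from the study it cites, and it simplifies the FIDO/WebAuthn flow: an HMAC with a per-site secret stands in for the key's public-key signature, and the look-alike login page is a constructed name. It contrasts the two factors in the same relayed-login scenario: a one-time code carries nothing about where it was typed, so a page that forwards it to the real site gets it accepted, whereas the browser only lets a page request credentials scoped to its own domain and stamps the true origin into what the key signs, which the real site then checks.

```python
"""Why a relayed one-time code is accepted but an origin-bound security-key
assertion is not (example code added here, not from the article). The
FIDO/WebAuthn flow is simplified: an HMAC with a per-site secret stands in for
the key's public-key signature, and the phishing origin is a constructed name."""
import hashlib
import hmac
import json
import secrets
import struct
from urllib.parse import urlparse

RP_ID = "example.com"                         # relying party identifier
RP_ORIGIN = "https://login.example.com"       # real login page
PHISH_ORIGIN = "https://login-examp1e.test"   # constructed look-alike page


# ---- Relayable factor: a six-digit HOTP/TOTP code (RFC 4226 arithmetic) ----
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def rp_verify_otp(secret: bytes, counter: int, submitted: str) -> bool:
    # Nothing in the code says where the user typed it, so a relayed code passes.
    return hmac.compare_digest(hotp(secret, counter), submitted)


# ---- Origin-bound factor: a security key that signs the origin it was used on ----
class SecurityKey:
    def __init__(self):
        self._creds = {}  # rp_id -> per-site secret (stands in for a key pair)

    def register(self, rp_id: str) -> bytes:
        self._creds[rp_id] = secrets.token_bytes(32)
        return self._creds[rp_id]  # a real RP would store a public key instead

    def get_assertion(self, rp_id: str, client_data: bytes) -> bytes:
        if rp_id not in self._creds:
            raise KeyError("no credential for this site")
        return hmac.new(self._creds[rp_id], client_data, hashlib.sha256).digest()


def browser_get_assertion(key, rp_id, origin, challenge):
    """The browser, not the page, fills in the origin and enforces that the
    requested RP ID matches the page's own domain (WebAuthn scoping rule)."""
    host = urlparse(origin).hostname or ""
    if host != rp_id and not host.endswith("." + rp_id):
        raise PermissionError(f"{origin} may not use credentials for {rp_id}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    return client_data, key.get_assertion(rp_id, client_data)


def rp_verify_assertion(cred, expected_origin, issued_challenge, client_data, sig):
    data = json.loads(client_data)
    if data.get("origin") != expected_origin or data.get("challenge") != issued_challenge:
        return False
    return hmac.compare_digest(hmac.new(cred, client_data, hashlib.sha256).digest(), sig)


def run_relay_scenario(phishing: bool):
    """Return (otp_accepted, key_accepted) for a login attempted from the real
    page (phishing=False) or through a relaying look-alike page (phishing=True)."""
    otp_secret = secrets.token_bytes(20)
    key = SecurityKey()
    cred = key.register(RP_ID)
    challenge = secrets.token_urlsafe(32)      # issued by the real RP
    counter = 42                                # time step, fixed for the demo
    page_origin = PHISH_ORIGIN if phishing else RP_ORIGIN

    # OTP: the user reads the code off their phone and types it on whatever
    # page is in front of them; that page forwards it to the real RP unchanged.
    otp_accepted = rp_verify_otp(otp_secret, counter, hotp(otp_secret, counter))

    # Security key: the page can only ask for credentials scoped to its own
    # domain, and any assertion carries the true origin, which the RP checks.
    try:
        client_data, sig = browser_get_assertion(key, RP_ID, page_origin, challenge)
        key_accepted = rp_verify_assertion(cred, RP_ORIGIN, challenge, client_data, sig)
    except (PermissionError, KeyError):
        key_accepted = False
    return otp_accepted, key_accepted


if __name__ == "__main__":
    print("legitimate login:", run_relay_scenario(phishing=False))   # (True, True)
    print("relayed phishing:", run_relay_scenario(phishing=True))    # (True, False)
```

Two independent checks make the key resistant: the browser refuses to hand a foreign page a credential scoped to the real site, and even a forged client-data blob with the wrong origin fails the relying party's origin comparison before any signature is considered.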
Beyond that, mobile-specific training and carefully selected phishing detection software are the smartest ways to keep a company's employees from becoming the next phishing victims. "You are only as strong as the weakest link in the chain," says Zimperium's Chiaraviglio.
2. Data leakage
It may sound like a diagnosis from the robot urologist, but data leakage is widely seen as being one of the most worrisome threats to enterprise security in 2021 — and one of the most costly, too. According to the latest research by IBM and Ponemon Institute, having a purely remote-based team can increase the average cost of a data breach by a whopping $137,000.
What makes the issue especially vexing is that it often isn't nefarious by nature. Rather, it's a matter of users inadvertently making ill-advised decisions about which apps are able to see and transfer their information.
"The main challenge is how to implement an app vetting process that does not overwhelm the administrator and does not frustrate the users," says Dionisio Zumerle, research director for mobile security at Gartner. He suggests turning to mobile threat defense (MTD) solutions — products like Symantec's Endpoint Protection Mobile, Check Point's SandBlast Mobile, and Zimperium's zIPS Protection. Such utilities scan apps for "leaky behavior," Zumerle says, and can automate the blocking of problematic processes.
Even that won't always cover leakage that happens as a result of overt user error — something as simple as transferring company files onto a public cloud storage service, pasting confidential info in the wrong place, or forwarding an email to an unintended recipient. For that type of leakage, data loss prevention (DLP) tools may be the most effective form of protection. Such software is designed explicitly to prevent the exposure of sensitive information, including in accidental scenarios.
3. WiFi interference
A mobile device is only as secure as the network through which it transmits data. In an era where we're all constantly connecting to networks that might not be optimally secured — be they improperly configured home networks, for remote workers, or public WiFi networks — our information frequently isn't as protected as we might assume.
Just how significant of a concern is this? According to research by Wandera, in a more typical year, corporate mobile devices use WiFi almost three times as much as they use cellular data. Nearly a quarter of devices connect to open and potentially insecure WiFi networks, and 4% of devices encounter a man-in-the-middle attack — in which someone maliciously intercepts communication between two parties — within an average month. Those numbers have dipped this past year due to reduced travel and fewer physical businesses being open during COVID, but that doesn't mean the threat is gone — or that there's no need to remain ahead of the game, even with employees working mostly from home.
"Rather than relying on man-in-the-middle attack detection to be reactive, we recommend organizations take a more proactive approach to securing remote connections," says Michael Covington, VP of product at Wandera. "The easiest thing companies can do to encourage proper WiFi security is to simply adopt a zero-trust network access model for remote work."
4. Out-of-date devices
Smartphones, tablets and smaller connected devices — the internet of things (IoT) — pose a risk to enterprise security in that unlike traditional work devices, they generally don't come with guarantees of timely and ongoing software updates. This is particularly apparent on the Android front, where the vast majority of manufacturers are embarrassingly ineffective at keeping their products up to date — both with operating system updates and with the smaller monthly security patches — as well as with IoT devices, many of which aren't even designed to get updates.
"Many of them don't even have a patching mechanism built in, and that's becoming more and more of a threat these days," says Kevin Du, a computer science professor at Syracuse University who specializes in smartphone security.
In 2020, some 28% of businesses were relying on devices that not only had outdated operating system software but had software with a known security vulnerability, according to Wandera. "Though there’s certainly a trend toward allowing more unmanaged devices to be used by remote workers, the current situation seems to have put a spotlight on the real risks encountered when security posture gets too lax," says Covington.
Adding to the pandemic-centric worry, Wandera's data indicates a 100% increase in connections to "inappropriate content" during work hours since the start of the COVID crisis — and, well, those sorts of sites are notorious for trying to trick visitors into downloading shady stuff (or, erm, so I've heard). An outdated operating system makes any manner of risky material even more risky since proper protections might not be in place.
Increased likelihood of attack aside, an extensive use of mobile platforms elevates the overall cost of a data breach, according to Ponemon, and an abundance of work-connected IoT products only causes that figure to climb higher. The IoT is "an open door," as cybersecurity firm Raytheon puts it. Raytheon sponsored research that showed 82% of IT professionals predicted that unsecured IoT devices would cause a data breach — likely "catastrophic" — within their organization.
A strong policy, however, can go a long way. Some Android devices do receive timely and reliable ongoing updates, and measures can be taken to improve the security of practically any phone. Until the IoT landscape becomes less of a wild west, it falls upon a company to create its own security net around them.
5. Poor password hygiene
You'd think we'd be past this point by now, but somehow, users still aren't securing their accounts properly. When they're carrying phones that contain both company accounts and personal sign-ins, that can be particularly problematic.
A survey by Google and Harris Poll found just over half of Americans reuse passwords across multiple accounts. Equally concerning, nearly a third aren't using 2FA (or don't know if they're using it — which might be a little worse). Only a quarter of people are actively using a password manager (i.e. MobileTrust), which suggests the vast majority of folks probably don't have strong passwords in most places, since they're presumably generating and remembering them on their own.
Things only get dicier from there: According to one LastPass analysis, a full half of professionals have admitted to using the same passwords for both work and personal accounts. If that isn't enough, an average employee shares about six passwords with a co-worker over the course of their employment, the analysis found.
Lest you think this is all much ado about nothing, in 2017, Verizon found that weak or stolen passwords were to blame for more than 80% of hacking-related breaches in businesses. From a mobile device in particular — where workers want to sign in quickly to apps, sites, and services — think about the risk to your organization's data if even just one person is sloppily typing in the same password they use for a company account into a prompt on a random retail site, chat app or message forum. Now combine that risk with the aforementioned risk of WiFi interference, multiply it by the total number of employees in your workplace, and think about the layers of likely exposure points that are rapidly adding up.
Perhaps most vexing of all, most people seem completely oblivious to their oversights in this area. In the Google and Harris Poll survey, 69% of respondents gave themselves an "A" or "B" at effectively protecting their online accounts, despite subsequent answers that indicated otherwise. Clearly, you can't trust a user's own risk assessment.
6. Mobile ad fraud
Mobile advertising generates mountains of dollars — a total that's likely to top $117 billion in 2021, even with pandemic-related slowdowns in spending, according to a recent projection by eMarketer. Cybercriminals follow the money, so it’s probably no surprise they’ve found ways to siphon cash from mobile ad revenue streams. Estimates on how much ad fraud costs vary, but Juniper Research projects a $100 billion loss per year by 2023.
Ad fraud can take several forms, but the most common is using malware to generate clicks on ads that appear to be from a real user using a legitimate app or website. So, for example, a user might download an app that offers a valid-seeming service like weather forecasting or messaging. In the background, though, that app generates fraudulent clicks on regular ads that appear. Publishers are typically paid by the number of ad clicks they generate, so mobile ad fraud steals from companies’ advertising budgets and can deprive publishers of revenue.
While advertisers and publishers may be the most obvious victims, though, ad fraud can harm mobile users, too. Ad fraud malware runs in the background and can slow a smartphone’s performance, drain its battery, lead to higher data charges, and cause overheating. Based on its own tracking data, security vendor Upstream estimates that smartphone users (or the companies paying the bills for their devices) lose millions of dollars each year as a direct result of higher data charges caused by mobile ad malware.
Android is by far the most popular platform for these types of problems, with devices on that operating system some 5.3 times more likely to have a vulnerable app installed than phones running iOS, according to Wandera. That doesn't mean the impact is inevitable.
As with so many things in the realm of mobile security, a little common sense goes a long way. Aside from maintaining policies that allow users to download apps only from a platform's official app store, employee education can emphasize basics like looking over an app's reviews along with its requested permissions and developer history to make sure everything about it seems kosher before installing it. From an IT perspective, monitoring data usage for unusual spikes can also help detect potential issues early on.
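The "unusual spike" check suggested above is simple to implement against the per-device usage export most carrier or MDM consoles provide. The Python below is an added example, not code from the article or from any vendor it names: each device is compared with its own recent history using a median and median absolute deviation (which a single bad day cannot skew), with an absolute floor so that a phone whose history is perfectly flat is not flagged for a trivial change. The usage records and thresholds are constructed.

```python
"""Flag devices whose cellular data usage spikes far above their own baseline,
the early-warning signal for background ad-fraud traffic (example code added
here, not from the article; the usage records and thresholds are constructed)."""
from statistics import median

# Constructed records: (device_id, day number, megabytes of cellular data that day)
USAGE = [
    ("phone-01", 1, 210), ("phone-01", 2, 190), ("phone-01", 3, 240),
    ("phone-01", 4, 205), ("phone-01", 5, 230), ("phone-01", 6, 215),
    ("phone-01", 7, 1450),                              # sudden jump
    ("phone-02", 1, 500), ("phone-02", 2, 520), ("phone-02", 3, 480),
    ("phone-02", 4, 510), ("phone-02", 5, 495), ("phone-02", 6, 505),
    ("phone-02", 7, 530),                               # heavy but steady user
    ("phone-03", 1, 0), ("phone-03", 2, 0), ("phone-03", 3, 0),
    ("phone-03", 4, 0), ("phone-03", 5, 0), ("phone-03", 6, 0),
    ("phone-03", 7, 120),                               # idle device, small change
    ("phone-04", 1, 100), ("phone-04", 2, 100), ("phone-04", 3, 100),
    ("phone-04", 4, 100), ("phone-04", 5, 100), ("phone-04", 6, 100),
    ("phone-04", 7, 900),                               # flat history, real jump
    ("phone-05", 1, 300), ("phone-05", 2, 310), ("phone-05", 3, 290),  # too new
]


def robust_baseline(values):
    """Median and median absolute deviation (MAD) of a list of numbers."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def find_spikes(records, window=6, k=5.0, min_delta_mb=300):
    """Compare each device's most recent day with the preceding `window` days.

    A day is a spike when it exceeds median + k * 1.4826 * MAD (the 1.4826
    factor makes MAD comparable to a standard deviation) AND exceeds the median
    by at least min_delta_mb, so a flat history (MAD == 0) does not make every
    small change an alert. Devices with too little history are skipped."""
    by_device = {}
    for dev, day, mb in records:
        by_device.setdefault(dev, []).append((day, mb))

    alerts = []
    for dev, series in sorted(by_device.items()):
        series.sort()
        if len(series) < window + 1:
            continue  # not enough history to say what "normal" is yet
        history = [mb for _, mb in series[-window - 1:-1]]
        day, latest = series[-1]
        med, mad = robust_baseline(history)
        threshold = max(med + k * 1.4826 * mad, med + min_delta_mb)
        if latest > threshold:
            alerts.append({"device": dev, "day": day, "usage_mb": latest,
                           "baseline_mb": med, "threshold_mb": round(threshold, 1)})
    return alerts


if __name__ == "__main__":
    for a in find_spikes(USAGE):
        print(f"{a['device']}: day {a['day']} used {a['usage_mb']} MB "
              f"(baseline {a['baseline_mb']} MB, threshold {a['threshold_mb']} MB)")
```

An alert here is a prompt to look at which app owns the traffic, not a verdict; a legitimate explanation (a large download, a new streaming habit) is easy to confirm, while background traffic from an app that should be idle is the case the article describes.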
7. Cryptojacking attacks
Cryptojacking is a type of attack where someone uses a device to mine for cryptocurrency without the owner's knowledge. If all that sounds like a lot of technical mumbo-jumbo, just know this: Much like mobile ad fraud, the cryptomining process uses your company's devices for someone else's gain. It leans heavily on your technology to do its bidding — which means affected phones will probably experience poor battery life and could even suffer from damage due to overheating components.
While cryptojacking originated on the desktop, it saw a surge on mobile from late 2017 through the early part of 2018. Unwanted cryptocurrency mining made up a third of all attacks in the first half of 2018, according to a Skybox Security analysis, with a 70% increase in prominence during that time compared to the previous half-year period. Mobile-specific cryptojacking attacks absolutely exploded in the fall of 2017, when the number of mobile devices affected saw a 287% surge, according to a Wandera report.
Since then, things have cooled off somewhat, especially in the mobile domain — a move aided largely by the banning of cryptocurrency mining apps from both Apple's iOS App Store and the Android-associated Google Play Store a couple years ago. Still, security firms note that attacks continue to see some level of success via mobile websites (or even just rogue ads on mobile websites) and apps downloaded via unofficial third-party markets.
According to Verizon, cryptocurrency-related attacks are now accounting for about 2.5% of malware-related problems in the enterprise, with about 10% of companies reporting related security issues. Verizon speculates that the actual rate of incidents is higher, as many such attacks are not reported.
For now, there's no great answer — aside from selecting devices carefully and sticking with a policy that requires users to download apps only from a platform's official storefront, where the potential for cryptojacking code is markedly reduced.
8. Physical device breaches
Last but not least is something that seems especially silly but remains a disturbingly realistic threat: A lost or unattended device can be a major security risk, especially if it doesn't have a strong PIN or password and full data encryption.
For perspective, in a 2016 Ponemon study, 35% of professionals indicated their work devices had no mandated measures in place to secure accessible corporate data. Worse yet, nearly half of those surveyed said they had no password, PIN or biometric security guarding their devices — and about two-thirds said they didn't use encryption. Sixty-eight percent of respondents indicated they sometimes shared passwords across personal and work accounts accessed via their mobile devices.
Things have improved since then, by most measures. In its 2020 mobile threat landscape analysis, Wandera noted that 3% of devices used for work still had their lock screens disabled. Even more troubling, the risk of other threats was found to be significantly higher on devices where the virtual front gate wasn't properly secured. As we've thoroughly established, it takes only a small number of individual-user vulnerabilities to create a massive corporate headache.
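Both the out-of-date-device problem from earlier and the lock-screen and encryption gaps described here come down to the same thing: a posture policy that is actually checked against the fleet. The Python below is an added example, not code from the article or from any MDM vendor it mentions, and it audits a device inventory against four rules at once: OS version at or above a floor, Android security patch level no older than a set number of days, lock screen enabled, and storage encrypted. It assumes the inventory was exported from an MDM into the dict form shown (the rows and thresholds are constructed), that Android reports its patch level as the YYYY-MM-DD value of ro.build.version.security_patch, and that iOS devices carry no separate patch field, so only their OS version is checked.

```python
"""Audit a mobile-device inventory against a minimum posture policy: patch level
not too old, OS version at or above a floor, lock screen on, storage encrypted.
Example code added here, not from the article. Assumptions: the inventory was
exported from an MDM into the dict form below (rows are constructed); Android
reports its patch level as the YYYY-MM-DD date in ro.build.version.security_patch;
iOS has no separate patch field, so only its OS version is checked."""
from datetime import date

AUDIT_DATE = date(2021, 3, 1)   # constructed "today" so the demo is reproducible

# Constructed policy thresholds
POLICY = {
    "max_patch_age_days": 90,
    "min_os_version": {"android": (10,), "ios": (14, 0)},
    "require_lock_screen": True,
    "require_encryption": True,
}

# Constructed inventory rows
INVENTORY = [
    {"id": "a1", "platform": "android", "os_version": "11",    "security_patch": "2021-02-01", "lock_screen": True,  "encrypted": True},
    {"id": "a2", "platform": "android", "os_version": "8.1.0", "security_patch": "2019-06-05", "lock_screen": True,  "encrypted": True},
    {"id": "i1", "platform": "ios",     "os_version": "14.4",  "security_patch": None,         "lock_screen": False, "encrypted": True},
    {"id": "a3", "platform": "android", "os_version": "10",    "security_patch": "2021-01-05", "lock_screen": True,  "encrypted": False},
    {"id": "a4", "platform": "android", "os_version": "11",    "security_patch": "not-set",    "lock_screen": True,  "encrypted": True},
]


def parse_version(text: str) -> tuple:
    """'8.1.0' -> (8, 1, 0); tuples compare component-wise, so (8, 1, 0) < (10,)."""
    return tuple(int(p) for p in text.split(".") if p.isdigit())


def patch_age_days(patch, today: date):
    """Days since the reported patch level, or None if it is missing or unparseable."""
    try:
        return (today - date.fromisoformat(patch)).days
    except (TypeError, ValueError):
        return None


def evaluate(device: dict, today: date, policy: dict = POLICY) -> list:
    """Return the list of policy findings for one device (empty means compliant)."""
    findings = []
    platform = device["platform"]
    floor = policy["min_os_version"].get(platform)
    if floor is not None and parse_version(device["os_version"]) < floor:
        findings.append(f"OS version {device['os_version']} below minimum "
                        f"{'.'.join(map(str, floor))}")
    if platform == "android":  # assumption: a dated patch level only exists on Android
        age = patch_age_days(device.get("security_patch"), today)
        if age is None:
            findings.append("security patch level missing or unparseable")
        elif age > policy["max_patch_age_days"]:
            findings.append(f"security patch {device['security_patch']} is {age} days old "
                            f"(max {policy['max_patch_age_days']})")
    if policy["require_lock_screen"] and not device["lock_screen"]:
        findings.append("lock screen disabled")
    if policy["require_encryption"] and not device["encrypted"]:
        findings.append("storage not encrypted")
    return findings


def audit(inventory, today: date, policy: dict = POLICY) -> dict:
    """Map device id -> findings for every non-compliant device."""
    report = {}
    for device in inventory:
        findings = evaluate(device, today, policy)
        if findings:
            report[device["id"]] = findings
    return report


if __name__ == "__main__":
    for dev_id, findings in audit(INVENTORY, AUDIT_DATE).items():
        print(dev_id, "->", "; ".join(findings))
```

An unparseable patch value is treated as a failure rather than skipped, which matters in practice: a device that cannot report its patch level is exactly the kind of unmanaged or heavily modified handset the policy exists to catch, and the report is the artifact to feed into conditional-access rules so that those devices lose access to corporate data until fixed.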
The take-home message is simple: Leaving the responsibility in users' hands isn't enough. Don't make assumptions; make policies. You'll thank yourself later.
By JR Raphael
Contributing Editor, CSO