7 mobile security threats you should take seriously in 2019

Source: , 18/06/2019


Mobile security is at the top of every company's worry list these
days – and for good reason: Nearly all workers now routinely
access corporate data from smartphones, and that means keeping
sensitive info out of the wrong hands is an increasingly intricate
puzzle. The stakes, suffice it to say, are higher than ever: The
average cost of a corporate data breach is a whopping $3.86
million, according to a 2018 report by the Ponemon Institute.
That's 6.4 percent more than the estimated cost just one year
earlier.
While it's easy to focus on the sensational subject of malware,
the truth is that mobile malware infections are incredibly
uncommon in the real world – with your odds of being infected
significantly less than your odds of being struck by lightning,
according to one estimate. That's thanks to both the nature of
mobile malware and the inherent protections built into modern
mobile operating systems.
The more realistic mobile security hazards lie in some easily
overlooked areas, all of which are only expected to become more
pressing as we make our way through 2019:
1. Data leakage
It may sound like a diagnosis from the robot urologist, but data
leakage is widely seen as being one of the most worrisome threats
to enterprise security in 2019. Remember those almost nonexistent
odds of being infected with malware? Well, when it comes to a data
breach, companies have a nearly 28 percent chance of experiencing
at least one incident in the next two years, based on Ponemon's
latest research – odds of more than one in four, in other words.
What makes the issue especially vexing is that it often isn't
nefarious by nature; rather, it's a matter of users inadvertently
making ill-advised decisions about which apps are able to see and
transfer their information.
"The main challenge is how to implement an app vetting process
that does not overwhelm the administrator and does not frustrate
the users," says Dionisio Zumerle, research director for mobile
security at Gartner. He suggests turning to mobile threat defense
(MTD) solutions – products like Symantec's Endpoint Protection
Mobile, CheckPoint's SandBlast Mobile, and Zimperium's zIPS
Protection. Such utilities scan apps for "leaky behavior," Zumerle
says, and can automate the blocking of problematic processes.
Of course, even that won't always cover leakage that happens as a
result of overt user error – something as simple as transferring
company files onto a public cloud storage service, pasting
confidential info in the wrong place, or forwarding an email to an
unintended recipient. That's a challenge the healthcare industry
is currently struggling to overcome: According to specialist
insurance provider Beazley, "accidental disclosure" was the top
cause of data breaches reported by healthcare organizations in the
third quarter of 2018. That category combined with insider leaks
accounted for nearly half of all reported breaches during that
time span.
For that type of leakage, data loss prevention (DLP) tools may be
the most effective form of protection. Such software is designed
explicitly to prevent the exposure of sensitive information,
including in accidental scenarios.
2. Social engineering
The tried-and-true tactic of trickery is just as troubling on the
mobile front as it is on desktops. Despite the ease with which one
would think social engineering cons could be avoided, they remain
astonishingly effective.
A staggering 91 percent of cyber crime starts with email,
according to a 2018 report by security firm FireEye. The firm
refers to such incidents as "malware-less attacks," since they
rely on tactics like impersonation to trick people into clicking
dangerous links or providing sensitive info. Phishing,
specifically, grew by 65 percent over the course of 2017, the
company says, and mobile users are at the greatest risk of falling
for it because of the way many mobile email clients display only a
sender's name – making it especially easy to spoof messages and
trick a person into thinking an email is from someone they know or
trust.
In fact, users are three times more likely to respond to a
phishing attack on a mobile device than a desktop, according to an
IBM study – in part simply because a phone is where people are
most likely to first see a message. While only 4 percent of users
actually click on phishing-related links, according to Verizon's
2018 Data Breach Investigations Report, those gullible guys and
gals tend to be repeat offenders: The company notes that the more
times someone has clicked on a phishing campaign link, the more
likely they are to do it again in the future. Verizon has
previously reported that 15 percent of users who are successfully
phished will be phished at least one more time within the same
year.
"We do see a general rise in mobile susceptibility driven by
increases in mobile computing overall [and] the continued growth
of BYOD work environments," says John "Lex" Robinson, information
security and anti-phishing strategist at PhishMe – a firm that
uses real-world simulations to train workers on recognizing and
responding to phishing attempts.
Robinson notes that the line between work and personal computing
is also continuing to blur. More and more workers are viewing
multiple inboxes – connected to a combination of work and personal
accounts – together on a smartphone, he notes, and almost everyone
conducts some sort of personal business online during the workday.
Consequently, the notion of receiving what appears to be a
personal email alongside work-related messages doesn't seem at all
unusual on the surface, even if it may in fact be a ruse.
3. Wi-Fi interference
A mobile device is only as secure as the network through which it
transmits data. In an era where we're all constantly connecting to
public Wi-Fi networks, that means our info often isn't as secure
as we might assume.
Just how significant of a concern is this? According to research
by enterprise security firm Wandera, corporate mobile devices use
Wi-Fi almost three times as much as they use cellular data. Nearly
a quarter of devices have connected to open and potentially
insecure Wi-Fi networks, and 4 percent of devices have encountered
a man-in-the-middle attack – in which someone maliciously
intercepts communication between two parties – within the most
recent month. McAfee, meanwhile, says network spoofing has
increased "dramatically" as of late, and yet less than half of
people bother to secure their connection while traveling and
relying on public networks.
"These days, it's not difficult to encrypt traffic," says Kevin
Du, a computer science professor at Syracuse University who
specializes in smartphone security. "If you don't have a VPN,
you're leaving a lot of doors on your perimeters open."
Selecting the right enterprise-class VPN, however, isn't so easy.
As with most security-related considerations, a tradeoff is almost
always required. "The delivery of VPNs needs to be smarter with
mobile devices, as minimizing the consumption of resources –
mainly battery – is paramount," Gartner's Zumerle points out. An
effective VPN should know to activate only when absolutely
necessary, he says, and not when a user is accessing something
like a news site or working within an app that's known to be
secure.
4. Out-of-date devices
Smartphones, tablets and smaller connected devices – commonly
known as the Internet of Things (IoT) – pose a new risk to
enterprise security in that unlike traditional work devices, they
generally don't come with guarantees of timely and ongoing
software updates. This is true particularly on the Android front,
where the vast majority of manufacturers are embarrassingly
ineffective at keeping their products up to date – both with
operating system (OS) updates and with the smaller monthly
security patches between them – as well as with IoT devices, many
of which aren't even designed to get updates in the first place.
"Many of them don't even have a patching mechanism built in, and
that's becoming more and more of a threat these days," Du says.
Increased likelihood of attack aside, an extensive use of mobile
platforms elevates the overall cost of a data breach, according to
Ponemon, and an abundance of work-connected IoT products only
causes that figure to climb further. The Internet of Things is "an
open door," according to cybersecurity firm Raytheon, which
sponsored research showing that 82 percent of IT professionals
predicted that unsecured IoT devices would cause a data breach –
likely "catastrophic" – within their organization.
Again, a strong policy goes a long way. There are Android devices
that do receive timely and reliable ongoing updates. Until the IoT
landscape becomes less of a wild west, it falls upon a company to
create its own security net around them.
5. Cryptojacking attacks
A relatively new addition to the list of relevant mobile threats,
cryptojacking is a type of attack where someone uses a device to
mine for cryptocurrency without the owner's knowledge. If all that
sounds like a lot of technical mumbo-jumbo, just know this: The
cryptomining process uses your company's devices for someone
else's gain. It leans heavily on your technology to do it – which
means affected phones will probably experience poor battery life
and could even suffer from damage due to overheating components.
While cryptojacking originated on the desktop, it saw a surge on
mobile from late 2017 through the early part of 2018. Unwanted
cryptocurrency mining made up a third of all attacks in the first
half of 2018, according to a Skybox Security analysis, with a 70
percent increase in prominence during that time compared to the
previous half-year period. And mobile-specific cryptojacking
attacks absolutely exploded between October and November of 2017,
when the number of mobile devices affected saw a 287 percent
surge, according to a Wandera report.
Since then, things have cooled off somewhat, especially in the
mobile domain – a move aided largely by the banning of
cryptocurrency mining apps from both Apple's iOS App Store and the
Android-associated Google Play Store in June and July,
respectively. Still, security firms note that attacks continue to
see some level of success via mobile websites (or even just rogue
ads on mobile websites) and through apps downloaded from
unofficial third-party markets.
Analysts have also noted the possibility of cryptojacking via
internet-connected set-top boxes, which some businesses may use
for streaming and video casting. According to security firm
Rapid7, hackers have found a way to take advantage of an apparent
loophole that makes the Android Debug Bridge – a command-line tool
intended only for developer use – accessible and ripe for abuse on
such products.
For now, there's no great answer – aside from selecting devices
carefully and sticking with a policy that requires users to
download apps only from a platform's official storefront, where
the potential for cryptojacking code is markedly reduced – and
realistically, there's no indication that most companies are under
any significant or immediate threat, particularly given the
preventative measures being taken across the industry. Still,
given the fluctuating activity and rising interest in this area
over the past months, it's something well worth being aware of and
keeping an eye on as 2019 progresses.
6. Poor password hygiene
You'd think we'd be past this point by now, but somehow, users
still aren't securing their accounts properly – and when they're
carrying phones that contain both company accounts and personal
sign-ins, that can be particularly problematic.
A new survey by Google and Harris Poll found just over half of
Americans, based on the survey's sample, reuse passwords across
multiple accounts. Equally concerning, nearly a third aren't using
two-factor authentication (or don't even know if they're using it
– which might be a little worse). And only a quarter of people are
actively using a password manager, which suggests the vast
majority of folks probably don't have particularly strong
passwords in most places, since they're presumably generating and
remembering them on their own.
Things only get worse from there: According to a 2018 LastPass
analysis, a full half of professionals use the same passwords for
both work and personal accounts. And if that isn't enough, an
average employee shares about six passwords with a co-worker over
the course of his or her employment, the analysis found.
Lest you think this is all much ado about nothing, in 2017,
Verizon found that weak or stolen passwords were to blame for more
than 80 percent of hacking-related breaches in businesses. From a
mobile device in particular – where workers want to sign in
quickly to various apps, sites, and services – think about the
risk to your organization's data if even just one person is
sloppily typing in the same password they use for a company
account into a prompt on a random retail site, chat app, or
message forum. Now combine that risk with the aforementioned risk
of Wi-Fi interference, multiply it by the total number of
employees in your workplace, and think about the layers of likely
exposure points that are rapidly adding up.