Mobile Security Threats Companies Should Take SeriouslyBy Dave Webb | 14 Jul 2020
Smartphone security threats your employees and organisation may face
Mobile security threats company’s should take seriously
Mobile security is at the top of every company's concern list and for good reason. Nearly all employees now routinely access corporate data utilising smartphones, and that means keeping sensitive info out of the wrong hands is an increasingly intricate issue. While it's easy to focus on the sensational subject of malware, the truth is that mobile malware infections are incredibly uncommon. Malware currently ranks as the least common initial action in data breach incidents, in fact, coming in behind even physical attacks. That's thanks to both the nature of mobile malware and the inherent protections built into modern mobile operating systems. The more realistic mobile security hazards lie in some easily overlooked areas:
Social engineering: The tactic of deception is just as troubling on the mobile front as it is on desktops. Despite the ease with which one would think social engineering cons could be avoided, they remain astonishingly effective. A staggering 91% of cybercrime starts with email, according to a 2018 report by security firm FireEye. The firm refers to such incidents as ‘malware-less attacks’ since they rely on tactics like impersonation to trick people into clicking dangerous links or providing sensitive info. Phishing, specifically, grew by 65% over the course of 2017, the company says, and mobile users are at the greatest risk of falling for it because of the way many mobile email clients display only a sender's name making it especially easy to ‘spoof messages’ and trick a person into thinking an email is from someone they know or trust. Users are actually 3 times more likely to respond to a phishing attack on a mobile device than a desktop, according to an IBM study in part because a phone is where people are most likely to first see a message. Beyond that, the prominent placement of action-oriented buttons in mobile email clients and the unfocused, multitasking-oriented manner in which workers tend to use smartphones amplify the effect and the fact that the majority of web traffic is generally now happening on mobile devices only further encourages attackers to target that front. The stakes only keep climbing. Criminals are now even using phishing to try to trick people into giving up 2-factor authentication (2FA) codes designed to protect accounts from unauthorised access. Turning to hardware-based authentication either via dedicated physical security keys like Google's Titan is widely regarded as one the most effective ways to increase security and decrease the odds of a phishing-based takeover. According to a study conducted by Google, even just ‘on-device authentication’ can prevent 99% of bulk phishing attacks and 90% of targeted attacks, compared to a 96% and 76% effectiveness rate for those same types of attacks with the more phishing-susceptible 2FA codes.
Wi-Fi interference: A mobile device is only as secure as the network through which it transmits data. In an era where we're all constantly connecting to public Wi-Fi networks, that means our info often isn't as secure as we might assume. Just how significant of a concern is this? Corporate mobile devices use Wi-Fi almost three times as much as they use cellular data. Nearly a quarter of devices have connected to open and potentially insecure Wi-Fi networks, and 4% of devices have encountered a man-in-the-middle attack in which someone maliciously intercepts communication between 2 parties. McAfee says network spoofing has increased dramatically as of late, and yet less than half of people bother to secure their connection while traveling and relying on public networks. it's not difficult to encrypt traffic, and If you don't have a VPN, you're leaving a lot of doors open.
Data leakage: widely seen as being one of the most concerning threats to enterprise security in 2019. Remember those almost non-existent odds of being infected with malware? Well, when it comes to a data breach, companies have a nearly 28% chance of experiencing at least 1 incident in the next 2 years. What makes the issue especially troublesome is that it often isn't nefarious by nature; rather, it's a matter of users inadvertently making ill-advised decisions about which apps are able to see and transfer their information. The main challenge is how to implement an app vetting process that does not overwhelm the administrator and does not frustrate the users. Turning to mobile threat defense (MTD) solutions products such as Symantec's Endpoint Protection Mobile. These utilities scan apps for ‘leaky behavior’ and can automate the blocking of problematic processes.These solutions won't always cover leakage that happens as a result of overt user error — something as simple as transferring company files onto a public cloud storage service, pasting confidential info in the wrong place, or forwarding an email to an unintended recipient. That's a challenge the healthcare industry is currently struggling to overcome - ‘accidental disclosure’ was the top cause of data breaches reported by healthcare organisations in the third quarter of 2018. That category combined with insider leaks accounted for nearly half of all reported breaches during that time span. For that type of leakage, data loss prevention (DLP) tools may be the most effective form of protection. Such software is designed explicitly to prevent the exposure of sensitive information, including in accidental scenarios.
Out-of-date devices: Smartphones, tablets, and smaller connected devices commonly known as the Internet of Things (IoT) pose a new risk to enterprise security in that unlike traditional work devices, they generally don't come with guarantees of timely and ongoing software updates. This is true particularly on the Android front, where the vast majority of manufacturers are embarrassingly ineffective at keeping their products up to date both with operating system (OS) updates and with the smaller monthly security patches between them. As well as with IoT devices, many of which aren't even designed to get updates in the first place. Many of them don't even have a patching mechanism built in, and that's becoming more and more of a threat. The IOT is ‘an open door’ according to cybersecurity firm Raytheon, which sponsored research showing that 82% of IT professionals predicted that unsecured IoT devices would cause a data breach (likely catastrophic) within their organisation. A strong policy goes a long way but until the IoT landscape becomes less of a concern, it falls upon a company to create its own security net around them.
Cryptojacking attacks: Cryptojacking is a type of attack where someone uses a device to mine for cryptocurrency without the owner's knowledge. If all that sounds like technical speak, just know this - the cryptomining process uses your company's devices for someone else's gain. It leans heavily on your technology to do it which means affected phones will probably experience poor battery life and could even suffer from damage due to overheating components. While cryptojacking originated on the desktop, it saw a surge on mobile from late 2017 through the early part of 2018. Unwanted cryptocurrency mining made up a third of all attacks in the first half of 2018. Since then, things have reduced, especially in the mobile domain, a move aided largely by the banning of cryptocurrency mining apps from both Apple's iOS App Store and the Android-associated Google Play Store. Still, security firms note that attacks continue to see some level of success via mobile websites (or even just rogue ads on mobile websites) and through apps downloaded from unofficial third-party markets. For now, there's no great answer aside from selecting devices carefully and sticking with a policy that requires users to download apps only from a platform's official storefront, where the potential for cryptojacking code is markedly reduced. Realistically, there's no indication that most companies are under any significant or immediate threat, particularly given the preventative measures being taken across the industry. Still, given the fluctuating activity and rising interest in this area over the past months, it's something well worth being aware of and keeping an eye on
Inadequate passwords: You'd think we'd be past this point by now, but somehow, users still aren't securing their accounts properly and when they're carrying phones that contain both company accounts and personal sign-ins, that can be particularly problematic. Most people seem completely oblivious to their oversights in this area. In the Google and Harris Poll survey, 69% of respondents gave themselves an A or B at effectively protecting their online accounts, despite subsequent answers that indicated otherwise. Clearly, you can't trust a user's own assessment of the matter.
Physical breaches: Something that seems especially hard to believe but remains a disturbingly realistic threat. A lost, or unattended device can be a major security risk, especially if it doesn't have a strong PIN or password and full data encryption. Consider the following, in its 2019 mobile threat landscape analysis, Wandera found that 43% of companies had at least one smartphone in their roster without any lock screen security. And among users who did set up passwords or PINs on their devices, the firm reports, many opted to use the bare-minimum four-character code (e.g. 1-2-3-4) when given the opportunity. The take-home message is simple -leaving the responsibility in users' hands isn't enough - don't make assumptions make policies.
Mobile ad fraud: Mobile advertising generates a lot of revenue. Cyber criminals follow the money, so it’s no surprise they’ve found ways to siphon cash from mobile ad revenue streams. Estimates on how much ad fraud costs vary, but Juniper Research projects a $100 billion loss per year by 2023. Ad fraud can take several forms, but the most common is using malware to generate clicks on ads that appear to be coming from a legitimate user using a legitimate app or website. For example, a user might download an app that offers a legitimate service, such as a weather forecast or messaging. In the background, however, that app generates fraudulent clicks on legitimate ads that appear on the app. Publishers are typically paid by the number of ad clicks they generate, so mobile ad fraud steals from companies’ advertising budgets and can deprive publishers of revenue. The biggest victims are mobile advertisers and ad-supported publishers, but ad fraud does harm to mobile users, too. As with cryptojacking, ad fraud malware runs in the background and can slow a smartphone’s performance, drain its battery, incur higher data charges, or cause overheating. Based on its own tracking data, security vendor Upstream estimates that smartphone users lose millions of dollars each year due to higher data charges from mobile ad malware. Android is by far the most popular platform for mobile ad fraud.
Mobile technology is now an essential part of modern business, with more of our data being stored on tablets and smartphones. What's more, these devices are now as powerful as traditional computers, and because they leave the safety of the office (and home), they need even more protection than 'desktop' equipment. With this in mind, here are some quick tips that can help keep your mobile devices (and the information stored on them) secure:
o Keep your phone locked
o Set secure passwords - switch on password protection
o Keep your device's operating system (OS) and Apps up-to-date
o Make sure lost or stolen devices can be tracked, locked, or wiped
o Only connect to secure Wifi
o Beware of downloads
o Don't’ Jailbreak or Root’ your mobile – this is the practice of removing the safeguard the manufacturers have put in place so you can access anything you want
o Encrypt your data
o Install anti-virus software