Mobile security is – or at least should be – at the top of every company’s worry list these days – and for good reason: Nearly all employees now routinely access corporate data from smartphones and that means keeping sensitive info out of the wrong hands is an increasingly complicated business. Therefore, the stakes are higher than ever with the average cost of a corporate data breach being at nearly $4 million, according to a 2018 report by the Ponemon Institute. That’s 6.4% more than the estimated cost just one year earlier. However, while it’s easy to focus on the sensational subject of malware, the truth is that mobile malware infections are incredibly uncommon in the real world. And yet, we can expect mobile security threats to become more serious in 2019. Here is what we can expect.
1) Leaked data
Data leakage is widely seen as being one of the most worrisome threats to enterprise security in 2019. When it comes to a data breach, companies have a nearly 28% chance of experiencing at least one incident in the next two years, based on Ponemon’s latest research. What makes the issue especially vexing is that it often isn’t nefarious by nature; rather, it’s a matter of users inadvertently making ill-advised decisions about which apps are able to see and transfer their information.
The main challenge here is how to implement an app vetting process that doesn’t overwhelm the administrator and doesn’t frustrate the users, so automating the blocking of problematic processes would help the matter significantly.
On the other hand, even that won’t always cover leakage that happens as a result of overt user error – something as simple as transferring company files onto a public cloud storage service, pasting confidential info in the wrong place or forwarding an email to an unintended recipient. That’s a challenge the healthcare industry is currently struggling to overcome – “accidental disclosure” combined with insider leaks accounted for nearly half of all reported breaches in 2018.
For that type of leakage, data loss prevention (DLP) tools may be the most effective form of protection which is designed explicitly to prevent the exposure of sensitive information, including in accidental scenarios.
2) Social engineering
A staggering 91% of cyber crime starts with email, according to a 2018 report by security firm FireEye. The firm refers to such incidents as “malware-less attacks,” since they rely on tactics like impersonation to trick people into clicking dangerous links or providing sensitive info. Phishing, specifically, grew by 65% over the course of 2017, the company says, and mobile users are at the greatest risk of falling for it because of the way many mobile email clients display only a sender’s name – making it especially easy to spoof messages and trick a person into thinking an email is from someone they know or trust.
In fact, users are three times more likely to respond to a phishing attack on a mobile device than a desktop, according to an IBM study – in part simply because a phone is where people are most likely to first see a message. While only 4% of users actually click on phishing-related links, according to Verizon’s 2018 Data Breach Investigations Report, those gullible guys and gals tend to be repeat offenders: The company notes that the more times someone has clicked on a phishing campaign link, the more likely they are to do it again in the future. Verizon has previously reported that 15% of users who are successfully phished will be phished at least one more time within the same year.
Moreover, the line between work and personal computing is also continuing to blur. More and more workers are viewing multiple inboxes – connected to a combination of work and personal accounts – together on a smartphone and almost everyone conducts some sort of personal business online during the workday. Consequently, the notion of receiving what appears to be a personal email alongside work-related messages doesn’t seem at all unusual on the surface, even if it may, in fact, be a ruse.
3) Wi-Fi interference
A mobile device is only as secure as the network through which it transmits data. In an era where we’re all constantly connecting to public Wi-Fi networks, that means your info often isn’t as secure as you might assume.
Just how significant of a concern is this? According to research by enterprise security firm Wandera, corporate mobile devices use Wi-Fi almost 3 times as much as they use mobile data. Nearly 25% of devices have connected to open and potentially insecure Wi-Fi networks and 4% of devices have encountered a man-in-the-middle attack – in which someone maliciously intercepts communication between two parties – within the most recent month. McAfee, meanwhile, says network spoofing has increased “dramatically” as of late, and yet less than 50% of people bother to secure their connection while traveling and relying on public networks.
“These days, it’s not difficult to encrypt traffic,” says Kevin Du, a computer science professor at Syracuse University who specializes in smartphone security. “If you don’t have a VPN, you’re leaving a lot of doors on your perimeters open.”
Selecting the right enterprise-class VPN, however, isn’t so easy. As with most security-related considerations, a tradeoff is almost always required. “The delivery of VPNs needs to be smarter with mobile devices, as minimizing the consumption of resources – mainly battery – is paramount,” Gartner’s Zumerle points out. An effective VPN should know to activate only when absolutely necessary, he says, and not when a user is accessing something like a news site or working within an app that’s known to be secure.
4) Cryptojacking attacks
A relatively new addition to the list of relevant mobile threats, cryptojacking is a type of attack where someone uses a device to mine for cryptocurrency without the owner’s knowledge. Moreover, the cryptomining process uses your company’s devices for someone else’s gain. It leans heavily on your technology to do it – which means affected phones will probably experience poor battery life and could even suffer from damage due to overheating components.
While cryptojacking originated on the desktop, it saw a surge on mobile from late 2017 through the early part of 2018. Unwanted cryptocurrency mining made up a third of all attacks in the first half of 2018, according to a Skybox Security analysis, with a 70% increase in prominence during that time compared to the previous half-year period. And mobile-specific cryptojacking attacks absolutely exploded between October and November of 2017, when the number of mobile devices affected saw a 287% surge, according to a Wandera report.
For now, there’s no great answer – aside from selecting devices carefully and sticking with a policy that requires users to download apps only from a platform’s official storefront, where the potential for cryptojacking code is markedly reduced – and realistically, there’s no indication that most companies are under any significant or immediate threat, particularly given the preventative measures being taken across the industry. Still, given the fluctuating activity and rising interest in this area over the past months, it’s something well worth being aware of and keeping an eye on in the coming year.
5) Physical device breaches
Last but not least – lost or unattended device can be a major security risk, especially if it doesn’t have a strong PIN or password and full data encryption. In a 2016 Ponemon study, 35% of professionals indicated their work devices had no mandated measures in place to secure accessible corporate data. Worse yet, nearly half of those surveyed said they had no password, PIN or biometric security guarding their devices – and about two-thirds said they didn’t use encryption. 68% of respondents indicated they sometimes shared passwords across personal and work accounts accessed via their mobile devices.