Mobile security is at the top of every company’s worry list these days — and for good reason: Nearly all workers now routinely access corporate data from smartphones, a trend that’s grown even more prominent thanks to the ongoing global pandemic. The vast majority of devices interacting with corporate data are now mobile, in fact — some 60%, according to Zimperium — and that number is only bound to keep climbing as the world acclimates to our new remote-work reality.
All that means keeping sensitive information out of the wrong hands is an increasingly intricate puzzle. The stakes, suffice it to say, are higher than ever: The average cost of a corporate data breach is a whopping $3.86 million, according to a 2020 report by the Ponemon Institute. That’s 6.4% more than the estimated cost just three years earlier, and the nature of the pandemic is expected to bring that cost up further yet, given the extra challenges presented by the work-from-home arrangement.
While it’s easy to focus on the sensational subject of malware, the truth is that mobile malware infections are uncommon in the real world — with your odds of being infected significantly less than your odds of being struck by lightning, according to one memorable estimate. Malware ranks as one of the least common initial actions in data breach incidents, as noted by Verizon’s 2020 Data Breach Investigations Report. That’s thanks to both the nature of mobile malware and the inherent protections built into modern mobile operating systems.
The more realistic mobile security hazards lie in some often-underemphasized areas, all of which are only expected to become more pressing in the months ahead:
1. Social engineering
The tried-and-true tactic of trickery is more troubling than ever in light of the pandemic, and that’s especially true on the mobile front. Phishing attacks have increased six-fold since the start of COVID, according to Zimperium, and mobile devices are now the main target — with COVID-connected schemes, specifically, on the rise.
“[Scammers] know people are working from home and are spending more time on their mobile devices and are not taking the same precautions as they may on traditional computers,” says Nico Chiaravillio, vice president of security research at Zimperium. “From an attacker’s perspective, it’s supply and demand.”
Think it couldn’t affect your company? Think again. A staggering 91% of cybercrime starts with email, according to a report by security firm FireEye. It refers to such incidents as “malware-less attacks,” since they rely on tactics like impersonation to trick people into clicking dangerous links or providing sensitive info. Phishing has been growing rapidly over the past few years, the company says, and mobile users are at the greatest risk of falling for it because of the way many mobile email clients display only a sender’s name — making it especially easy to spoof messages and trick a person into thinking an email is from someone they know or trust.
What’s more, despite the ease with which one would think social engineering cons could be avoided, they remain astonishingly effective in the mobile domain. Users are three times more likely to respond to a phishing attack on a mobile device than a desktop, according to an IBM study — in part because a phone is where people are most likely to first see a message. Verizon’s research supports that conclusion and adds that the smaller screen sizes and corresponding limited display of detailed information on smartphones (particularly in notifications, which frequently include one-tap options for opening links or responding to messages) can also increase the likelihood of phishing success.
Beyond that, the prominent placement of action-oriented buttons in mobile email clients and the unfocused, multitasking-oriented way workers tend to use smartphones amplify the effect. The fact that most web traffic is now happening on mobile devices only further encourages attackers to target that front.
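The display-name problem described above is easy to check for on the server or gateway side, where the full From header is still visible. The following is an added example, not code from the article or from any vendor it quotes: it parses a handful of constructed From headers, compares the display name against a constructed directory of trusted colleagues, and flags the two spoofing patterns a mobile client would hide (a trusted name paired with a foreign address, and an address stuffed into the display name). The directory, domain, and sample headers are all assumptions made for illustration.

```python
# Added example: flag display-name spoofing in email From headers.
# Nothing here is from the article; the directory and samples are constructed.
from email.utils import parseaddr

# Constructed directory of trusted senders: display name -> expected address.
TRUSTED_CONTACTS = {
    "Jane Doe": "jane.doe@example.com",
    "IT Helpdesk": "helpdesk@example.com",
}
# Case-insensitive lookup table built from the directory above.
_TRUSTED_BY_NAME = {n.lower(): a.lower() for n, a in TRUSTED_CONTACTS.items()}

# Constructed sample From headers, as a mail gateway would see them.
SAMPLE_FROM_HEADERS = [
    '"Jane Doe" <jane.doe@example.com>',                      # genuine
    '"Jane Doe" <jane.doe.example@mail-freehost.invalid>',    # name reused, foreign address
    'IT Helpdesk <helpdesk@example.com>',                     # genuine
    '"IT Helpdesk" <it-helpdesk-example@reset-now.invalid>',  # name reused, foreign address
    '"jane.doe@example.com" <x@evil.invalid>',                # address hidden in display name
    'Unknown Vendor <billing@vendor.invalid>',                # not in directory
]


def check_from_header(header):
    """Return (display_name, address, verdict) for one From header.

    Verdicts: "ok", "display-name-mismatch", "address-in-display-name",
    "unknown-sender".
    """
    name, addr = parseaddr(header)
    name = " ".join(name.split())   # collapse whitespace in the display name
    addr = addr.lower()
    # A display name that itself looks like an email address, but differs from
    # the real address, is a classic trick against clients that show only names.
    if "@" in name and name.lower() != addr:
        return name, addr, "address-in-display-name"
    expected = _TRUSTED_BY_NAME.get(name.lower())
    if expected is None:
        return name, addr, "unknown-sender"
    if addr == expected:
        return name, addr, "ok"
    return name, addr, "display-name-mismatch"


def flagged(headers):
    """Return only the headers whose verdict indicates spoofing of a known name."""
    spoof_verdicts = {"display-name-mismatch", "address-in-display-name"}
    return [(h, check_from_header(h)[2]) for h in headers
            if check_from_header(h)[2] in spoof_verdicts]


if __name__ == "__main__":
    for header, verdict in flagged(SAMPLE_FROM_HEADERS):
        print(f"{verdict:26} {header}")
```

An "unknown-sender" verdict is deliberately not treated as spoofing; it is simply a sender the directory does not know, which is the normal case for most external mail. Note that `parseaddr` only recovers the display name when it is quoted or otherwise well-formed, so a gateway check like this complements, rather than replaces, proper SPF/DKIM/DMARC validation.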
While only around 3.4% of users actually click on phishing-related links, according to Verizon’s most current data, earlier Verizon research indicates that those gullible guys and gals tend to be repeat offenders. The company notes that the more times someone has clicked on a phishing campaign link, the more likely they are to do it again in the future. Verizon has previously reported that 15% of users who are successfully phished will be phished at least one more time within the same year.
“We do see a general rise in mobile susceptibility driven by increases in mobile computing overall [and] the continued growth of BYOD work environments,” says John “Lex” Robinson, information security and anti-phishing strategist at PhishMe, a firm that uses real-world simulations to train workers on recognizing and responding to phishing attempts.
Robinson notes that the line between work and personal computing is also continuing to blur. More workers are viewing multiple inboxes — connected to a combination of work and personal accounts — together on a smartphone, he notes, and almost everyone conducts some manner of personal business online during the workday (even when there isn’t an active pandemic and a forced work-from-home environment). Consequently, the notion of receiving what appears to be a personal email alongside work-related messages doesn’t seem at all unusual on the surface, even if it may in fact be a ruse.
The stakes only keep escalating. Cybercrooks are now even using phishing to try to trick folks into giving up two-factor authentication codes designed to protect accounts from unauthorized access. Turning to hardware-based authentication — either via dedicated physical security keys like Google’s Titan or Yubico’s YubiKeys or via Google’s on-device security key option — is widely regarded as the most effective way to increase security and decrease the odds of a phishing-based takeover.
According to a study conducted by Google, New York University, and UC San Diego, on-device authentication can prevent 99% of bulk phishing attacks and 90% of targeted attacks, compared to a 96% and 76% effectiveness rate for those same types of attacks with the more phishing-susceptible traditional 2FA codes.
Beyond that, mobile-specific training and carefully selected phishing detection software are the smartest ways to keep a company’s employees from becoming the next phishing victims. “You are only as strong as the weakest link in the chain,” says Zimperium’s Chiaravillio.
2. Data leakage
It may sound like a diagnosis from the robot urologist, but data leakage is widely seen as being one of the most worrisome threats to enterprise security in 2021 — and one of the most costly, too. According to the latest research by IBM and Ponemon Institute, having a purely remote-based team can increase the average cost of a data breach by a whopping $137,000.
What makes the issue especially vexing is that it often isn’t nefarious by nature. Rather, it’s a matter of users inadvertently making ill-advised decisions about which apps are able to see and transfer their information.
“The main challenge is how to implement an app vetting process that does not overwhelm the administrator and does not frustrate the users,” says Dionisio Zumerle, research director for mobile security at Gartner. He suggests turning to mobile threat defense (MTD) solutions — products like Symantec’s Endpoint Protection Mobile, Check Point’s SandBlast Mobile, and Zimperium’s zIPS Protection. Such utilities scan apps for “leaky behavior,” Zumerle says, and can automate the blocking of problematic processes.
Even that won’t always cover leakage that happens as a result of overt user error — something as simple as transferring company files onto a public cloud storage service, pasting confidential info in the wrong place, or forwarding an email to an unintended recipient. For that type of leakage, data loss prevention (DLP) tools may be the most effective form of protection. Such software is designed explicitly to prevent the exposure of sensitive information, including in accidental scenarios.
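To make the difference between app-level leakage and plain user error concrete, here is an added example, not code from the article or from any DLP product it mentions, of the kind of outbound-content policy a DLP tool applies before a message leaves the organization. It scans constructed sample messages for two things the paragraph above alludes to: confidentiality markers being forwarded to an external recipient, and payment-card numbers (validated with the Luhn checksum so that ordinary 16-digit order numbers are not flagged). The internal domain, markers, and sample messages are assumptions made for illustration.

```python
# Added example: a minimal outbound DLP check. Not from the article or any product;
# the policy, internal domain, and sample messages are constructed for illustration.
import re

INTERNAL_DOMAINS = {"example.com"}                 # constructed: the company's own domain
CONFIDENTIALITY_MARKERS = ("confidential", "internal only", "do not distribute")

# 13 to 19 digits, optionally separated by spaces or hyphens (typical card formats).
_CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return candidate card numbers in text that also pass the Luhn check."""
    hits = []
    for m in _CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def is_external(recipient):
    """True when the recipient's domain is not one of the organization's own."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def evaluate(message):
    """Apply the policy to one message and return (decision, findings).

    decision is "block" or "allow"; findings lists what was detected even when
    the message is allowed, so an administrator can review the event later.
    """
    body = message["body"]
    findings = []
    decision = "allow"
    if find_card_numbers(body):
        findings.append("payment-card-number")
        decision = "block"                      # card data never leaves by email
    if any(marker in body.lower() for marker in CONFIDENTIALITY_MARKERS):
        findings.append("confidentiality-marker")
        if is_external(message["to"]):
            decision = "block"                  # marked content, external recipient
    return decision, findings


# Constructed sample outbound messages.
SAMPLE_MESSAGES = [
    {"to": "partner@vendor.invalid", "body": "Attached is the Q3 roadmap. CONFIDENTIAL - internal only."},
    {"to": "colleague@example.com", "body": "Attached is the Q3 roadmap. CONFIDENTIAL - internal only."},
    {"to": "support@vendor.invalid", "body": "Card on file: 4111 1111 1111 1111, please refund."},
    {"to": "support@vendor.invalid", "body": "Ref order 1234 5678 9012 3456, please refund."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(evaluate(msg), "->", msg["to"])
```

The second sample shows why recipient context matters: the same marked document is allowed internally but blocked when addressed outside the company, which is exactly the accidental-forwarding case the paragraph above describes. The fourth sample shows the Luhn check suppressing a look-alike order number that a naive digit-count rule would have flagged.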
3. WiFi interference
A mobile device is only as secure as the network through which it transmits data. In an era where we’re all constantly connecting to networks that might not be optimally secured — be they improperly configured home networks for remote workers or public WiFi networks — our information frequently isn’t as protected as we might assume.
Just how significant of a concern is this? According to research by Wandera, in a more typical year, corporate mobile devices use WiFi almost three times as much as they use cellular data. Nearly a quarter of devices connect to open and potentially insecure WiFi networks, and 4% of devices encounter a man-in-the-middle attack — in which someone maliciously intercepts communication between two parties — within an average month. Those numbers have dipped this past year due to reduced travel and fewer physical businesses being open during COVID, but that doesn’t mean the threat is gone — or that there’s no need to remain ahead of the game, even with employees working mostly from home.
“Rather than relying on man-in-the-middle attack detection to be reactive, we recommend organizations take a more proactive approach to securing remote connections,” says Michael Covington, VP of product at Wandera. “The easiest thing companies can do to encourage proper WiFi security is to simply adopt a zero-trust network access model for remote work.”
4. Out-of-date devices
Smartphones, tablets and smaller connected devices — the internet of things (IoT) — pose a risk to enterprise security in that unlike traditional work devices, they generally don’t come with guarantees of timely and ongoing software updates. This is particularly apparent on the Android front, where the vast majority of manufacturers are embarrassingly ineffective at keeping their products up to date — both with operating system updates and with the smaller monthly security patches — as well as with IoT devices, many of which aren’t even designed to get updates.
“Many of them don’t even have a patching mechanism built in, and that’s becoming more and more of a threat these days,” says Kevin Du, a computer science professor at Syracuse University who specializes in smartphone security.
In 2020, some 28% of businesses were relying on devices that not only had outdated operating system software but had software with a known security vulnerability, according to Wandera. “Though there’s certainly a trend toward allowing more unmanaged devices to be used by remote workers, the current situation seems to have put a spotlight on the real risks encountered when security posture gets too lax,” says Covington.
Adding to the pandemic-centric worry, Wandera’s data indicates a 100% increase in connections to “inappropriate content” during work hours since the start of the COVID crisis — and, well, those sorts of sites are notorious for trying to trick visitors into downloading shady stuff (or, erm, so I’ve heard). An outdated operating system makes any manner of risky material even more risky since proper protections might not be in place.
Increased likelihood of attack aside, an extensive use of mobile platforms elevates the overall cost of a data breach, according to Ponemon, and an abundance of work-connected IoT products only causes that figure to climb higher. The IoT is “an open door,” as cybersecurity firm Raytheon puts it. Raytheon sponsored research that showed 82% of IT professionals predicted that unsecured IoT devices would cause a data breach — likely “catastrophic” — within their organization.
A strong policy, however, can go a long way. Some Android devices do receive timely and reliable ongoing updates, and there are measures that can be taken to improve the security of practically any phone. Until the IoT landscape becomes less of a wild west, it falls upon a company to create its own security net around those devices.
5. Poor password hygiene
You’d think we’d be past this point by now, but somehow, users still aren’t securing their accounts properly. When they’re carrying phones that contain both company accounts and personal sign-ins, that can be particularly problematic.
A survey by Google and Harris Poll found just over half of Americans reuse passwords across multiple accounts. Equally concerning, nearly a third aren’t using 2FA (or don’t know if they’re using it — which might be a little worse). Only a quarter of people are actively using a password manager, which suggests the vast majority of folks probably don’t have strong passwords in most places, since they’re presumably generating and remembering them on their own.
Things only get dicier from there: According to one LastPass analysis, a full half of professionals have admitted to using the same passwords for both work and personal accounts. If that isn’t enough, an average employee shares about six passwords with a co-worker over the course of their employment, the analysis found.