Cybersecurity compromises are commonplace in the news, but rarely is it cited the compromise involved a mobile device. Attribution typically falls to vulnerabilities, social engineering, or data left in the open. With no mention of mobile devices, the perception is mobile devices are secure.
In other words, there’s no smoke, so there’s no perceived fire in the mobile threat landscape.
That perception is not accurate based on the data. A recent study by Verizon found more than 33% of businesses had a compromise involving a mobile device in 2018. The data points to a significant uptick versus 2017, in which 27% of respondents had said a mobile device was involved.
The reason for this uptick are cited as businesses “compromising mobile security to get the job done.” I believe the reality is businesses have not prioritized security for mobile devices as they perceive them to be secure, or they would not compromise.
Most interactions I’ve had with security professionals think phishing or social engineering is the only real threat in the mobile space. Given that app stores are relatively well patrolled, at least in North America, the belief is applications being installed don’t have malware. The problem is even apps from the controlled iOS and Android stores slip through with malware. And the risk is growing higher given the number of apps is in the billions.
Malware isn’t the only vector threat actors can exploit as mobile devices present other targets, such as rogue access points, jailbroken phones, and outdated OS version on older phones. Leveraging these vectors requires new Tactics, Techniques, and Procedures (TTPs), and threat actors are catching up with them.
Simultaneously, mobile devices are becoming a more appealing target for threat actors. Factors include:
- There is a growing attack surface
- The Bring Your Own Device (BYOD) trend is increasing the number of mobile devices in the workplace;
- More work is being done on mobile devices in general as they displace the traditional laptop and desktop; and
- Mobile banking is now displacing other web-based banking in terms of usage
- User awareness is low
- Mobile devices are believed to be secure by end users, making it less likely they would think they are under attack
- Attacks on mobile devices are growing more sophisticated and easier to use
- The ability to buy mobile malware is becoming easier; and
- Hardware and software enabling mobile exploits are more prevalent
Mobile Security Threats: Where is the Fire in Mobile Security?
One of the most notable findings in the study was 67% of organizations say that they are less confident about their mobile device security in 2018. Organizations are aware that mobile devices are a growing threat. Compromising to get the job done has taken a toll on their confidence.
Clearly, there’s a high fire danger here and the smoke is showing. Media attention just hasn’t caught up.
The key for organization’s security is then to prevent the fire before it happens. Many organizations now realize mobile devices are an unprotected endpoint with access to or containing all of the information of a traditional endpoint. And while there are some overlaps in what you protect – email, calendars, etc., – the way you solve the traditional endpoint security problem is completely different than how you solve the mobile security problem.
Being proactive is better than being caught unaware. At a minimum, mobile threat defense (MTD) should be considered a high priority in the face of the rising threat.
If you haven’t done so:
- Define a comprehensive mobile security policy;
- Determine how many mobile devices are connecting to your corporate network;
- Identify data at risk from storage or transaction on mobile devices; and
- Consider implementing a mobile threat defense solution (mobile endpoint protection) for your users, especially those that BYOD.