If there is one device we as humans increasingly seem unable to live without, it’s our phones – a.k.a. mobile devices.
We use them for everything, from booking transport to ordering food, checking the weather to watching our favourite movies; and oh my, the anxiety should our batteries go dead or we can’t access the Internet for a day! But despite how significant mobile devices are in our modern, daily lives, they are among the least protected devices we own. Mobile device security is at the top of every company’s worry list these days — and for good reason: Nearly all workers now routinely access corporate data from smartphones, and that means keeping sensitive info out of the wrong hands is an increasingly difficult task. The stakes, suffice it to say, are higher than ever: The average cost of a corporate data breach is $21,155 per day, according to a 2016 report by the Ponemon Institute.
The more realistic mobile device security hazards lie in some of these easily overlooked areas:
A smartphone knows everything about us
A person would probably not consider it smart to leave their debit and credit cards, ID number and just about every other piece of personal information lying about in public, but many people have no problem keeping all that info, along with the log-in credentials required, on their phone. The same phone that may or may not even have a screen lock, much less any real security.
It’s a route into your wallet
Not only is a phone a repository for payment cards, it is also a mobile payment platform hosting the owner’s Google, Apple or Samsung payment info. This type of convenience leads to the next reason criminals love smartphones.
Autofill has become our best friend
Because we always have our phones, and they have the ability to make simple tasks like entering a bank easy, we have filled them with even more information, making them extremely valuable to anyone with a criminal nature.
It may sound like a diagnosis from the robot urologist, but data leakage is widely seen as being one of the most worrisome threats to enterprise security. What makes the issue especially vexing is that it often isn’t criminal by nature; rather, it’s a matter of users inadvertently making ill-advised decisions about which apps are able to see and transfer their information. According to specialist insurance provider Beazley, “unintended disclosure” was responsible for a full 41 percent of data breaches reported by healthcare organisations in the first three quarters of 2017 — more than double the next highest cause.
“The main challenge is how to implement an app vetting process that does not overwhelm the administrator and does not frustrate the users,” says Dionisio Zumerle, research director for mobile security at Gartner. He suggests turning to mobile threat defence (MTD) solutions — products like Symantec’s Endpoint Protection Mobile, CheckPoint’s SandBlast Mobile, and Zimperium’s zIPS Protection. Such utilities scan apps for “leaky behaviour,” Zumerle says, and can automate the blocking of problematic processes.
The tried-and-true tactic of trickery is just as troubling on the mobile front as it is on desktops. Despite the ease with which one would think social engineering cons could be avoided, they remain astonishingly effective.
A staggering 90 percent of data breaches observed by Verizon’s Enterprise Solutions division are the result of phishing, according to the company’s 2017 Data Breach Investigations Report. While only 7 percent of users fall for phishing attempts, Verizon says, those gullible guys and gals tend to be repeat offenders: The company estimates that in a typical organisation, 15 percent of users who are successfully phished will be phished at least one more time within the same year.
What’s more, numerous bits of research suggest users are more vulnerable to phishing from mobile devices than desktops — by as much as three times, according to an IBM study, in part because a phone is where people are most likely to first see a message.
A mobile device is only as secure as the network through which it’s transmitting data. In an era where we’re all constantly connecting to public Wi-Fi networks, that means our info often isn’t as secure as we might assume.
Just how significant of a concern is this? According to new research being released by enterprise security firm Wandera, corporate mobile devices use Wi-Fi almost three times as much as they use cellular data. Nearly a quarter of devices have connected to open and potentially insecure Wi-Fi networks, and 4 percent of devices have encountered a man-in-the-middle attack — in which someone maliciously intercepts communication between two parties. If you don’t have a VPN, you’re leaving a lot of doors on your perimeters open.
There is more to cybersecurity than keeping your data out of the wrong hands. A phone also knows where you are, where you have been, where you work and where you hang out: all bits of info that could be a problem if they happen to fall into the wrong hands.
Criminals have been quick to capitalise on a smartphone’s many points of entry and exit, such as Wi-Fi, 4G and Bluetooth. For several years now, Bluetooth has been a regular feature on smartphones and other mobile devices. Yet, like GPS, it is still seen as a potential entry point for cybercriminals. Such an attack can result in Bluesnarfing, where a phone’s private information is compromised, or Bluebugging, which allows a criminal to more or less take complete control of your phone. Luckily, while there is a risk, these methods are becoming increasingly hard for hackers to exploit.
Mobile specific scams
Criminals are also able to take advantage of one smartphone feature few people even use today: the phone call. In countries like China, for example, malware can be used to access devices and force them to call premium numbers that charge large amounts. These scams are not only potentially lucrative, but can also spread across large numbers of devices.
Physical device breaches
Last but not least: A lost or unattended device can be a major security risk, especially if it doesn’t have a strong PIN or password and full data encryption.
Consider the following: In a 2016 Ponemon Institute study, 35 percent of professionals said their work devices had no mandated measures in place to secure accessible corporate data. Worse yet, nearly half of those surveyed said they had no password, PIN, or biometric security guarding their devices — and about two-thirds said they didn’t use encryption. Sixty-eight percent of respondents indicated they sometimes shared passwords across personal and work accounts accessed via their mobile devices.
The take-home message is simple: your mobile device security should be treated in the same way you would your own home, bank card and private information.