The security of mobile devices is the top priority of many companies right now. It has been building to this for some time, since many corporate workers handle sensitive data on their smartphones at all hours. Keeping this information from falling into the wrong hands is a must, and the losses that follow a significant data leak always leave a company in the red. In 2018 alone, the average cost of any form of corporate data breach represented a loss of $3.9 million for any corporation, given the size of the leak, according to the Ponemon Institute. The figure is 6.5% higher than the overall cost of a leak in the previous year.
A lot of insiders still blame data leaks on outstanding acts of piracy or the recurrent use of malware by unethical coders. The hard truth is that these excuses don’t hold up anymore. Mobile malware infections are pretty uncommon these days. The real odds of catching a virus on your smart device are significantly lower than the odds of being attacked by a shark in the ocean. As it happens, the nature of mobile malware makes it easy to spot. Add the fact that the software created to protect modern operating systems is better than ever, and you have a winning combination right there.
One of the most realistic takes on mobile security is that some areas are genuinely overlooked, and the big companies are already planning to do something about it in 2024.
Navigate to the Threats Quickly:
1. Weak Password Maintenance
2. Work with Social Engineering
3. GPS Phone Trackers
4. Outdated Devices
5. Interference on Wi-Fi Networks
6. Data Leaks
7. Physical Breaches
8. Crypto Jacked Devices
1. Weak Password Maintenance
It’s hard to put a finger on this one, considering how many people around the world still run into problems because they don’t have a strong password to secure their data. The consequences are documented all over the place, from celebrities to big tech companies having their secrets leaked because they didn’t use a strong password. A lot of people still go out every day with unsecured accounts, handling the data of the companies they work for without taking proper measures to secure it.
A survey conducted by Harris Poll and Google found that half of Americans reuse passwords on multiple platforms. It was also concerning to find that almost a third of them are not using two-step authentication, and most of the people in this sample don’t even know what this security mechanism is. Only a quarter of the people polled use a password manager, which suggests that most of these folks don’t have a particularly strong password on the platforms they have access to. Most likely they are generating their own passwords and remembering them.
To make matters even worse, according to a study conducted by LastPass in 2018, most professionals working at a company use the same passwords for work-related tools and for their social media accounts. If that is not enough, there is also the fact that any given employee shares at least seven passwords with a co-worker during their time of employment. This data may not seem truly significant at first sight, but Verizon found in 2017 that weak passwords were the usual cause of at least 80% of all the hacking-related breaches that made the headlines.
Just take a moment to appreciate the whole picture if you are a business owner. A single mobile device in the hands of a worker who handles sensitive data can be a source of trouble if they sign in to multiple apps, websites, and other services. If the worker follows the dangerous practice of using the same password for every account they have, including the workplace systems, this can lead to massive trouble for the company itself if the worker chooses to log in to any of these services over a public Wi-Fi network. Now picture this same problem multiplied by the total number of employees in your company. It’s a ticking time bomb.
One of the most exasperating aspects of this study is that almost everyone is oblivious to this oversight. At least 69% of the people in the sample of the study conducted by Harris Poll and Google gave themselves a top rating for their ability to protect their online accounts, even after being shown indisputable evidence to the contrary. The only thing that is pretty clear is that you can’t trust a user’s personal assessment of this matter.
2. Work with Social Engineering
Trickery is one of the oldest methods of making people fall for scams all over the world. The internet opened a new window of opportunity for these bad guys, and despite the best efforts on every front to prevent fraud, people still fall flat for them, no matter whether they are using their desktops or their smartphones. It’s very troubling that these social engineering cons remain so effective, but that also happens because they always find a way to reinvent themselves.
Most cybercrime happens through e-mail accounts. According to security firm FireEye, at least 90% of those affected fall for an e-mail they shouldn’t have clicked on in the first place. Most of these incidents rely on tactics such as impersonating established companies or services to make people click on dangerous links or provide sensitive information. Phishing is the most common cybercrime; it grew exponentially in 2017, to at least 65% across the internet. Mobile users are the ones who fall for it most easily, since a lot of these fake e-mails appear to come from a trusted source whose identity the sender has managed to spoof to trick a person.
IBM has also released the results of a study revealing that users are three times more likely to fall for a phishing attack on a mobile phone than on a desktop. This happens because smartphones are usually where most folks see a message first. According to Verizon, only 4% of e-mail users click on phishing links. Those who are gullible enough to fall for it once tend to be repeat offenders. The company also noted that the more often someone falls for a phishing link, the more likely they are to follow a link again. Verizon has reported that at least 15% of users who are phished will be phished again within the same year.
John Robinson, an information security strategist at PhishMe, sees mobile susceptibility as being on the rise, most likely driven by the increasing number of mobile device users and the continued growth of work environments where employees have to bring their own devices. PhishMe uses real-world simulations to teach workers how to recognize and respond to phishing attempts. Robinson also notes that all of this happens because there is now almost no difference between personal and work computing, since more people are using multiple interconnected inboxes that combine work and personal accounts on a smartphone. It’s a given that at some point anyone will deal with personal matters on the device they also use for work.
3. GPS Phone Trackers
These are mostly mobile apps, but they can come as desktop software too, and they can track and spy on a cell phone’s location remotely without the owner knowing it. The trap is set when a phone owner leaves the “allow use of location” option enabled in their mobile device settings. According to the Wiper’s post, several different methods and tools developed for this purpose are already on the app market.
Make sure to review the location settings on your smartphone and allow location use only for apps that you trust and that are well known. Third-party applications should always be switched off in this section of the settings.
4. Outdated Devices
A lot of smartphones and tablets that work via networks pose risks to corporate security. The BYOD mentality is partly to blame here since, unlike a work-assigned device, your own tablet is not set up to perform timely updates of the software it needs to keep running. Android users are very familiar with this problem, since the majority of manufacturers of devices running the OS are truly ineffective at keeping their products updated on both fronts: operating system updates and the monthly security patches that fix issues. Many of these devices are not even designed to receive updates at all.
Even with the increased likelihood of an attack on the horizon, Ponemon notes that the extensive use of mobile platforms keeps raising the overall cost of any form of data breach. The large number of work-connected devices only drives up the risk. IoT, or the Internet of Things, is regarded as an open door: Raytheon, a cyber-security firm, sponsored a study showing that at least 82% of IT professionals foresaw that unsecured devices would be the cause of a data breach that would be catastrophic to any organization. Adopting new policies still goes a long way. Android devices can fix this problem, but it calls for the IoT landscape to be more organized.
5. Interference on Wi-Fi Networks
Most smart devices are only as secure as the network used to transmit their data. These days no one is a stranger to public Wi-Fi networks, but this also means that your information is not as secure as you might think it is.
According to research conducted by Wandera, an enterprise security firm, most corporate smartphones use Wi-Fi networks almost three times as much as they use cellular data. At least a quarter of the devices have been connected to an open Wi-Fi network, and at least 4% of all devices have faced some form of attack in which someone intercepts a communication between two parties with malicious intent. McAfee supports this data by stating that network spoofing has increased a lot in the last year, and still fewer than half of the people affected bother to put new security measures on their connections while relying on public networks.
Kevin Du, a smartphone security specialist who also works as a professor at Syracuse University, states that it’s not difficult to encrypt traffic these days, and that wandering around without even a basic VPN is like leaving a door open to potential attackers.
Choosing the right VPN for a company, however, is not that easy. As with most considerations related to security, some sort of trade-off is always required. Dionisio Zumerle, research director for mobile security at Gartner, states that the delivery of VPNs has to be smarter on mobile devices. It also has to minimize the consumption of resources such as battery life. A good VPN is one that activates when necessary, and not when a user is accessing a regular website or an app that is known to be secure.
6. Data Leaks
Yeah, the funny-sounding name of this threat doesn’t even compare to the amount of damage it can do to any company out there. This is probably the single greatest threat to corporate security in 2019. At the beginning of this analysis, we mentioned the low odds of being infected with malware. When it comes to a data breach, according to Ponemon, all corporations out there have a 29% chance of experiencing an incident over the next two years, meaning that any company has a one-in-four chance of being affected by this problem.
One of the most infuriating traits of this problem is that it can only be user-generated, which means that someone in your company is poised to screw up big time at some point by making a terrible decision about the apps they use on their devices and the means they use to transfer information.
Dionisio Zumerle, of Gartner, states that the challenge is to implement an app-vetting process that is not overwhelming for the administrator and does not frustrate the users. He also speaks about introducing mobile threat defense solutions, such as the Endpoint Protection Mobile software from Symantec or the SandBlast Mobile program from Check Point. There is also zIPS Protection from Zimperium. All these utilities can scan apps for any form of leaky behavior, and the blocking of troublesome processes can be automated.
These, of course, are just a few steps in the right direction. Applying them won’t cover any leak that happens as a result of human error: something as simple as transferring company files through a public cloud storage service, dragging and pasting sensitive data into the wrong place, or even forwarding an e-mail to the wrong recipient. Those are the challenges that the IoT healthcare industry is struggling to solve. Beazley, a popular insurance provider, has reported that “accidental disclosure” was the main cause of data breaches reported by organizations such as theirs in the first half of 2018. This category, in combination with “insider leaks,” is the cause of almost half the breaches reported during that time.
7. Physical Breaches
If there is something that is truly overlooked a lot of the time, it is unattended devices. As it happens, they are also a major security risk for any company, especially if they don’t have a PIN or a strong password for protection.
Just take a moment to consider the following: a study conducted by Ponemon in 2016 showed that at least 35% of professionals working at a company said that their smartphones and tablets had no measures in place to secure corporate data and that the company mandated none. It gets worse, since at least half of the people surveyed stated that they had no PIN, password or biometric security to guard their devices. Two-thirds of the people in the same sample said they didn’t know what encryption was or how it was used. And at least 68% of the respondents also indicated that they shared passwords between the personal and work accounts they access on their mobile devices.
For companies the message is blunt and straightforward: if you leave the responsibility for the care of your company’s data to your workers, you are taking a hazardous risk. Never make assumptions in this regard; it is best to create policies and enforce them. You will be grateful in the future.
8. Crypto Jacked Devices
The last threat on the list is a relatively new one, but it requires study and consideration on your end if you are the owner of a company that handles a steady flow of data. There is a new type of attack on mobile devices as well as desktops that has been nicknamed “Crypto jacking”. While the attack is pretty simple, the outcome is disastrous on your end. The attack consists of a third party using your device to mine cryptocurrencies without your knowledge. Essentially, someone else is using your computer or your smart devices to make money at your expense. Since the decentralized mining process leans heavily on physical hardware to achieve its goal, the affected devices will experience overheating damage and poor battery life.
Crypto Jacking originated on desktop computers, but it saw a big surge on mobile devices from 2017 through most of 2018. According to a Skybox Security analysis, there were many reports of hidden cryptocurrency mining, which piled up to make a grand total of one-third of all the cyber-attacks that happened in the first half of 2018. The numbers kept rising until it was determined that the increasing attacks made for an overall total of almost 70% of all the interferences experienced by users on their smart devices, seven times the numbers of the previous years. Mobile Crypto Jacking reached its peak between October and November of 2017, when the price of Bitcoin reached a historical landmark of $20,000 apiece. The number of devices affected experienced a surge of 287%, according to Wandera.
After the big drop suffered by Bitcoin, things have settled again, especially on the mobile front. It also helped a lot that Apple and Google banned cryptocurrency mining apps from the iOS App Store and Google Play Store last summer. A lot of security firms still report that the attacks continue to see some success on mobile websites or in rogue ads placed on mobile sites. There are also a lot of apps that can be downloaded from unofficial third parties that keep engaging in these activities. A few analysts have also shared their concerns about the possibility of Crypto Jacking through internet set-top boxes, which some companies use to stream video. According to Rapid7, a security firm, some hackers have found a way to take advantage of the Android Debug Bridge, a command-line tool intended for developers, as a loophole that gives them easy access to abuse other devices remotely.