It feels like every article about cyber security starts with the following:
Cyber attacks are becoming increasingly sophisticated as cyber criminals learn how to use and exploit new technologies; the ‘security professional vs hacker’ dynamic really has morphed into a continual game of cat and mouse.
But it’s true, security threats are evolving at a rate of knots.
You only need to take note of some of the threats that have emerged in recent times: cryptojacking, that takes advantage of an unsuspecting user’s device resources; malvertising which can obfuscate adblockers; punycode attacks that appear as innocent characters in URLs; phishing tools that bypass 2fa, there are so many different techniques cybercriminals can deploy to attack an organization, so many that it’s difficult for security teams to keep up.
With the threat landscape rapidly evolving, it’s vital that companies take proactive measures to mitigate their attack surface and get a holistic view of their IT infrastructure. To think your organization is bulletproof would be naive, even negligent, it’s an attitude akin to Lehman Brothers and Enron.
The recent and very public examples of security breaches affecting internationally recognized organizations are demonstrative of how vulnerable modern companies are when it comes to cyber threats, and failing to adopt a risk averse ethos can be incredibly detrimental.
Why do enterprises need to be (more) concerned about security in 2019?
Firstly, it’s expensive.
From a fiscal perspective, the total cost of a cyber attack is estimated to be over $3.86 million, or $148 per employee according to Ponemon. Recent examples of Equifax, Carphone Warehouse and Uber are telling of how expensive data breaches can be for an organization. The cost of a comprehensive security solution is much less.
Then there’s the reputational risk. Big data breaches can be hugely damaging to corporate reputations, and in some cases irreparable. We only need to look at Facebook’s crisis in 2018, how security problems have plagued the tech giant’s reputation and how users flocked away from the platform.
The worrying trend is that cyber criminals are turning their attentions away from individuals to companies. The NCSC announced that there continues to be a growing threat to UK businesses, reportedly up 55% according to a quarterly report.
Phishing continues to be a persistent problem with 60% of organizations having experienced a mobile phishing incident, however, the worrying trend is how phishing attacks are being carefully tailored to the enterprise.
According to a phishlabs study, Software as a Service (SaaS) is an industry that has experienced significant growth in the number of phishing attacks, whereby cyber criminals impersonate services such as Dropbox or Slack to phish for user credentials.
Another phishing technique that has seen growth is Business Email Compromise (BEC) attacks whereby a scammer will pretend to be someone within the organization. In fact, the FBI announced that there had been a 136% increase in BEC scams between December 2016 and May 2017 accounting for $12 billion in redirected funds.
Phishing isn’t the only strain of cyber threat to redirect its attention toward the enterprise, malware has started making inroads. Recently, the Ryuk ransomware infected enterprises with another malware, a trojan known as Trickbot. It patiently waited, profiling victims, identifying enterprises and discarding smaller organizations. It allowed operators to generate $3.7million worth of bitcoin since August 2018.
On top of the different forms of attack, probably one of the more worrying trends is how cyber criminals are using emerging technologies to advance their threats, namely through the application of artificial intelligence (AI) and machine learning (ML). AI and ML have longed been heralded as the silver bullet for pretty much everything and cyber criminals are beginning to make use of these technologies to increase the evasiveness of their attacks.
Businesses have been investing heavily in their cyber-security infrastructure with worldwide spending on information security products and services estimated at $114 billion in 2018, however mobile devices in most organizations remain an unprotected asset left vulnerable to cyber attacks – an easy way in for opportunistic cyber criminals.
Why are hackers targeting mobile devices?
Mobile Adoption & Usage
Mobile usage has surpassed that of the desktop and its global market share is practically on par; 4G-LTE has accelerated adoption and we’ve now got 5G on the horizon. We’ve quickly embraced smartphones as our device of choice and the platform for future development. Business benefits include increased flexibility and productivity, however this increase in mobile data traffic and the adoption of business mobile applications like email and CRM apps means that more sensitive corporate data, that was previously protected by a comprehensive onsite infrastructure, is now vulnerable to app leaks, mobile malware, and man-in-the-middle attacks as soon as mobile devices leave the safety of the internal security infrastructure.
Not wanting to state the obvious, but smartphones are just compressed versions of our desktops (duh) with much of the same functionality, less friction in terms of accessibility and far more aligned with modern lifestyle. In our nomophobic culture, where our mobile devices are seldom out of reach, employees are having more and more touchpoints with their smartphones, 40% of people check work emails five times a day outside office hours.
From a cyber criminal’s perspective, there is so much more data up for grabs on a mobile phone, data that is continually updated – location data, personal and corporate login credentials and audio recordings.
Mobile User Behavior
Our user behavior is very different on a mobile device compared to a desktop. We’re often in a distracted state, the screen is much smaller and our fingers operate as an imprecise cursor – it’s very easy to accidentally click on a dubious attachment in an email or a suspicious link in a text. We’re also somewhat blasé about app permissions, how many times have you thoroughly read through the permissions you give new apps? We are used to treating our phones as personal devices and use them almost constantly; phones are checked as soon as we wake up in the morning to last thing before bed when we are tired, in other words, our guard is down when we are on our mobile devices.
Comparing mobile security with more traditional network security, you would be hard pushed to find a company without a comprehensive solution for the latter, in fact, it would be considered irresponsible and negligent to not have a solution in place, yet this attitude, this level of vigilance isn’t the same for mobile security. Solutions have been slowly adopted for mobile, Gartner expects 30% of organizations to have a mobile threat defense (MTD) solution in place by 2020, an increase from less than 10% in 2018, which seems on the low side given how many companies use mobile technology on a daily basis.
The culmination of all these trends mentioned above makes mobile an attractive form factor for cyber criminals. Now old-school attacks that we had learned to combat on desktops are working on mobile and cyber criminals are reaping the rewards. Additionally, there are some mobile attack vectors that non-mobile security solutions just can’t protect against.
There are a number of misconceptions when it comes to our smartphones: official app stores are safe, iOS can’t get viruses, apps from trusted brands are safe, mobile device management (MDM) is enough, but the reality is a smartphone is just as susceptible to attacks. More traditional network security fails to cover some of the attack vectors associated with mobile devices, namely short message service (SMS) and apps.
SMS attacks are very specific to mobile devices and ultimately come down to the installation of malware or stealing login credentials. Smishing, the SMS form of phishing, is a common approach whereby attackers socially engineer victims into installing malicious software onto their device or unknowingly sharing their sensitive data. This threat is further perpetuated by SMS spoofing, whereby suggested contacts features allow the attacker to be misassociated with a credible contact. Having proper protections in place to ensure that employees aren’t duped into entering their details and installing malicious programs onto their devices is more important than ever.
App leaks are an issue you’ve probably heard a lot about in the news. Without a proper mobile security solution in place, like mobile threat defense, you’re leaving your company exposed to sensitive data being leaked. Some recent examples include:
- Strava leaked the exercise routines of military personnel
- MyFitnessPal leaked usernames, email addresses and scrambled passwords
- Commercial spyware app, TeenWipe, leaked the account details of parents and children
- Air Canada’s app suffered a data breach resulting in the suspected loss of thousands of its customers’ personal details
These are all well-known brands and as consumers, we rely on these companies to adopt security best practices. It is important to consider the legal responsibility of a business to comply to GDPR regulations, and yet a lot of companies have no visibility or measures in place to understand and prevent data leaks on their mobile devices that can happen even by using seemingly trustworthy, mainstream apps.
Many high profile app data leaks are down to negligence more than malice however, malicious apps are a problem for both the Apple Store and Play Store, although they tend to affect the latter more often. Both official app stores have processes in place to catch malicious apps prior to being uploaded for consumption, but, occasionally, the odd naughty app sneaks through. Just recently, Google had to remove a number of apps from its play store due to being infected with malware.
On top of downloading apps from official sources, companies need to be wary of employees downloading apps from unofficial sources or sideloading apps. Jailbreaking or rooting devices compromise OS security features, opening up the device to new potential threats, which may also be symptomatic of high-risk user behavior.
Why should enterprises invest in Mobile Security in 2019?
With cyber security threats, mobile usage and attacks targeting businesses continually on the rise it is important to acknowledge that cyber criminals are turning their attention to mobiles as an easy way in to an otherwise secure corporate network and with so many new attack vectors to choose from on mobile, the end user is not prepared to handle these new attacks and the cyber criminals are seeing success. Although MDM and UEM solutions are a great first step towards gaining control over an enterprise mobile estate: as Gartner has stated “Malicious threats or data leakage risks elude EMM controls.” Mobile Threat Defense is the new security frontier that businesses need to begin to invest in to make sure that their corporate network and data is secure. Wandera provides analyst rated and industry-leading Mobile Threat Defense.