Mobile Attacks Rise as Devices Become Essential to Productivity

With more people using their mobile devices for work and personal use, hackers are exploiting the vulnerabilities these activities create, according to Verizon’s fifth annual Mobile Security Index (MSI).

According to the report, which surveyed more than 600 people responsible for security strategy, policy and management, about 45% of companies suffered a breach involving a mobile device in the last 12 months—up from just over 20% a year ago.

Companies with a global presence were even more likely to have been affected. More than three in five (61%) had been hit, compared to 43% of organizations with only a local presence.

In addition, more than 70% of organizations said that mobile devices were highly critical to their organization running smoothly, while almost 20% of employees transferred company data to a personal cloud account before leaving a company.

Overall, almost two in three CISOs across all regions agreed that remote working made their organization more vulnerable to cyberattack.

Mobile Devices, Mobile Attacks

“Mobile devices have become the center of our lives,” explained Bud Broomhead, CEO at Viakoo, a provider of automated IoT cybersecurity hygiene. “This enabled threat actors to bridge from your mobile phone into virtually any other part of your life.”

He added that cybercriminals possessed more detailed information about individuals than ever before, which impacted both businesses and consumers.

In addition, most enterprises supported some form of BYOD, which meant a consumer-level hack could result in an enterprise being compromised. Broomhead said that ensuring employees are not using personal passwords in their work environment can help to reduce the possibility of compromise.

“However, the blurred lines between work life and home life are making it easier for cybercriminals to perform exploits aimed at enterprise systems and data,” he said.

When asked how critical mobile devices were to the smooth running of their organization on a ten-point scale, 91% of survey respondents answered seven or above—and 78% answered eight or higher. The picture was very similar regardless of the reach of company operations (local, regional or global) and company size (small, medium or enterprise size).

Hank Schless, senior manager of security solutions at Lookout, a security service edge (SSE) provider, agreed that mobile devices are now an essential part of how an organization’s workers stay productive, both in their work and personal lives.

“They now have instant access to what they need from anywhere, whether it’s cloud-based productivity suites like Microsoft 365 and Google Workspace or SaaS apps like Workday and Salesforce,” he said. “On the same device, they can pay bills, book doctor’s appointments and interact with others on social media.”

Cybersecurity and Systemic Threats

However, the mix of personal and professional use opens organizations up to a broad spectrum of threats on mobile devices.

“Organizations need to think about cybersecurity as a system-wide initiative that is constantly evolving and requires buy-in from every employee,” Schless said. “Making your employees aware that risky behavior on a mobile device can affect the security standing of your entire organization is critical.”

The organization’s IT and security teams also need to ensure they’re covering every endpoint against the latest threats—especially personal or unmanaged mobile devices that aren’t under their control.

Broomhead explained that security awareness training is a good starting point, but organizations should build upon it, especially for situations that are unique to them.

“For example, organizations with IoT devices will need to pay special attention to keeping them on separate networks and keeping their firmware up-to-date with the latest security fixes,” he said.

In addition to training, he said organizations of all sizes should have a process to test or audit employees to make sure the security training can be carried through in the actions employees take.

Schless added that the rapid adoption of cloud services has lent itself perfectly to the use of mobile devices.

These apps make it easy for any employee to be productive from anywhere so long as they have a device that can connect to the internet—regardless of whether that’s a laptop, smartphone or tablet.

“But this environment also turns the way we think about security inside out,” he explained. “Traditionally, everything resided within a defined space—often in the form of a corporate office.”

Now, users and endpoints can connect from anywhere, which means perimeter-based security solutions can’t help protect against these mobile threats.

These threats can include anything from a phishing attack delivered via SMS to an app with a critical vulnerability or a public Wi-Fi network that exposes the mobile device to new risks.

Schless said in addition to the need to protect against phishing, app, device and network threats, organizations also need to think more holistically about security.

“As this year’s Verizon MSI alluded to, mobile devices are tightly connected to the cloud,” he said. “So whether the challenge is expanding the use of BYOD or trying to prevent ransomware from infecting your infrastructure, you need to understand that cloud security is a big part of protecting your organization’s sensitive data.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
