It is 2018 – the threat landscape is intensifying and the quantity of mobile devices is soaring. That means the attack surface is broad and security practitioners have their hands full.
Although manufacturers build security protections into their devices, and malware does not hit mobile endpoints as severely as it does desktops, a number of mobile threats are poised to challenge or puzzle enterprise security pros in the coming year.
While these challenges are often difficult to defend against, awareness is the best remedy for inaction. Knowledge is power for the practicing cyber security professional. The points in this piece are particularly crucial in an environment where the number of both bring your own device (BYOD) setups and corporate-issued devices is growing.
There is also a blending of work and personal activity on these devices, meaning practitioners have their hands full in guarding the perimeter and fortifying their overall defenses. Endpoints can be harnessed into larger distributed denial of service (DDoS) attacks, or used to obtain exceedingly sensitive data. With that in mind, let’s examine different aspects of mobile security that enterprise pros should both be aware of, and act against.
Phishing
Phishing campaigns threaten almost every corner of the enterprise, from desktops to laptops to mobile devices and other internet of things (IoT) devices.
Unsurprisingly, phishing is particularly crippling on the mobile front: employees are still prone to opening malicious links and content, especially links engineered to look authentic.
In discussing this trickery, which can hand bad actors the keys to the kingdom, a December CSO Magazine piece referenced startling data: Verizon’s Enterprise Solutions division compiled its 2017 Data Breach Investigations Report and determined that 90% of the breaches it observed were phishing-related. While 7% of users fell for phishing attempts, 15% of those who were phished could be duped again in the same year.
In protecting the mobile front, phishing remains a persistent adversary. The CSO Magazine piece referenced an IBM study in which users were three times more likely to be phished on mobile devices than on desktops, because the smartphone is typically where users see the message first.
Data Loss Prevention (DLP)
Data is the prize for bad actors. Personally identifiable information (PII) and protected health information (PHI) are two of the most critical categories of data now accessed via mobile devices.
Depending on the enterprise’s storage habits, sensitive information could be dropped into public cloud accounts, making it susceptible to breach and theft. For highly regulated industries, this is perhaps the most important function of the security team: ensuring the safety and well-being of this prized possession, the data.
The rise of cloud computing and cloud services for storing massive data files calls for more stringent security protocols to play ‘gatekeeper.’
Nevertheless, the issue fans out to identity and access management (IAM) principles: the wrong employee could be given privileged access to the wrong accounts, and any number of scenarios inside the enterprise could mean that data is exposed. Once the exposure hits, the enterprise’s function and reputation could be on the line.
DLP tools should be employed to button up security measures, and administrative and privileged access should be intensely monitored. Access should only be granted to those employees who genuinely need to view the information.
Lax protocols could mean a mega-breach. That’s a formula security pros saw in 2017 – and it will likely continue.
Miscellaneous
This last category is a rapid-fire look at what other mobile security elements should be wrangled into the conversation.
Despite advances in mobile security (built in, or ‘contained’ in a secure app), phones, tablets and the like are only as secure as the Wi-Fi network they connect to. More and more staffers are using Wi-Fi instead of draining cellular data, meaning they could be linking to insecure channels.
This leaves users open to a man-in-the-middle attack, which can be avoided by using a well-known, properly functioning virtual private network (VPN).
IoT devices in the enterprise are also becoming a topic of concern. In a recent article, MediaPost relayed Cisco survey findings suggesting that 53% of consumers believe IoT makes their lives easier, but just 9% truly trust that their IoT data, collected and shared, is secure.
The survey of 3,000 consumers also speaks to the enterprise setting: when consumers are unsure of IoT capabilities or security measures, that typically translates to uneven device usage in the workplace, where users are unsure of what security patches should be in place or what precautions should be taken.
To conclude, a regular, disciplined approach to security could remedy many of these challenges. Enterprise Strategy Group (ESG) Senior Analyst Doug Cahill told the Cyber Security Hub for an upcoming report that a “regular cadence” of training sessions, red team exercises, pen testing, etc., could flush out a number of vulnerabilities or security gaps. At the very least, that should be a priority for the security team.
To learn more about mobile security’s rapidly expanding front, read the Cyber Security Hub’s upcoming Market Report, published Jan. 15, 2018!