Attacks On Mobile Devices Are On The Rise
“Every year, we’ve seen the number of companies suffering mobile security compromises rise, and this year was no exception. Despite everything that’s at stake, many businesses still sacrificed security—and those that did were more likely to have been hit.” – Verizon Mobile Security Index 2020 Report.
Here’s a quick summary of Verizon’s Mobile Security Index 2020 Report.
Methodology: Verizon worked with the following leaders in mobile device security to produce this report: Asavie, IBM, Lookout, MobileIron, NetMotion, Netskope, Symantec, VMware, Wandera, the FBI, and the United States Secret Service. Verizon also worked with 876 independent professionals who are responsible for the buying and managing of mobile and Internet of Things (IoT) devices.
The problem continues to get bigger.
When asked, ‘Has your organization experienced a security compromise involving mobile/IoT devices during the past year?’, 39% said they were compromised, compared to 33% in 2019 and 27% in 2018.
Companies are still cutting corners despite being fully aware of the risks.
When asked, ‘Has your organization ever sacrificed the security of mobile devices (including IoT devices) to “get the job done” (e.g., meet a deadline or productivity targets)?’, 43% said that they had sacrificed security, compared to 48% in 2019 and 32% in 2018.
Speed and convenience are more important than security.
When asked, ‘Which of the following drove you to sacrifice mobile security?’, 62% of respondents said expediency, 52% said convenience, 46% said profitability targets, 27% said lack of budget, and 26% said lack of expertise.
Everybody is suffering.
When asked, ‘If your organization suffered a security compromise, how serious was the impact? If the compromise was major, did this involve lasting repercussions?’, 55% of companies said that the impact was major, 24% said moderate, and 10% said minor. 55% of those companies said that the repercussions were lasting.
29% said that they had suffered a regulatory penalty as a result of a mobile-related security compromise.
It’s not just your data at risk.
Consequences of a mobile-related compromise include downtime, loss of data, compromise of other devices, damage to reputation, regulatory penalties, and loss of business.
According to the report, “Whether they’re deliberately breaking policy or inadvertently opening up vulnerabilities, users are a target. Social engineering remains one of the most powerful tools in the cybercriminal arsenal. And attackers are finding increasingly innovative ways to exploit and manipulate users.”
32% of confirmed data breaches involved phishing. Criminals are becoming smarter, constantly innovating and devising new techniques to push past your spam filters, which is why the incidence of phishing attacks remains so high. Phishing emails are even tougher to spot on your mobile device.
According to the Secret Service, “The average loss from a bank robbery is about $3,000. The average loss from a successful business email compromise attack is nearly $130,000.”
Hackers are getting clever when it comes to hiding phishing links.
- They use a different top-level domain. For example, company.net instead of company.com.
- They use homoglyph/punycode. For example, c0mpany.net or cmpany.com.
- They use what looks like an official domain. For example, company-support.com.
- They add details to confuse you. For example, company.com.supportservices/new-password
Learn how to quickly spot a phishing email here.
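The four link-hiding patterns listed above can be checked mechanically. The following is an added example, not part of the original article or the Verizon report: it compares a link's host against one trusted domain and names which pattern it matches. The function names, the digit-swap table, the use of `company.com` as the trusted domain, and the sample links are assumptions made for illustration, and the last two host labels are treated as the registered domain (no public-suffix list).

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed, non-exhaustive digit-for-letter swaps (assumption for this example).
DIGIT_SWAPS = str.maketrans("0135", "oles")

def skeleton(label):
    """Fold a host label so visually similar spellings compare equal."""
    decomposed = unicodedata.normalize("NFKD", label.lower())
    base = "".join(c for c in decomposed if not unicodedata.combining(c))
    return base.translate(DIGIT_SWAPS)

def classify_link(url, trusted="company.com"):
    """Return the reasons a link's host only looks like the trusted domain."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host == trusted or host.endswith("." + trusted):
        return []  # genuinely on the trusted domain
    brand, _, tld = trusted.rpartition(".")
    labels = host.split(".")
    # Simplification: treat the last two labels as the registered domain.
    reg_name, reg_tld = (labels[-2], labels[-1]) if len(labels) >= 2 else (host, "")
    reasons = []
    if reg_name == brand and reg_tld != tld:
        reasons.append("different-tld")
    if reg_name != brand and skeleton(reg_name) == skeleton(brand):
        reasons.append("homoglyph")
    if any(lab.startswith("xn--") or not lab.isascii() for lab in labels):
        reasons.append("punycode-or-non-ascii")
    if reg_name != brand and brand in reg_name.split("-"):
        reasons.append("official-looking-name")
    if host.startswith(trusted + "."):
        reasons.append("trusted-domain-as-subdomain")
    return reasons

# Constructed sample links modelled on the four patterns listed above.
SAMPLES = [
    "https://company.com/login",
    "https://company.net/login",
    "https://c0mpany.net/login",
    "https://c\u00f3mpany.com/login",  # accented "o" in place of a plain one
    "https://company-support.com/reset",
    "https://company.com.supportservices.example/new-password",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, classify_link(link) or "ok")
```

A mail or web filter would run a check like this against every protected domain and would resolve the registered domain with a public-suffix list rather than the two-label shortcut used here.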
Apps are being granted excess permissions.
In the rush to download an app, how often do you click ‘OK’ without reading through the full terms and conditions? Oftentimes, apps can gain access to your pictures, microphone, contacts, etc. without you realizing it. These unnecessary permissions can allow hackers to steal your private information, including passwords and contact lists.
App Permissions Granted:
- Photo Library: 74% of iOS and 41% of Android
- Camera: 65% of iOS and 27% of Android
- Microphone: 32% of iOS and 15% of Android
- Location (always): 31% of iOS and 36% of Android
- Contacts: 28% of iOS and 23% of Android
- Bluetooth: 27% of iOS and 20% of Android
“Well-known problems like malware and ransomware remain major threats, but emerging ones like cryptojacking can also put your organization at risk. Even apps downloaded from official stores can be compromised or introduce vulnerabilities due to poor coding practices,” according to the report.
Malware is a favorite tool for hackers. According to the report, ‘4.5% of Android devices had known malware. That might not sound like much, but it means that if your organization has just 15 devices, then there’s a 50% chance that at least one of them is infected. And if you have 100 devices, that chance goes up to 99%. And one device can be enough to compromise your entire organization.’
Hiding malware within apps is a popular way that hackers trick people into downloading malware. ‘Of organizations that were compromised, 21% said that a rogue or unapproved application had contributed to the incident,’ according to the report.
Hackers use sophisticated techniques to sneak malware-infected apps through official stores without detection. Some apps even have malware pushed to them later via updates.
85% of companies said they were worried about ransomware, while 76% of those felt unprepared. Ransomware remains one of the biggest mobile device security threats, especially now that it has evolved past just locking down files on your device. New variants of ransomware can lock files you have stored in online services such as Google Drive or even publish your private information online.
Other threats for your mobile device include insecure coding, cryptojacking, and patching apps. You can read more about them in the report on pages 23-24.
‘Juice Jacking’ is when criminals load malware onto public charging stations and/or cables, which then infect the phones and other electronic devices of unsuspecting users. These charging stations can be in hotels, airports, or even malls. Once connected, the malware will install itself to export data and passwords or even lock the device.
63% of personal travelers and 79% of business travelers have connected their devices to a public USB port or charging station.
The Dangers of Wi-Fi
Unsecured public Wi-Fi can really come in handy, especially when you need to save your data. However, it can come with some serious security risks. According to the report, “20% of organizations that suffered a mobile compromise said that a rogue/insecure Wi-Fi hotspot was involved. According to Wandera, employees connect to an average of 24 Wi-Fi hotspots per week. It also found that 7% of devices encounter a hotspot that presents a low-to-medium severity risk, and 2% encounter one rated as a high-risk.”
“Don’t allow your phone, computer, tablet, or other devices to auto-connect to a free wireless network while you are away from home. This is an open invitation for bad actors to access your device. They then can load malware, steal your passwords and PINs, or even take remote control of your contacts and camera.” – FBI
Insights by Sector
Financial Services: 47% suffered a mobile compromise
Healthcare: 38% suffered a mobile compromise
Information & Media: 50% suffered a mobile compromise
Professional Services: 27% suffered a mobile compromise
Manufacturing, Construction, and Transportation: 41% suffered a mobile compromise
Public Sector & Education: 39% suffered a mobile compromise
Retail: 30% suffered a mobile compromise
Small and Medium-Sized Businesses: 28% suffered a mobile compromise
You can read about the Insights by Sector in more detail on pages 35-37 of the report.
Improving Mobile Security
“It’s important to start with getting the basics right – creating an acceptable use policy, using strong passwords, encrypting devices, training employees, and securing cloud-based systems. But security isn’t just about keeping attackers out and telling employees what they can’t do. It’s about empowering your people to do more, to innovate and to do their best work,” said Verizon.
Verizon offers an assessment tool that can provide you with some powerful insight on how your mobile security stacks up to other organizations. You can access it here.
Greatly improve your mobile security defense by regularly training and educating your employees.
Do you have any questions or concerns regarding your company’s mobile security? Don’t hesitate to reach out to us via info@augustaITguys.com or 706.426.6313.