With more collaborative ways of working, multiple devices (PCs, smartphones, tablets, etc.) and smart objects (IoT), today’s business environment is complex, and makes it even more difficult to enforce security policies.
Cyber criminals understand this very well, and are now moving away from servers and computers to target mobile devices and the IoT. In its 2017 report, computer manufacturer HP (1) indicates that 64.9% of organizations see an increase in threats against their mobile devices.
Mobile uses within organizations
“My entire life is stored in my smartphone.” Today, employees store personal and professional information on their smartphones, regularly travel abroad and frequently connect to public Wi-Fi networks.
In addition, the BYOD (Bring Your Own Device) trend is becoming a habit that is both popular with and appreciated by employees. It is tempting to carry habits from the private sphere over to the office, using personal tools, including applications that are not suitable for professional use, and even less so for sensitive communications.
This is at the root of the problem with Shadow IT.
Depending on their policies, organizations may also deploy COPE (Corporate Owned, Personally Enabled) devices or CYOD (Choose Your Own Device). These are the kinds of deployments that complicate the security approach and accentuate the need to secure mobile devices.
New mobile threats against your organization
These practices increase the risk that exchanged information is intercepted, disclosed or compromised, as well as the risk of identity theft.
- “Physical access” threats and risks. The loss and theft of a smartphone or tablet create a risk of data theft (contact lists, emails, attachments, photos) and identity theft through physical hacking.
According to the latest Symantec report, only 20% of Android OS devices are up to date and would benefit from the latest security developments. 13% of cyber attacks are associated with the loss or theft of a device, and bear remediation costs of around €620,000 according to a Ponemon Institute study (2).
- Network threats. Trips abroad and connections to public Wi-Fi networks create a risk of data interception and theft by remote hacking. 81% of organizations have experienced security problems associated with the use of Wi-Fi in the past 12 months (3).
Attacks via Wi-Fi are in fact the most common network threat. Baptiste Robert, the famous ethical hacker, demonstrated last April that it was possible to access the personal information of users connected to a public Wi-Fi network at a produce market in the heart of Toulouse, France, with only a few clicks. And unfortunately, his abilities as an expert programmer even increase the range of possibilities. €250 is the price of a mobile interception on the Dark Web! Available to anybody… Phishing (by SMS or WhatsApp) is also a remote but widespread attack.
- Application threats. Increased access to applications (business and consumer) on BYOD and COPE devices reinforces the risk of intrusion into an organization’s information system by a compromised device.
Applications are an entry point to personal and professional data. With short development cycles, direct access to user data, standard security checks by application stores…
Data leaks through mobile apps are the #1 threat to organizations. According to Ponemon Institute (4), 75% of organizations probably fell victim to a cyber attack or data breach in 2017 due to a compromised application.
But 65% of organizations say they would be encouraged to increase application protection measures only after an end user or customer has been negatively affected, and 48% believe that application performance and speed are more important than security! A long way to go…
Mobile threats: a major impact on your organization
These threats result in data and credential leaks, IP traffic interception (email, instant messages), SMS and voice call recording, distribution of malware/ransomware, or device malfunction.
These cyber attacks can serve multiple purposes. From disrupting economic activities to spying and/or selling information (trade secrets and intellectual property, disclosure of confidential information, theft of customer data), blackmail and ransoms, cyber crime does not lack malicious motives, including, of course, damage to reputation, identity theft and associated embezzlement (purchases/fraudulent transfers…).
Today, the consequences are irrevocable. The new GDPR legislation enacted in May 2018 specifies penalties reaching 4% of global turnover.
Punishment from users, customers and citizens could be even more severe. Gemalto revealed that 64% of consumers would not do business again with a company that fell victim to a data breach involving the theft of financial information!
It is a stark warning to companies that have not yet taken the full measure of the consequences. In 2016, the Chamber of Commerce of Occitanie revealed that 60% of SMEs/SMIs affected by cyber attacks were undergoing liquidation proceedings shortly thereafter…
How to protect yourself from these mobile threats?
Advocating best practices is the first actionable item, including the 10 best practices to prevent the theft of personal data on phones and tablets. Beyond that, reinforcing employee awareness by integrating mobile security into the overall security policy is also essential.
At the heart of a mobile security policy, protection using the correct equipment is another vital component.
But then, new questions arise. Enterprise Mobility Management, Mobile Device Management, Mobile Application Management, Mobile Threat Protection, Secure Smartphone, Encrypted Messaging…
10 simple rules to know, by cybermalveillance.gouv.fr:
- Lock your devices using access codes
- Apply security updates
- Back up your data
- Use a security solution against viruses
- Install applications only from official stores
- Control application permissions
- Do not leave your device unattended
- Avoid public or unknown Wi-Fi networks
- Do not store secret information without protection
- Encrypt all data
How do you make sense of the existing solutions in an ecosystem where offers and results are unclear and remain an obstacle?
Some answers will be provided in our next article: “How to protect against threats targeting the mobile security of your business? – Act II.”
(1) HP report: “Cyber Security and Your Business”
(2) Ponemon Institute study: “2015 Annual Study: U.S. Cost of a Data Breach”
(3) iPass Mobile Security study, March 2018
(4) Ponemon Institute study: Global Application Safety, 2018
(5) Estimate by Rusty Carter, Vice President of Product Management at Arxan