Estimated reading time: 10 minutes

 

How do you keep the cybercriminals out of your organization? This has never been a simple question to answer.

But it used to be simpler.

In the first phase of digital working, IT security professionals would program technical defences into company PCs and servers. They would train their staff to follow strict security procedures.

All of this was feasible because security specialists had a degree of control. Employees typically did their work tasks on approved corporate software. They also used company-issued laptops, which stayed in the office most of the time.

Well, we know what happened next.

 

In the 2010s workers swapped their company-issued laptops for privately-owned mobile devices. They hooked these devices up to cloud-based productivity apps, which they downloaded from public app stores. Later, they even stopped coming into the office, preferring instead to work (and connect) from home networks.

All of this increased the attack surface available to cyber-attackers, and made the task of security teams vastly more difficult.

So how much more difficult is it? And what can be done to keep organizations safe?

In its 2022 Mobile Security Index Report, Verizon tries to reveal the answers. This fifth annual edition was conceived to help chief information security officers (CISOs) assess their organization’s mobile security environment and calibrate their defences. 

It contains the results of a survey of more than 600 people responsible for security strategy, policy and management. The report also shares the insights provided by leaders in mobile device security including Check Point, IBM, Proofpoint and Thales. 

Let’s review its main conclusions…

 

Cybercrime has never been worse

The report starts with a depressing stat. In 2021, America experienced an unprecedented increase in cyberattacks. It quotes the FBI 2021 Internet Crime Report, which reported 847,376 complaints—a 7 percent increase from 2020. The estimated potential losses were more than $6.9 billion.

And the mobile factor? In 2022 45 percent of companies surveyed said they had suffered a compromise involving a mobile device in
the past 12 months.

And working from home is fuelling the rise in attacks

The Verizon report quotes a survey by Proofpoint that says 68 percent of people have started working from home either full or part time. This might suit people’s work-life balance, but it is not good news for enterprise security. 

The report found 79 percent of respondents agreed that changes to working practices had adversely affected their organization’s cybersecurity.

The ‘bring your own device’ factor is the big challenge. Securing BYOD devices is much more difficult than securing company-owned devices with a mobile device management (MDM) solution in place. But in the work from home era, what choice do employers have?

The survey disclosed that 70 percent of companies currently have a BYOD policy. But, tellingly, half said that they’d adopted it during
lockdown. What’s more, 41 percent allow employees to use their own phones/tablets to access corporate systems and data (BYOD). 60 percent allow employees to access email on their own devices. 

Mobile used to be quite secure. It’s not now.

It’s worth remembering that mobile devices were once regarded as pretty resistant to attacks. A decade ago, it was BlackBerry that ruled the corporate mobile market. Its BlackBerry Enterprise Server backend put security first. But over time Apple and Google emerged to dominate the consumer space. Inevitably, corporate users followed and this security-first approach was lost.

 

So corporates are spending more on cyber-security

77 percent of respondents said that their security spend increased over the year. More than a fifth said that it had increased significantly. And most of this spend was on existing user activities rather than on ‘new things’.

Criminals are targeting mobile apps

The idea that “there’s an app for that” has made people’s lives easier and more fun. But the app also offers an entry point for bad actors into millions of phones. In the report, Verizon confirmed that 48 percent of those who suffered a mobile-related security breach said that app threats were a contributing factor. 

The threats are well known. People are tricked into downloading apps loaded with malware. In 2021, the percentage of organizations
that experienced the installation of malware on a remote device doubled from 3 percent to 6 percent.

Even non-malicious apps can be a threat, when they ask for permissions they don’t need. Criminals frequently publish ‘harmless’ free apps such as torches, which request access to, for example, the camera or microphone. They then use this to gather sensitive data. 

 

Attackers know that people, not devices, are the security weak point

While it’s always good policy to put technical protection in place, it’s arguably even more important to train staff. Regrettably, 44 percent 
of organisations don’t give employees security training on a regular basis.

Why is this a problem? Because the vast majority of successful attacks arise from human behaviour. According to the report, 82 percent of breaches in the year happened because of stolen credentials, phishing, misuse or simply human error. 

Indeed, it seems that phishing is now ubiquitous. In 2021, five out of six organizations confirmed that they had experienced an email-based phishing attack that tricked users into risky action, such as clicking a bad link, downloading malware, providing credentials or
executing a wire transfer.

As the report says: “The sad fact is that many attackers don’t hack into systems. They log in.”

The ‘great resignation’ is a security nightmare

Much has been written about the mass exodus prompted by lockdown and the reflective effect on employees. It prompts the question: what happens to all that company data when a person leaves a place of work?

The answer is quite alarming. Verizon quotes research by Lookout that says around one in six departing employees uses a personal cloud storage app to take company information with them. 

It also refers to a report which revealed that a small number of employees appear to harvest huge amounts of employer data before they leave. Of the users who uploaded files to their personal devices, half uploaded more than 5x the normal volume, 8 percent uploaded 100x more and one percent uploaded 1,000x more.

Anyone can use a public network…including hackers

The availability of cloud services has certainly made it easier for people to work remotely by mobile. But to access the cloud, they have to connect by home or public networks. This offers a new vulnerability for attackers to exploit. They can intercept traffic through man-in-the-
middle (MitM) attacks or lure employees into using rogue wi-fi
hotspots or access points. 

 

In the report, 52 percent of those that had suffered a mobile-related
security breach said that network threats were a contributing factor. Yet less than a third of organizations (32 percent) ban the use of public Wi-Fi, and only about half (52 percent) do anything to enforce that policy.

Zero trust is gaining ground as a security defines

Companies are learning that good cyber security can be an approach as well as a series of technical practices. This explains why so many enterprises are now investigating the Zero Trust network access idea. 

ZTNA assumes every device, app or system can be compromised. So it grants users access only to the apps they need to perform their jobs. It also isolates device, app or system to certain parts of the network, which remain inaccessible via the internet.

82 percent said of respondent in the report said that they had adopted or were actively considering adopting a Zero Trust approach to security.

Here is a best practice guide for making ‘work from home’ secure

If work from home and BYOD is the new norm then enterprises are going to have to deal with it. Needless to say, there are simple measures they can take to tighten up their defences. Here’s the Verizon report’s simple guide to BYOD security.