Employees’ privacy, personal identities and privileged access credentials are at risk because enterprises are sacrificing security to get more work done. While 85% of enterprises have a dedicated budget for mobile security, just over half, 52%, have sacrificed the security of mobile and IoT devices to “get the job done” and meet tight deadlines or achieve productivity targets. Verizon’s Mobile Security Index (MSI) for 2022 discovered a 22% increase in cyberattacks involving mobile and IoT devices in the last year. Verizon interviewed 632 security and risk professionals based in Australia, the U.K. and the U.S.
Mobile attacks are becoming more severe
Mobile attack severity levels are at levels that Verizon’s research team claims not to have seen since they began the security index years ago. Enterprises that report mobile security attacks have a long-lasting impact jumped from 28% last year to 42% this year, a 33% jump in twelve months. While nearly a quarter of enterprises experienced a mobile security compromise last year, the majority, 74%, say the impact was significant.
Sacrificing security for productivity
“During the last two years specifically, many organizations sacrificed security controls to support productivity and ensure business continuity,” Shridhar Mittal, CEO, of Zimperium, in the company’s 2022 Global Mobile Threat Report. As a result, Verizon’s security team of experts said it “wasn’t surprised to hear that over half of respondents said they’d sacrificed mobile device security.”
While 66% of 632 security professionals Verizon interviewed globally said they’d come under pressure to sacrifice mobile device security “to get the job done,” 79% of them succumbed to the pressure. That equates to over half, or 52%, of all security professionals choosing to sacrifice security for speed.
Trading off security for speed and productivity underscores why cybersecurity budgets are a business decision that affects every area of a company’s operations — and employees’ identities.
“For businesses — regardless of industry, size, or location on a map — downtime is money lost. Compromised data is trust lost, and those moments are tough to rebound from, although not impossible,” said Sampath Sowmyanarayan, CEO at Verizon Business. “As a result, companies need to dedicate time and budget to their security architecture, especially on off-premise devices. Otherwise, they are leaving themselves vulnerable to cyberthreat actors.”
Common mobile device attack patterns
Hacking an employee’s mobile device that’s also used for accessing corporate networks is a goldmine for cyberattackers. Additionally, identity theft, stealing credit card and banking data, and gaining privileged access credentials to corporate networks are used by cyberattackers to create fraudulent credit card, home loan and small business loan applications.
The Small Business Administration’s (SBA) pandemic loans are one significant place where cyberattackers have stolen identity data from phones. The U.S. Secret Service has been able to retrieve $286 million in funds obtained by cyberattackers using stolen identities. Since this began, the SBA has provided guidance on what steps people can take to protect themselves from scams and fraud.
Cyberattackers are after employees’ private data, identities and privileged access credentials
Mobile cyberattacks are lethal because they strike at the intersection of a person’s identity, privacy and professional life. Therefore, continuous employee cybersecurity training is crucial today. In addition, cyberattackers use many strategies to access the phone’s most valuable data, such as the following.
Supply chain attacks on Android and iOS apps
Proofpoint’s researchers found a 500% jump in malware delivery attempts in Europe earlier this year. Cyberattackers and gangs collaborate to get mobile malware inserted into apps, so thousands of users download them daily. In addition, tens of thousands of employees working for enterprises may have malware on their phones that could compromise an enterprise network.
Of the two platforms, Android is far more popular for this attack strategy because the platform supports many app stores and it’s open enough to allow side-loading apps from any site on the Web. Unfortunately, that convenience turns into a fast lane for cyberattacks, which can compromise an Android phone in just a few steps. For enterprises and their senior management teams, that’s something to monitor and evaluate phones for.
Conversely, Apple doesn’t allow side-loading apps and has tighter quality controls. However, iPhone still gets hacked and, for enterprises, cyberattackers can get on the network and start moving laterally in as little as one hour and 24 minutes. Potential data compromises on Amazon’s Ring Android app, Slack’s Android app, Klarna and others are a case in point.
SMS texts that contain links to install malware
This is another common strategy cyberattackers use to get malware onto mobile devices. It’s been used for years to target the senior management teams of large corporations, hoping to gain privileged credentials to corporate networks. Cyberattackers mine the dark web for senior management members’ cell phone numbers and regularly rely on this technique to implant malware on their phones. Therefore, the Federal Trade Commission’s advice on recognizing and reporting spam text messages is worth reading and sharing across senior management teams, who most likely have already seen this attack strategy in their IM apps.
Phishing continues to be a growing threat vector
Verizon’s Data Breach Investigations Report (DBIR) has covered phishing for 15 years in its research, with Verizon’s latest MSI finding that, “83% of enterprises have experienced a successful email-based phishing attack in which a user was tricked into risky activities, such as clicking a bad link, downloading malware, providing credentials or executing a wire transfer. That’s a huge increase from 2020, when the number was just 46%,” according to Verizon’s 2022 report.
Additionally, Zimperium’s 2022 Global Mobile Threat Report found that 75% of phishing sites targeted mobile devices in the last year.
Mobile security needs to redefine itself with zero trust
Treating every identity as a new security perimeter is essential. Gartner’s 2022 Market Guide for Zero Trust Network Access provides insights into security teams’ need to design a zero-trust framework. Company leaders should consider how best to get started with a zero-trust approach to securing their mobile devices, starting with the following recommendations.
Zero trust and microsegmentation will define long-term mobile security’s effectiveness
How well mobile devices are included in microsegmentation plans is partly attributable to how well an enterprise understands application mapping. Using the latest series of tools to understand communication paths is essential. Microsegmentation is one of the most challenging aspects of implementing zero trust. To get it right, start small and take an iterative approach.
Enable multifactor authentication (MFA) across every corporate and BYOD device
Leading unified endpoint management (UEM) platforms, including those from VMware and Ivanti, have MFA designed into the core code of their architectures. As MFA is one of the main components of zero trust, it’s often a quick win for CISOs who have often battled for a budget. In defining an MFA-implementation plan, be sure to add in a what-you-are (biometric), what-you-do (behavioral biometric), or what-you-have (token) factor to what-you-know (password or PIN code) authentication routines for mobile devices.
Define secure OS and hardware requirements for approved BYOD devices
Enterprises get into problems by allowing too many variations of devices and OS levels across their fleet of third-party devices on corporate networks. Standardizing on a standard OS is best, especially on tablets, where many enterprises are finding that Windows 10 makes managing fleets of devices more efficient on UEM platforms.
Down-rev and legacy mobile devices with implicit trust routines designed into the firmware are a security liability. They’re targeted with Meltdown and Spectre attacks. Most legacy mobile devices lack the patches to keep them current, so having an entire fleet on the latest hardware and OS platforms is critical to security.
Manage BYOD and corporate-owned mobility devices with UEM
Adopting a UEM platform is essential for ensuring every mobile device is secured at parity with all others. Advanced UEM platforms can also provide automated configuration management and ensure compliance with corporate standards to reduce the risk of a breach. CISOs are pressuring UEM platform providers to consolidate their platforms and provide more value at lower costs.
Gartner’s latest Magic Quadrant for Unified Endpoint Management Tools reflects CISOs’ impact on the product strategies at IBM, Ivanti, ManageEngine, Matrix42, Microsoft, VMware, Blackberry, Citrix and others. Gartner’s market analysis shows that endpoint resilience is another critical buying criterion.
Leaders in endpoint security include Absolute Software’s Resilience platform, Cisco AI Endpoint Analytics, CrowdStrike Falcon, CyCognito, Delinea, FireEye Endpoint Security, Venafi, ZScaler and others.
Automate patch management across all corporate and BYOD devices
Most security professionals see patch management as time-consuming and overly complex, and often procrastinate at getting it done. In addition, 53% said that organizing and prioritizing critical vulnerabilities takes up most of their time. Earlier this year at RSA 2022, Ivanti launched an AI-based patch intelligence system. Neurons Patch for Microsoft Endpoint Configuration Monitor (MEM) relies on a series of artificial intelligence (AI)-based bots to seek out, identify and update all patches across endpoints that need to be updated. Other vendors providing AI-based endpoint protection include Broadcom, CrowdStrike, SentinelOne, McAfee, Sophos, Trend Micro, VMware Carbon Black, Cybereason and others.
One mobile device being compromised is all it takes
As is the case with microsegmentation, which is a core component of zero trust, CISOs and their teams need to take the perspective that a cyberattack is inevitable. While Verizon found that 82% of security professionals say their organizations are adopting or actively considering a zero-trust approach to security, the majority sacrificed security for speed to get more done.
With mobile attacks becoming more lethal and focused on obtaining privileged access credentials, security leaders must face the sobering fact that all it takes is one mobile device to be compromised to have an infrastructure breach.
By Louis Columbus / Originally published on VentureBeat