HIT Think

Why organizations must make mobile security a priority in 2019

It’s not a matter of if; it’s a matter of when. Ominous? Absolutely. But steeped in hard facts.

To be fair, as a security researcher, I deal with facts all the time. It’s from these facts that I can determine what can and should be done in a particular situation.

Here are the facts:

  • According to the GSM Association, a trade body that represents the interests of mobile network operators worldwide, there are more than five billion mobile devices in the world. Approximately 3.7 billion of them have internet accessibility.
  • Per the RSA Fraud & Risk Intelligence Service, more than 70 percent of online fraud is now mobile.
  • Verizon’s Mobile Security Index 2019 states 33 percent of companies admitted to having suffered a compromise involving a mobile device and the majority of those affected said that the impact was major. In addition, as mobile devices increasingly have access to sensitive business and customer data, 67 percent of organizations said they are less confident of their security than their other IT assets.

The reality is, while there may be a debate as to whether the proliferation of internet accessible mobile devices will continue to increase, the amount of data and information - both personal and professional - found on mobile devices is staggering. And therein lies the proverbial carrot for hackers.

Unfortunately, most users of mobile devices are completely unaware their devices are being attacked because there are very few, if any, telltale signs their device has been compromised. Many attacks start with the most used feature on a mobile device: the WiFi connections.

Mobile-developer.png

The challenge is, WiFi relies on mostly insecure protocols and standards, making them easy to impersonate or intercept, mislead and redirect traffic. This can be done independently on how new or updated your device is; it’s only related to how the underlying WiFi infrastructure works.

There are times when you don’t even need to perform any action to have an attack on you perpetrated. Do you remember that WiFi network you connected to while having lunch the other day? To make your life easier, your device will connect to it automatically if it recognizes the network. Even when it’s not the same network, it just has to claim to be it.

From over in the corner, the hacker effortlessly hijacks your session, captures your credentials, delivers a targeted exploit and assumes full control of every function on your smartphone—including those that login to your company’s Wi-Fi—and send emails in your name.

This year, Zimperium attended Mobile World Conference (MWC) in Barcelona and RSA in San Francisco—the attendance for the two shows combined was more than 150,000 executives, salespeople, media and others.

At MWC, we detected more than 7,000 threats in less than four days. Furthermore, 25 percent of those threats were detected in hotels, and of those, 70 percent were at 5 Star Hotels. At the RSA show for security professionals, we detected more than 17,000 threats in less than four days.

Attacking your WiFi is just the beginning. You’re commuting to work when an email that appears to be from your boss arrives with a PDF attached. It’s marked as “urgent.” You open the PDF, unwittingly letting malicious code slip onto your smartphone. After you find out that the email was a fake, it’s too late. Your smartphone has been compromised, audio and video recordings have been made, and access to your cloud applications and other services has been compromised.

Or you download a mobile game, which your antivirus clears from all suspicions, as it doesn’t contain any malicious code. However, it contains a trigger to download malicious code, and after the game has been installed, inside its own sandbox and no longer seen by your top-of-the-line antivirus, this is exactly what it does. Malicious code is downloaded, activating an elevation of privileges (EoP) command to give the hacker full control over your smartphone.

These examples are quickly becoming the rule, not the exception. There are organizations that only address security on laptops and computers, and in some instances, amounting to only 40 percent of an organization’s endpoints. These companies have likely already been breached and are unaware of it. It’s critical to treat mobile endpoints like traditional endpoints and deploy mobile security technology to give you visibility and protection.

The good news is that many organizations are realizing mobile devices are an unprotected endpoint with access to or containing all of the information of a traditional endpoint. According to Gartner’s “Market Guide for Mobile Threat Defense” Report, as mobile threat defense (MTD) solutions mature, security departments are becoming the main buying center, rather than mobility or IT operations. This means companies are realizing that the need to protect their assets is very real and is evolving.

Leading organizations understand while there are some overlaps in what you protect—email, calendars and the like—the way you solve the traditional endpoint security problem is completely different than how you solve the mobile security problem.

For reprint and licensing requests for this article, click here.