According to a recent study by a leading cybersecurity company’s research division, more than 16 million people reported malware threats in 2017. By the second quarter of 2018, they detected close to 2.5 million new pieces of mobile malware. Mobile security threats target not only smartphones but also other portable digital devices, including laptops, wearables, and PDAs (personal digital assistants), that can connect to public networks.
That brings us to another real threat — that of corporate data breach. In 2018, corporate data breaches cost global corporations a total of $3.86 million. The cost of mobile data security breaches is increasing each year. However, it forms only the tip of the iceberg. Here’s a guide for tech leaders to understand these threats, and make sure they empower their organizations to keep mobile data secure in 2019.
Data leakage because of end-user mistakes
This year will see new challenges for all mobile users. Leading companies face around a 28 percent chance of experiencing a data breach in 2019 and 2020. Notably, data leakage is often a result of the user’s indiscretion as opposed to malware attacks. The user is responsible for giving certain apps, from untrusted sources, access to their personal information as well as the corporate data on their devices. One potential solution is to install mobile threat defense solutions that can vet mobile apps quickly and seamlessly for all mobile devices. However, that won’t prevent data loss from company databases in the event of user error.
A simple data transfer from a secure database to a public cloud or sending emails containing company data to the wrong recipient can cause leakage of important data. The only way to protect data from these types of leakages is to leverage data loss prevention (DLP) tools.
Public WiFi and ‘man-in-the-middle’ attacks
We are all guilty of using public WiFi networks at the airport and cafés. We usually deem the network at our beloved Starbucks and public places to be safe, but that is rarely the case. According to a recent study, corporate mobile phones hook up to WiFi three times as much as they use mobile data. Research also shows that of all the mobile phones the experts studied, at least 25 percent connected to open and potentially unprotected networks, while 4 percent of them actually experienced man-in-the-middle attacks. “Man-in-the-middle” is a form of manual and deliberate attack in which a person intercepts the communication between two or more parties. It can leave your email, messenger, and even your SMS conversations wide open for attackers to leverage.
According to security experts, people rarely fortify their privacy before connecting to the web from public WiFi. Unless you have a trusted VPN service, it is unwise to use public WiFi to send out official emails or corporate data. Cybercriminals can intercept sensitive information, including your customers’ bank details, credit or debit card details, or social security numbers, with ease. Even an action as simple as accessing a news website might not be safe when you are using public WiFi. Some websites do not have an SSL certificate, or they use encryption only on the sign-in page. When you use a public WiFi network that does not require a WPA or WPA2 password, hackers on the same network can see whatever you see and send. Without encryption, your login credentials and other personal information are left unprotected against downloadable hacking tools.
Social engineering phishing attacks
An astonishing 91 percent of all cybercrimes begin with a seemingly benign email that every software security firm refers to as “malware-less attacks.” Social engineering was once restricted to desktop users only, but the evolving technology has extended the threat to smartphone users as well. While it is a textbook technique that a lot of people deem ineffective, it works well for cybercriminals.
The senders of these emails impersonate genuine contacts of the recipient to gain access to their bank details and other sensitive personal data. In 2017, phishing attacks grew staggeringly by 65 percent. Research shows that mobile users are more vulnerable to phishing attacks, since most email clients on mobile devices only show the sender’s name and not their entire email address. Impersonation can include sending emails from an address that is slightly different from that of the friend, family member or acquaintance of the recipient.
Mobile users are about three times more likely to respond to a phishing email than desktop users. Using the same device to access multiple email addresses increases the chances of a person mistaking a spoof email for a genuine one. As the lines between personal and professional computing keep blurring, the instances of social engineering keep increasing. Unless a person checks the sender’s credentials carefully, it is almost impossible for him or her to prevent phishing attacks.
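Added example, not part of the original article: a Python sketch of the sender check this section describes, looking past the display name to the full address and flagging addresses that differ only slightly from a known contact's. KNOWN_CONTACTS, assess_sender and every name and address below are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed address book: display name -> address the user has verified.
KNOWN_CONTACTS = {
    "Dana Whitfield": "dana.whitfield@example.com",
    "Accounts Payable": "ap@example.com",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]

def assess_sender(from_header: str, contacts=KNOWN_CONTACTS, max_distance: int = 2):
    """Return impersonation indicators for a raw From: header value.

    An empty list means no indicator was found; it does not mean the
    sender is trusted.
    """
    name, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    if "@" not in addr:
        return ["malformed"]
    known = {a.lower(): n for n, a in contacts.items()}
    if addr in known:
        return []  # exact match with a verified address
    findings = []
    for real_addr, real_name in known.items():
        # The display name is all a mobile client shows, so a familiar
        # name on an unfamiliar address is the primary signal.
        if name.strip().casefold() == real_name.casefold():
            findings.append(f"display-name-spoof:{real_addr}")
        # An address within a few edits of a verified one is a lookalike.
        if edit_distance(addr, real_addr) <= max_distance:
            findings.append(f"lookalike-address:{real_addr}")
    return findings

if __name__ == "__main__":
    for header in ("Dana Whitfield <dana.whitfield@examp1e.com>",
                   "Accounts Payable <billing@unrelated.test>"):
        print(header, "->", assess_sender(header))
```

A fixed edit-distance threshold also flags short legitimate addresses that share a domain with a contact, so in practice the threshold would be scaled to address length or applied to the domain part only.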
Cryptomining contributed to 33 percent of all mobile security threats in 2018, and cryptojacking is a new member on the long list of security threats to mobile devices. It involves a person using a mobile device without the owner’s knowledge to mine for cryptocurrency. It is a technique of using someone’s device, without permission or authority, for someone else’s profits. The phones that experience cryptojacking attacks usually suffer from short battery life and overheating problems. Cryptojacking on desktops began in early 2017, but it moved to mobile devices by 2018. Between October and November 2017, mobile-security attacks made new records when they surged by 287 percent.
These attacks cooled down significantly after the Apple App Store and Google Play Store banned all suspected applications by the middle of 2018. However, some attacks still occur through mobile websites and third-party, unofficial applications.
Outdated mobile devices and software
It is safe to say that in a world dominated by the Internet of Things (IoT), you need to keep all your PDAs in top shape. That includes regular firmware and software updates. The IoT ecosystem connects mobile phones, tablets, smart TVs, smart speakers, laptops, and desktops. It creates the perfect opportunity for hackers to take a sneak peek at your mélange of personal data. It is especially true in the case of all Android devices. They are always a little tardy on their updates. Sometimes the OS updates come months before the final security patches, leaving a gaping hole for the intruders to take a look at the user’s personal and sensitive data. With the surge in the number of work-related IoT devices, the cost of data breach is expected to catapult in 2019.
A recent sponsored study showed that 82 percent of the participating IT professionals were concerned about imminent data leakage incidents due to the unsecured IoT devices at their workplace. At this point, it is up to the company or corporation to build robust security policies about IoT devices in the workplace and mobile data transfer to keep their data safe.
Physical mobile security breaches
These are often underestimated by most security firms and mobile users, but physical device breaches are real threats when someone misplaces their smartphone or PDA. Almost 50 percent of mobile device users do not use a PIN or biometric security to secure their personal or work data. Many mobile users also share passwords and PINs via messaging systems and emails. That makes them especially vulnerable to physical breaches in the event of theft or misplacement.
Basics of mobile security
At the end of the day, using the latest smartphone or laptop models is not enough to protect data. You need to take responsibility for the safety of your business users’ information and the security of their devices. If you don’t want to invest in a VPN service, don’t log in to your bank account, financial website, online business, email accounts, and so on when using public WiFi or an open network. It is easy to make assumptions about the safety of mobile devices, but it is easier for hackers to get a hold of mobile data in this era of evolving technology.