Will the next major data breach start on mobile?
Over the past few years, we have seen a spike in major data breaches at noteworthy businesses such as Target, Home Depot, and Sony (to name just a few). While data breaches continue to dominate headlines, the news often focuses on the cost to the business and consumers. What is often missing is the detail on how attackers gained access to the organization in the first place.
There are far more data breaches than we hear about because if customer data wasn’t compromised, companies are typically not mandated to share their stories. That being said, one thing is for sure: attackers are becoming more sophisticated and finding new ways to dodge company security to access important data.
One area businesses should look at more closely when considering data security is mobile. Our mobile devices know a lot about our personal lives (where we live, where we bank, and who our friends and family are) and have direct access to company networks and data, making them an especially appealing target channel for attackers. We see evidence of this today: according to a new survey of security experts conducted by the Ponemon Institute and Lookout, security professionals say a mobile device was likely the root of a data breach in their organization.
Mobile devices are the tip of the spear
Mobile devices have many attractive entry points that are easier to exploit than their PC counterparts. Just consider the nature of mobile devices: they are always “on” and have a consistent set of features, including microphones, high-resolution cameras, embedded GPS and multiple network types (Wi-Fi, cellular and Bluetooth), which makes them an ideally designed surveillance tool.
The average smartphone also has the capacity to hold gigabytes of data. This data is often highly sensitive and valuable, especially when you consider the prominence of BYOD programs and mobile devices entering the workforce for enterprise and governments alike.
In addition, mobile devices, even when corporate owned, are typically personal. As such, users often have personal email or social channels on their devices and are more willing to follow links or open attachments that they would usually avoid on their corporate PC. Furthermore, mobile phishing attacks can come through a number of channels: classic email, SMS messages, and even apps that are made to look like they come from well-known brands but instead trick people into handing over their information.
What should an organization do to protect itself in a mobile world?
Having the ability to do business on the go is essential to productivity, employee satisfaction and retention. When thinking about mobile security, businesses have traditionally looked to locking down devices instead of enabling productivity. Companies should instead embrace the consumerization of IT and avoid hampering the user experience.
If an organization is already using a large number of mobile devices, then it has probably already figured out that a successful mobile security program delivers a consumer-like user experience, embraces the mobile ecosystem (new apps and new ways of working) and enables flexibility in a manner that does not intrude on employee privacy.
In addition, it’s essential to build a mobile defense strategy that will keep your network safe:
- Ensure devices are protected from malicious attacks and data leakage
- Where possible, maintain device configuration using mobile device management
- Provide connectivity through a segmented network dedicated to mobile devices
The old, traditional approach to security doesn’t work anymore. A whitelist/blacklist method won’t work in today’s landscape. Security needs a technologically layered approach and involvement from top to bottom, with C-level leaders setting a precedent and employees receiving education. Organizations need to act now, ensuring they have visibility and protection, before they are in the next major breach headline.