An enterprise’s biggest problem when it comes to data compromise isn’t just technologies that are vulnerable, it’s how their employees use technology.
Digital transformation, the mobile workforce, and the plethora of mobility programs (BYOD, COPE, etc.) both managed and unmanaged, have created an environment where employees have more choice than ever over the devices and apps they use.
As individuals increasingly rely on mobile devices, the amount of personal and corporate data these devices access has increased exponentially, turning the mobile device into a valuable target. Employees use their corporate credentials to sign into enterprise apps, view sensitive emails and PDFs on the go. Employees are choosing their own apps that are not vetted by IT to access sensitive corporate data across networks not managed by IT. Adopting mobility has made the traditional perimeter obsolete.
Security teams have less visibility into where data is sent or stored, as without the traditional perimeter they do not have the same security and control on mobile as they do on PCs. This is particularly concerning as employees further embrace mobility.
In this new environment of increased mobility, enterprises are exposed to a new spectrum of risk as it relates to corporate data leakage and regulatory compliance. For example, among enterprise mobile devices protected by Lookout, from Q4 FY16 to Q1 FY17, over 30 percent of apps on employee devices accessed location data. In addition, because of mobile devices’ unique consumer-centric user interface, employees are more likely to tap links in socially engineered phishing emails, SMS, or other messaging apps.
Below are three examples of how typical mobile behaviors can lead to corporate data compromise.
Using apps that leak data
A great deal of mobile apps use pre-built open source libraries. and are not coded from scratch. This means they are often a mash-up of different APIs and services. These apps are not inherently malicious, but should still be of high concern to an enterprise. For example, apps that access employee personally identifiable information (PII) may not be classified as malware, but could send PII off the device to an insecure location or may not properly secure the data in transit, presenting a compliance challenge for the enterprise. In fact, Lookout found that 30 percent of all apps access contacts across enterprise iOS devices.
Mobile productivity apps often need access to device components or data to function. A teleconference app, for example, will require access to the microphone. Conversely, some apps aggressively seek access to data that may not be necessary to perform its functionality.
Regardless of intent, it is important for enterprises to understand the data apps are accessing and sending off the device, and how that could lead to a corporate data breach. The six types of app behaviors that Lookout considers potentially harmful are:
- Access to sensitive data
- Data exfiltration
- Use of cloud services
- Data sovereignty violations
- Insecure data handling
Connecting to unsafe Wi-Fi
In order to save money on data, ensure faster web speeds, and to gain access to the Internet while traveling, employees are regularly connecting to both public and private Wi-Fi networks. Whether at the local coffee shop, the streets of a major city, or at the airport, public Wi-Fi is a staple for employees working on the go.
When employees are connecting to Wi-Fi, many are frankly unaware of the threats, and engaging in behaviors that might put corporate data at risk. They accept permissions, download apps, and install configuration profiles with root Certificate Authorities (CAs).
The more frequently employees connect to public Wi-Fi, the greater the risk to enterprise data. Traveling employees may take advantage of public Wi-Fi and connect to a misconfigured router, unknown captive portal, or a network that decrypts traffic for content filtering. Even when employees are careful about picking networks they trust, devices auto-connect to networks they are familiar with, which makes it easy for bad actors to spoof the network and siphon off data.
Man-in-the-Middle attacks happen on the mobile device surprisingly frequently and are quite sophisticated. Of the enterprise devices Lookout protects, 8 in 1000 have encountered a Man-in-the-Middle attack where the bad actor was actively attempting to decrypt the communication.
Getting phished is more likely
Ninety-one percent of cyberattacks start with a phishing email, according to a recent report from PhishMe. Beyond that, Lookout found that 1 in 10 devices in our personal network have visited a phishing URL in the past year.
Mobile devices have a simplified, consumer-centric user interface, employees tend to be more likely to get phished, e.g., hovering over a shortened URL to see the full address won’t work on mobile. And, mobile browsers obscure website URLs both by hiding the address bar while a user is scrolling and limiting the number of characters displayed in the address bar by the width of the screen. In fact, users are three times more likely to enter their credentials on a mobile phishing page compared with desktop users, according to a study by IBM.
On mobile these attacks typically take the form of SMS messages, emails, and messages through popular social and communications apps targeting both personal and corporate accounts. Phishing on mobile is also more effective than on the PCs because traffic typically does not flow through the traditional corporate perimeter that contains phishing defenses. Not to mention, security teams have little visibility or protection against phishing attacks targeting personal accounts since this would be a breach of employee privacy.
Secure mobility starts with visibility
These instinctive ways that employees use their devices shouldn’t be the reason CISOs steer away from enabling mobility. In fact, it’s the inherent simplicity of mobile devices that delivers real productivity gains and employee satisfaction/benefits. Employees can achieve a better work life balance, access work from anywhere, and use tools they individually find particularly helpful.
Security awareness training is a critical tool in making sure employees understand the larger risks they face on mobile. These types of awareness programs can be a cost effective form of mitigating insecure practices, and are often required by regulations including Sarbanes Oxley, ISO 27001, and PCI DSS. However, it’s largely impossible for employees to really know how data is handled by the apps on their device.
Even with training, employees are still at risk because they’re often using their personal mobile devices for work, and these devices are much more likely to be configured in ways that conflict with an organization’s security policy. Mobile is an especially high risk vector because these devices are personally enabled and have a consumer-centric user interface. In addition to training, it’s essential to have a comprehensive mobile security solution that gives visibility into when mistakes happen.