The percentage of companies admitting to suffering a mobile-related compromise has grown (39%, when compared to last years’ 33%) despite a higher percentage of organizations deciding not to sacrifice the security of mobile and IoT devices to meet business targets, Verizon has revealed in its third annual Mobile Security Index report, which is based on a survey of 876 professionals responsible for the buying, managing and security of mobile and IoT devices, as well as input from security and management companies such as Lookout, VMWare and Wandera.
The report also shows that attackers hit businesses big and small, and operating in diverse industries, and that those that had sacrificed mobile security in the past year were 2x as likely to suffer a compromise.
66% of those that suffered a mobile-related compromise said that the impact was major, and 55 percent of those companies said that they suffered lasting repercussions.
“Among those in our survey that had experienced a compromise, downtime was even more common as a consequence than loss of data. Financial services companies were particularly concerned about this – 95% said that their customers expect a reliable service and that even a few minutes of unplanned downtime could have an adverse impact on the company’s reputation,” Verizon pointed out.
Phishing continues to be the most common attack type leveraged against all users and it’s getting ever more sophisticated and targeted.
Mobile users are at a disadvantage because red flags are more difficult to spot in emails rendered on mobile devices, but also because phishers are taking advantage of other communication mediums – such as messaging, gaming, social media apps – for which many organizations don’t have filtering in place.
When attendees of a mobile security event were sent a phishing email that purported to be from the hotel they were staying in, offering a free drink at the bar, a whooping 70% opened it and clicked on the link, according to VMware. Similarly, in a test carried out by a Lookout customer, 54% of executives tapped on a malicious link included in an SMS that looked like it was from a hotel they were due to check into.
Hackers are coming up with new and effective pretextes to get targets to click on malicious links, and are coming up with new ways to disguise them:
They are also finding new ways to hide malicious links and text from spam and phishing filters used by email/SaaS providers (one of the most recent is using customized fonts and a simple substitution cipher).
Downloading and installing apps that ask for permission to access all kinds of (potentially sensitive) data represents a risk but malware posing legitimate apps presents a more immediate danger.
“Of organizations that were compromised, 21% said that a rogue or unapproved application had contributed to the incident,” Verizon noted.
Other risks come from insecurely coded apps by reputable companies, mobile cryptojacking apps and the general user inconsistency when it comes to regularly updating their many apps.
For example: six months after WhatsApp announced that users had been subject to a spate of attacks where hackers exploited a buffer overflow vulnerability to run malicious code on victims’ devices (without requiring user interaction), more than 1 in 15 users hadn’t updated and remained susceptible to attack.
Then there are the threats involving the devices: device loss and theft, SIM swapping, juice jacking, unsecured devices open to compromise by physically present attackers (e.g., office colleagues, abusive partners, etc.).
Finally, the network threats: insecure networks, MitM attacks (through rogue access points), etc. Some companies bad employees from using public Wi-Fi to perform work-related tasks but 55% of those who know that public Wi-Fi is prohibited use it anyway, Verizon found.
49% of organizations are now using IoT devices – to enhance productivity, physical security, products and services, and measure the wellness of people – and most adopters consider them critical or very important to the smooth running of their organization.
Almost half of those that Verizon surveyed that were using IoT had at least one full-scale deployment and 33% said they have over 1,000 IoT devices in use. Nearly a third (31%) of those with IoT deployments admitted to having suffered a compromise involving an IoT device.
While the biggest concern at the moment is IoT devices getting conscripted into a botnet, organizations should also be concerned about data tampering and IoT devices being used as a stepping stone to more sensitive data and wider business systems.
The good news regarding IoT is that new regulations are slowly coming into force to help protect businesses, consumers and citizens from IoT-related attacks, and they are expected to push manufacturers into implementing more security in their products, but also organizations into using these features.
“Even though IoT-specific regulations are yet to come into force in most jurisdictions, we’re already seeing a shift in the mindset of organizations. Seventy-four percent of IoT respondents said they have reassessed the risk associated with IoT devices in light of regulatory changes,” Verizon pointed out.