Mobile security is at the top of every company's worry list these days ― and for good reason: Nearly all workers now routinely access corporate data from smartphones, and that means keeping sensitive info out of the wrong hands is an increasingly intricate puzzle. The stakes, suffice it to say, are higher than ever: The average cost of a corporate data breach is a whopping $3.86 million, according to a 2018 report by the Ponemon Institute. That's 6.4 percent more than the estimated cost just one year earlier.
While it's easy to focus on the sensational subject of malware, the truth is that mobile malware infections are incredibly uncommon in the real world ― with your odds of being infected significantly less than your odds of being struck by lightning, according to one estimate. That's thanks to both the nature of mobile malware and the inherent protections built into modern mobile operating systems.
The more realistic mobile security hazards lie in some easily overlooked areas, all of which are only expected to become more pressing in the coming year:

1. Data leakage
It may sound like a diagnosis from the robot urologist, but data leakage is widely seen as being one of the most worrisome threats to enterprise security as we head into 2019. Remember those almost nonexistent odds of being infected with malware? Well, when it comes to a data breach, companies have a nearly 28 percent chance of experiencing at least one incident in the next two years, based on Ponemon's latest research ― odds of more than one in four, in other words.
What makes the issue especially vexing is that it often isn't nefarious by nature; rather, it's a matter of users inadvertently making ill-advised decisions about which apps are able to see and transfer their information.
"The main challenge is how to implement an app vetting process that does not overwhelm the administrator and does not frustrate the users," says Dionisio Zumerle, research director for mobile security at Gartner. He suggests turning to mobile threat defense (MTD) solutions ― products like Symantec's Endpoint Protection Mobile, CheckPoint's SandBlast Mobile, and Zimperium's zIPS Protection. Such utilities scan apps for "leaky behavior," Zumerle says, and can automate the blocking of problematic processes.
Of course, even that won't always cover leakage that happens as a result of overt user error ― something as simple as transferring company files onto a public cloud storage service, pasting confidential info in the wrong place, or forwarding an email to an unintended recipient. That's a challenge the healthcare industry is currently struggling to overcome: According to specialist insurance provider Beazley, "accidental disclosure" was the top cause of data breaches reported by healthcare organizations in the third quarter of 2018. That category combined with insider leaks accounted for nearly half of all reported breaches during that time span.
For that type of leakage, data loss prevention (DLP) tools may be the most effective form of protection. Such software is designed explicitly to prevent the exposure of sensitive information, including in accidental scenarios.

2. Social engineering
The tried-and-true tactic of trickery is just as troubling on the mobile front as it is on desktops. Despite the ease with which one would think social engineering cons could be avoided, they remain astonishingly effective.
A staggering 91 percent of cyber crime starts with email, according to a 2018 report by security firm FireEye. The firm refers to such incidents as "malware-less attacks," since they rely on tactics like impersonation to trick people into clicking dangerous links or providing sensitive info. Phishing, specifically, grew by 65 percent over the course of 2017, the company says, and mobile users are at the greatest risk of falling for it because of the way many mobile email clients display only a sender's name ― making it especially easy to spoof messages and trick a person into thinking an email is from someone they know or trust.
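A mail-gateway check for the display-name spoofing described above, as an added example that is not part of the original article: it compares the name a mobile client would show against the address actually behind it. The directory, trusted domain and sample headers are constructed for illustration.

```python
import unicodedata
from email import message_from_string
from email.policy import default

# Constructed directory: the name a mobile client displays -> that person's real address.
DIRECTORY = {
    "dana whitfield": "dana.whitfield@corp.example",
    "it help desk": "helpdesk@corp.example",
}
TRUSTED_DOMAINS = {"corp.example"}  # assumption: the organisation's own mail domain


def normalise(name):
    """Fold case, Unicode compatibility forms and whitespace so variants compare equal."""
    folded = unicodedata.normalize("NFKC", name).casefold()
    return " ".join(folded.split())


def check_from(raw_from):
    """Return (verdict, shown_name, real_address) for one From header value."""
    # The modern policy decodes RFC 2047 encoded words and splits name from address.
    msg = message_from_string("From: " + raw_from + "\n\n", policy=default)
    addresses = msg["From"].addresses
    if not addresses:
        return ("unparseable", "", "")
    shown = normalise(addresses[0].display_name)
    real = addresses[0].addr_spec.lower()
    # The visible name is itself an address, but not the one the mail came from.
    if "@" in shown and shown != real:
        return ("impersonation", shown, real)
    # The visible name belongs to a known colleague, but the address does not.
    expected = DIRECTORY.get(shown)
    if expected is not None and real != expected:
        return ("impersonation", shown, real)
    if addresses[0].domain.lower() not in TRUSTED_DOMAINS:
        return ("external", shown, real)
    return ("ok", shown, real)


if __name__ == "__main__":
    samples = [  # constructed From headers
        "Dana Whitfield <dana.whitfield@corp.example>",
        "Dana Whitfield <dana.whitfield@corp-mail.test>",
        "=?utf-8?q?IT_Help_Desk?= <support@helpdesk-portal.test>",
        '"helpdesk@corp.example" <reset@helpdesk-portal.test>',
        "Weekly Digest <news@vendor.test>",
    ]
    for header in samples:
        print(check_from(header))
```

A gateway can use the "impersonation" verdict to quarantine a message or to rewrite the From line so the real address is visible on clients that show only the name.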
In fact, users are three times more likely to respond to a phishing attack on a mobile device than a desktop, according to an IBM study ― in part simply because a phone is where people are most likely to first see a message. While only 4 percent of users actually click on phishing-related links, according to Verizon's 2018 Data Breach Investigations Report, those gullible guys and gals tend to be repeat offenders: The company notes that the more times someone has clicked on a phishing campaign link, the more likely they are to do it again in the future. Verizon has previously reported that 15 percent of users who are successfully phished will be phished at least one more time within the same year.
"We do see a general rise in mobile susceptibility driven by increases in mobile computing overall [and] the continued growth of BYOD work environments," says John "Lex" Robinson, information security and anti-phishing strategist at PhishMe ― a firm that uses real-world simulations to train workers on recognizing and responding to phishing attempts.
Robinson notes that the line between work and personal computing is also continuing to blur. More and more workers are viewing multiple inboxes ― connected to a combination of work and personal accounts ― together on a smartphone, he notes, and almost everyone conducts some sort of personal business online during the workday. Consequently, the notion of receiving what appears to be a personal email alongside work-related messages doesn't seem at all unusual on the surface, even if it may in fact be a ruse.

3. Wi-Fi interference
A mobile device is only as secure as the network through which it transmits data. In an era where we're all constantly connecting to public Wi-Fi networks, that means our info often isn't as secure as we might assume.
Just how significant of a concern is this? According to research by enterprise security firm Wandera, corporate mobile devices use Wi-Fi almost three times as much as they use cellular data. Nearly a quarter of devices have connected to open and potentially insecure Wi-Fi networks, and 4 percent of devices have encountered a man-in-the-middle attack ― in which someone maliciously intercepts communication between two parties ― within the most recent