Keeping corporate data safe is a constant challenge for many security professionals. Deploying the most rigorous security stack–including firewalls, intrusion prevention systems, network monitors, data encryption, two factor authentication, anti-virus software and endpoint security–takes a lot of effort. It is also a costly endeavor and one that can be wasted easily because the enterprise often overlooks one crucial access point — mobile phones.
By neglecting these devices, corporate and sensitive data is left open to the same hacker the enterprise tries so hard to keep out by protecting other access points.
Don’t ignore mobile security
In the UK, we’re a nation of smartphone-obsessed individuals. 3 in 4 people now use a smartphone, a number that has nearly doubled in five years according to a recent report from Google. These devices have become a staple of our work life, we take notes on them, take pictures of presentations, book travel and hotels, submit expenses and even join conference calls on them.
There’s very little these handheld pieces of technology don’t do.
Subsequently, it can mean there is more accessible data on them than we even realise, making them the perfect entry point for hackers to take advantage of. In fact, Intuit QuickBooks found that 71% of UK small business owners rely on mobile or web-based applications to run their operations. Despite this, the protection measures businesses take for mobile are not equal to the security measures that are implemented on the likes of PCs, laptops and servers.
If we fail to secure these devices they are at risk of harbouring malware and acting as a gateway for sensitive corporate data to be leaked.
It’s not that the UK doesn’t take cybersecurity seriously, because it’s clear that it does. After all, the Queen officially opened the Cyber Security Centre to aid in the UK’s fight against the growing force of hackers. Ultimately however it is not about the commitment to fight cybercrime, it’s about focusing efforts in the right places.
The mobile threat is real
So why should we take mobile security so seriously? Well, not only are hacks and hackers growing in sophistication, but the wealth of data that is open and accessible through these devices is extremely vast.
Last year, in August, Lookout discovered Pegasus a highly intricate piece of spyware that used three previously unknown vulnerabilities called “Trident’–subverting even Apple’s strong security measures. The spyware was able to access the camera and microphone, intercept text messages and alter existing apps to spy on any encrypted or unencrypted data.
This is the first active mobile threat Lookout had discovered so far that takes control of an Apple device with one-click, marking a new era of mobile hacking. Just think of the enterprise data and insider information a hacker could access using this type of spyware on a prominent security personnel’s phone.
It doesn’t stop there, however. Lookout recently released a deep dive report on ViperRAT, a complex surveillanceware tool which was targeting and spying on the Israeli Defence Force. Not only does this malware collect a significant amount of sensitive information from a mobile device, but the attackers seemed most interested in exfiltrating images and audio content.
Many of the samples are still active and are continuing to covertly copy files of interest from infected devices to attack controlled servers. The level of information the surveillanceware can gather from one device is astonishing – and yet we’re still failing to secure these device for both business and personal use.
With a simple click of a link, or opening an untrusted attachment or even downloading an insecure app, businesses are opening themselves up to breaches. In the first month of January alone attackers compromised over six million accounts. The damage an attack could have on a business is staggering, from revenue loss to reputational damage: it’s time to protect our weakest link.
The next step for the enterprise
The key message is that while security professionals deploy several layers of security for devices, it’s critical they no longer ignore the very real threat of mobile. Today’s increasingly digital world means working remotely is only likely to increase, as will the use of smartphones to access corporate information as employees work on the go.
This means smartphones desperately need the same level of protection we currently install on our desktops and laptops. By failing to address mobile security, it’s wasting time and effort on maintaining other security measures because hackers can still gain access.
G-J Schenk is VP international at Lookout, a global mobile security provider.