Mobile as a threat
Martin Morris discusses the problem of IP theft, data leakage, phishing and Wi-Fi interference be addressed as mobile threat looms large for corporates.
Martin Morris discusses the problem of IP theft, data leakage, phishing and Wi-Fi interference be addressed as mobile threat looms large for corporates.
The growing use of smartphones, tablets, laptops and other portable devices self evidently raises the security threat for enterprises, if only because there are an increased number of ‘points of contact’ available to be exploited by would be hackers.
Cybercrime numbers speak for themselves – RiskIQ estimating that companies globally lose an estimated $1.5 trillion annually, due to security breaches.
Criminals are employing multiple tactics, ranging from malvertising to phishing and supply chain attacks. Phishing attacks alone cost an estimated $17,700 per minute, while global ransomware events in 2019 were projected to be the equivalent of $22,184 per minute.
Cybersecurity Ventures, in its 2019 Annual Cybercrime Report, estimates cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. Putting that into perspective that means cybercrime is more profitable than the global trade of all major illegal drugs combined.
While these various numbers may be open to question/interpretation it is blindingly obvious a major problem exists ‘out there’ – either through consumers being duped online by scammers or companies coming under increased threat due to employee use of mobile devices outside the office.
State sanctioned intellectual property theft has long been a festering sore while extended supply chain threats have increasingly been challenging organisations’ broader business ecosystems.
Attack strategies employed by cybercriminals have slowly evolved towards ‘back door’ methods to exploit third- and fourth-party supply chain partner environments as a means of gaining entry to target systems. In short, an extended network is only as strong as its weakest point.
Less reported has been the role of employees. Indeed, whether by accident or design, many employees are often the root cause of successful cyber attacks, according to Accenture in its 2018 State of Cyber Resilience survey.
It identified the accidental publication of confidential information by employees and insider attacks as having the greatest impact, second only to hacker attacks in successfully breaching organisations.
Four years on after mobile web traffic surpassed desktop for the first time (source Blue Corona) smartphone use globally is projected to total 3.5 billion this year; up 9.3 percent on 2019 and equivalent to a market penetration rate of 45.4 percent, based on a global population of 7.7 billion (source: Statista.com)
Beyond data leakage – where mobile users give permissions to apps on their phones without checking their security first, thereby potentially allowing sensitive data to be forwarded on, phishing attacks continue to be de rigueur for many would be hackers.
This is due to smartphone users being more likely to check their e-mail more frequently and more likely to make a mistake by clicking a dodgy e-email link.
Also worth noting is that app developers sometimes speed up the development of their apps by employing weak encryption algorithms or failing to require users to re-authenticate their identities. Either way, for the end user, it’s a potential recipe for disaster.
Meanwhile, that other old favourite, spyware, which can gather data from your laptop/ smartphone and forward it to a third-party, remains a weapon of choice for hackers.
Unsecured and public Wifi networks in places such as coffee shops are similarly part of the hacker’s playbook. Yet if it seems obvious that most mobile device users will treat these networks with some degree of caution, more often than not they won’t.
Far more sophisticated however is the spectre of so-called network spoofing.
Think of an employee catching up on work (and accessing corporate information) in an airport lounge, for example. In the network spoofing scenario hackers set up fake access points that look like Wifi networks. Or to put it more generally, disguise a communication from an unknown source as being from a known, trusted source.
Users are then prompted to create an account to access this free WiFi. More often than not, they’ll use an email address/password previously used elsewhere. Hackers, unsurprisingly, will be delighted, given they only need one successful attempt (in this situation) to potentially wreak havoc.
Also needing to be factored into the equation is the use of weak passwords – more so where a company employs a ‘bring your own device’ policy- meaning employees use the same smartphone for work and private purposes. This is compounded by many employees not using a two-factor authentication policy to confirm who they are.
Employers meanwhile don’t do themselves any favours, given the tendency of the security function inside companies to be centralized, and with staff less involved in the development and roll-out of new products, services and so on. This can lead to less accountability and the attitude that security isn’t everyone’s responsibility.
The obvious remedy of course is to provide more training, through the use of phishing tests for example, and help employees better assess what the risks are to the company.
Threats may come from within – a rogue employee ‘insider’ for example – or from the outside as companies increasingly use sub-contractors that may have less robust networks from a security standpoint. Either way, companies need to keep on top of their education and training to allow for any such eventualities. This means making sure human resources, learning and development, as well as legal and IT teams work closely with the security office and business units.
An additional layer that can be incorporated is buttressing the company’s employee monitoring policy through the use of monitoring apps on individual devices. This will allow the company to determine online activity on the device, as well as where it is.
Yet this will only be relevant if measures are in place to respond to any security breaches. Such a response, obviously, will need to be timely in order to limit any potential damage.
On the face of it the growing threat to corporates from cybercrime has long been acknowledged and it wouldn’t unreasonable to believe companies are more ready to deal with such threats now than they previously were.
Yet Hiscox’s 2019 Cyber Readiness Report, which polled 5300+ companies (of various sizes and industrial sectors) across Western Europe and North America, would appear to suggest otherwise.
Despite increased regulation and a number of high-profile breaches, firms actually achieved lower scores in the global insurer’s latest report with 74% of companies polled failing to reach the threshold for expertise in ANY area under its cyber readiness model.
The cyber readiness model measures how closely firms match up to what counts as best practice. Respondents are asked a series of questions covering their approach in four areas – strategy, oversight and resourcing on the one hand, technology and process on the other.
Companies are then invited to tell Hiscox how closely their way of doing things aligns with a well structured, rigorous and effective approach.
Respondents are scored on each answer and then ranked on a scale from ‘cyber novice’ and ‘cyber intermediate’ to ‘cyber expert’. Firms that score four or more (out of five) on both axes qualify as experts. Those that achieve that score on one axis but not both are intermediates. Those that fall below a score of four in both departments are determined as being novices.
Assuming companies will tend to overstate their levels of expertise, the problem highlighted by Hiscox is likely to be worse than stated.
Companies may also be deliberately sacrificing security on the altar of growth – after all, reducing the security threats costs money threat means more money – money that some managers may believe is better deployed elsewhere.
Irrespective, the message is clear, there is a very real problem in cyberspace; a problem that won’t be going away anytime soon. And one that will continue to require senior management attention, whether companies like it or not.