WSJ.com | By Roberta Kowalishin and Jeffrey Shaffer, PwC – Who can imagine doing their work or running their personal life without a smartphone in hand? No wonder: in 2015, 86% of Americans ages 18 to 29 used a smartphone, up from 52% in 2011, according to the Pew Research Center, and other age groups show similarly high use. Yet for all their benefits, smartphones are among the most exposed devices we own, and that makes them a significant cybersecurity risk when employees use them for work.
The issue has grown now that “bring your own device” (BYOD) policies let millions of corporate employees use a single smartphone for both work and personal matters. BYOD emerged around 2009 because it is convenient for employees and can save organizations money, but it created security problems that corporate IT is still working to resolve. Smartphone adoption, and the threats that accompany it, have grown faster than the technologies, tools, and awareness programs meant to mitigate the risk. Kaspersky Lab counted 2.9 million malicious installation packages and 884,774 new malicious mobile programs in 2015, a threefold increase over the previous year.
Consider this: a smartphone is a computer that operates on both sides of the corporate firewall, and its many functions and wide variety of software give it a larger “attack surface” than any device maintained inside corporate protections. This is especially true when one phone serves both business and personal purposes, as with BYOD. Financial information, email password resets, and two-factor authentication codes sent by text message all pass through the same device, so a compromise of that device can expose personal accounts, corporate accounts, and the second factor meant to protect both. Without proper visibility and controls, a smartphone can create greater personal and corporate risk than an employee’s lost wallet.
Much of the smartphone’s weakness starts with apps, which can in effect be gateways that let risk into your business environment. The average smartphone ships with more than 30 pre-installed, enabled apps that many users do not know about, much less need or control, and a typical user downloads 50 to 100 more. According to the mobile security firm Appthority, 79% of mobile apps exhibit risky or hidden behaviors.
Add the fact that a smartphone holds highly accurate location history and stores network credentials, and it is easy to see why these devices pose a cybersecurity risk, especially when a business’s core information passes through them. According to Appthority, 85% of businesses experienced a mobile security incident in the past year.
While the application layer is the most obvious weakness, a smartphone can also be attacked through its hardware, firmware, and mobile operating system. Users know the primary cellular networks, 3G and 4G LTE, but other components of their phones are less familiar. Wi-Fi, near-field communication (NFC), Bluetooth, GPS, peer-to-peer links, and synchronization services each carry data on or off the device and are potential points of compromise. A phone also typically carries a dozen or more sensors whose readings apps can collect and transmit. Because many of these radios, services, and sensors are on by default, each is a point a threat actor may try to exploit, either to collect data or as a foothold for broader network access.
Moreover, with a huge selection of devices in use, more than 24,000 distinct combinations of device model, manufacturer, and operating system version on the Android platform alone, monitoring the many possible avenues of incursion has become challenging. Apple, once perceived as a “safe” walled garden, is now seeing increasing malware threats both in apps and in the core frameworks and tools its developers use. And the smaller number of Apple device variants can, conversely, present attackers with a more concentrated target.
All of this means that a significant breach via a mobile device is only a matter of time. Most threat actors aim to gain administrative privileges and move laterally through a corporate network, and a smartphone is a plausible route to both in the not too distant future, if it has not already been used as one.
What Can You Do?
So how does an organization minimize BYOD risk? A comprehensive mobile security program is the goal, but some good first steps are:
– Creating employee awareness of the potential for data loss and of proper use and security practices for mobile devices.
– Investing in solutions that provide visibility into and monitoring of mobile devices. Organizations that act while others do not stop being the low-hanging fruit for the next bad actor.
– Treating mobile as the organization would any other part of its network. The NIST Cybersecurity Framework offers helpful guidance here, with its five core functions: identify, protect, detect, respond, and recover.
However, in the face of an evolving, multi-layered threat, generic smartphone solutions may be only a stopgap. Going forward, corporations would be wise to ensure that smartphone information risk programs and mobile security architectures are governed by a single team and designed for the specific needs and use cases of the enterprise and its users. The threat intelligence lifecycle, identifying risks, mitigating them, disseminating risk information, educating users, and reducing risky behavior, requires full-time attention. Employees must be accountable too; their awareness and adaptability will ultimately determine the strength of any system.
Identity and access management procedures are also an important part of helping employees manage this risk. A comprehensive program that recognizes both the importance of smartphones to the business and the mission-critical information risk they carry is better positioned to connect and protect the organization’s physical, digital, personal, and business identities.
Read the original article on WSJ here.