Mobile Threat Blog

  • Mobile
    Security Insights
  • Mobile
    Threat Research
  • Mobile
    Security Tips

Have you bought into the myth that since mobile hasn’t been cited as the cause of major data breaches making the headlines,  it’s not a threat vector you need to defend against? If so, you just might be the next breach headline. We’re debunking this myth by showing how mobile ‘micro-breaches’ are happening everyday, behind the scenes, and undermining your overall enterprise data security.  

Breach Headlines Don’t Tell the Whole Story

Cyber security incidents that grab major headlines often involve a massive data breach, prompting security pros to focus their budget and defenses around the latest threats in the news.

Mobile breaches have not yet captured the same volume of headlines as traditional major breaches. But just because a purely mobile breach hasn’t made the news, doesn’t mean it isn’t important to know about and defend against. Think how long it took for most of the breaches you see in the headlines to become public. Think, too, about how many breach risks your enterprise may be ignoring because they are not making news.

Some security teams point to the lack of mobile breach headlines as a justification to delay or limit investment in a mobile security program, but managing security via the news cycle is a sure way to become the next headline.

Mobile threats are there whether you are looking for them or not

If you’re not monitoring for mobile threats, you aren’t going to see them. And, as we’ve seen, many companies aren’t reporting breaches when they occur. And, without full visibility, they may not understand the role that mobile played in the breach. If we look at companies that actually DO monitor their mobile environments for risk, we see that 67% of organizations said a data breach likely resulted from employees using their mobile devices to access sensitive company information. And 60% of organizations can tie a security incident to an insecure mobile app.  

The fact that companies are not reporting mobile breaches does not mean mobile breaches are not occuring.

Phishing is often at the root of data breaches and mobile is a growing threat vector

Most data breaches stem from an unauthorized party gaining access to privileged credentials, which often happens through phishing scams. In fact, Verizon’s Enterprise Solutions yearly report blamed 90% of corporate breaches on phishing.

A number of security researchers point to mobile as a growing phishing attack vector. Some reports estimate that mobile users are 3x more likely to fall victim to phishing. This makes sense considering both the time users spend on mobile devices (we’re all glued to our phones!) and the form factor itself.  On mobile, smaller screens can make it more difficult to visually assess whether a website/app or a URL is legitimate. Shortened URLs that hide the full URL are all too common in mobile emails and SMS and URL padding is a technique that is gaining traction in mobile to trick users into clicking phishing links.

Buzzword Alert: SMS phishing attacks are so common there’s even a term for it: smishing.

Mobile micro-breaches are contributing to phishing success

But why are phishing scams so successful? Phishing attacks are increasingly successful because they are becoming more targeted. Corporate address books and calendars used to be highly guarded and very difficult to obtain. However, in the mobile world, oversharing is the new normal, and users have been conditioned to grant access to address books and calendars to all kinds of apps, including flashlight apps. It is now trivial for apps to collect, harvest, and share corporate address books and calendars, all without IT supervision. Given the amount of mobile data available to bad actors, they can easily create emails that look like they come from an actual work colleague, pertaining to an actual work subject.

Think of how much information employees are sharing on their mobile devices. Then think about how each app developer that collects address books, calendars, and other sensitive data is incentivized to share that data with data aggregators, marketing partners, trackers, and other 3rd parties.  Oversharing creates micro-breaches that lead to massive data breaches. Rather than suffering one massive breach, most companies are experiencing “death by a thousand mobile micro-breaches”.  

Deep Thoughts: if your employees are willingly sharing sensitive information, is it actually a breach? Should that make the news?

Small mobile vulnerabilities add up to big data losses

Oversharing isn’t the only avenue for data loss. Small, unintended vulnerabilities, often in the mobile app backend can quickly add up to a major breach.  One example is Eavesdropper, where a single SDK vulnerability exposed hundreds of millions of call recordings and text messages when apps collecting sensitive corporate data were downloaded by over 180M mobile users. Without a mobile threat defense solution in place to scan for app risks, these micro breaches are invisible until they’re too big and it’s too late.

3 Steps for staying out of the data breach headlines

It’s pretty clear that mobile breaches are happening- whether or not they are making headlines.  Remember: mobile is an employee’s gateway to the cloud (internal or external), to corporate sensitive documents, and to each other. It’s vital to protect personal and corporate data against mobile threats because simply stated, mobile is the threat vector of least resistance for corporate breaches.  

If you want to be sure your enterprise is not the next data breach headline, there are 3 things you should do:

  1. Stop treating mobile like an insignificant risk – at both a micro and macro level, mobile is increasingly at the root of data breaches, now and going forward.
  2. Get a handle on the mobile risk in your organization – you need to understand all three mobile threat vectors: device, network and especially mobile apps. To do this, you’ll need a Mobile Threat Defense solution that analyzes and protects all three.
  3. Help your employees to make better choices online – provide them with a list of safe apps to install, educate them on data sharing and recognizing risky links and sites. When your EMM is integrated with mobile threat defense, enforcing some of these policies will be much easier.

It’s hard for mobile breaches to make headlines when companies aren’t monitoring for them. Do you still think the absence of headlines means you can put off investing in mobile security?  Now’s the time time to research and invest in Mobile Threat Defense before YOUR enterprise becomes a mobile breach headline.

Watch and share the video on this mythbuster: