NordVPN Teams Report Spotlights Mobile, IoT Security Risks

2 out of 5 data breaches linked to mobile and IoT devices
De-perimeterization of enterprise networks puts company data at risk

According to Verizon's 2020 Mobile Security Index, 39% of organizations experienced a security compromise involving mobile or IoT devices. With increasing reliance on mobile gadgets, their protection has become the fastest-growing cybersecurity category, with estimated investments reaching $13 billion over 2019–2025. Mobile phones have recently overtaken desktops, with almost 53% market share worldwide. Although workers often have separate computers for work, they usually use the same mobile device for both private and business matters. Enterprises are aware of this: 47% of them worry that employees might use mobile phones inappropriately, putting confidential work-related data at risk.

"With remote work, dependence on cloud systems and increasing usage of mobile devices, we're approaching the de-perimeterization of enterprise networks in 2021. Securing mobile gadgets is one of the main industry trends of the upcoming year. The advent of 5G opens up new possibilities for cybercriminals to leverage vulnerabilities and compromise business data, thus enterprises should stay alert," says Juta Gurinaviciute, Chief Technology Officer at NordVPN Teams.

This year, hackers will employ a variety of methods to compromise mobile devices, ranging from social engineering to physical acquisition of the device itself. Here are five of the biggest threats mobile users will face.

5 main threats for mobile devices

1. Social engineering. Human error and manipulation, popular techniques for compromising business data, were leveraged in a third of the breaches in 2020. The mobile world is no different and no safer, but the mediums used are more diverse.
Only 15% of mobile phishing attempts arrive by email; the remaining 85% take place on messaging platforms, social media, games and other apps. The inability to keep work and private accounts separate also increases the chance of falling for a phishing attempt: a link that looks like a private message can compromise work-related data and leak credentials. Mobile users are also targeted with spoofed text messages, a tactic known as SMiShing.

"Mobile email apps allow users to monitor messages in real time, yet to accommodate the smaller screen, they display less information. Given this, it is harder to identify a forged email: sender information is hidden by default, and the overall message design is harder to evaluate. Users shouldn't click any links or follow instructions until they can inspect the email on their desktops," suggests Gurinaviciute.

2. Outdated services. Android devices make up almost 85% of the market, and most of them are supported for just three years. Some manufacturers fail to keep up with security updates, yet they are not the only ones to blame, as the end user is responsible for applying patches on time. There are as many as 123,454 vulnerabilities in the wild, and some of them are exploited by hackers targeting mobile devices. An average mobile phone has 40 apps installed, and any of them can become an entry point if it is neglected or unpatched. To mitigate the risk, ask your employees to remove unused apps and turn on automatic updates, as manual updating is generally postponed.

3. Insecure authentication. One in four workers use the same password for every account, both work-related and private. Each mobile device holds dozens of sign-ins, and the passwords are usually weak ones: names of relatives, birthdays, or simply abcdef or 123456.
On mobile devices the problem of authentication is compounded, because many apps use so-called 'tokens' for ease of access: once issued, a token lets the user perform actions without being asked to re-authenticate, since the app and its backend treat the token as proof of which user and device are on the other end. Whoever obtains a token can therefore impersonate the legitimate user and compromise their data.

"Say the user has accessed their company's intranet on their mobile device, but forgot to log out after finishing the task. This leaves the session open, and hackers can then explore the website's content and get their hands on the important data. It's called improper session handling, which is best avoided by always concluding the session after work is finished, or by automatic termination if the user is inactive for a short period of time," advises NordVPN Teams' expert.

4. Physical risks. The name says it all: whereas even laptops usually stay at the workstation, mobile devices accompany their owners everywhere. With the phone constantly at hand, employees can easily access work-related data anywhere, whilst also being contactable by both clients and colleagues at any time. Enterprises are ambivalent about mobility: 46% of them fear that the loss or theft of a mobile device could lead to a data breach.

Loss of the device is not the only physical threat. Attackers also plant tampered infrastructure to load malware onto phones without the user noticing, and a few minutes of physical connection can be enough to install malicious apps and take control of the device. Take 'juice jacking', for example: public USB charging ports are modified so that they transfer malware to any device plugged in. A charge-only cable or a USB data blocker, which passes the power pins but not the data lines, removes that path.

"Phone owners should be especially cautious about spyware. Nowadays every mobile device is equipped with modern cameras, microphones and GPS chips, not to mention the amount of data transferred every day. When compromised, your phone gives away your whereabouts and actions. Users should also think about the permissions they grant to each app: are all of those necessary for it to function properly?" says Gurinaviciute.

5. Insecure connections. To save precious mobile data, everyone is on the hunt for free Wi-Fi. However, a mobile device is only as secure as its network connection, and public hotspots are usually poorly protected: they let anyone join, so an attacker on the same network can also reach the unsecured devices on it. This is especially true of poorly configured IPv6 networks: every device receives a globally routable address, and unless the gateway filters unsolicited inbound traffic (the job NAT incidentally does on IPv4), all incoming internet traffic can potentially reach the internal devices directly.

A hotspot that asks for credentials is by no means safer. Sometimes cybercriminals set up fake access points (so-called evil twins) in high-traffic public areas, such as malls or airports. When users connect to a spoofed "Free Airport Wi-Fi" or "Starbucks Open", they are sometimes asked to create a free account to get online. As people often reuse the same email and password combination across services, the attacker now holds a working credential pair and can log into the victim's other accounts.

"Employees should be discouraged from using public Wi-Fi networks on their mobile devices, especially if work-related accounts are associated with them. The rule of thumb is never to provide any personal data or access confidential information over public hotspots," warns NordVPN Teams' CTO.

And 5 steps to use mobile for work safely

To mitigate the risk, enterprises should collaborate with employees in creating resilient and secure digital workspaces.
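The improper session handling described under threat 3 (a session that stays usable after the user has stopped working, so that a captured token keeps working for whoever holds it) is best closed on the server rather than by hoping users remember to log out. The Python below is an added example, not code from NordVPN Teams or from any product it describes: an in-memory session store that issues opaque random tokens, expires them after an assumed idle window and an assumed absolute lifetime, and invalidates them on logout. The timeout values, the user names and the replayed scenario are assumptions constructed for illustration.

```python
"""Server-side session store with idle timeout, absolute lifetime and
explicit logout. Added example, not NordVPN Teams' code; the timeouts,
the token format and the in-memory store are assumptions."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

IDLE_TIMEOUT = 15 * 60      # assumed policy: end a session after 15 min without activity
MAX_LIFETIME = 8 * 60 * 60  # assumed policy: force re-authentication at least every 8 h


@dataclass
class Session:
    user: str
    issued_at: float   # when the user last proved their identity
    last_seen: float   # last request that carried this token


class SessionStore:
    """Sessions keyed by the SHA-256 of an opaque random bearer token.

    A token is a bearer credential: whoever presents it is treated as the
    user, so the store's job is to bound how long a captured token works."""

    def __init__(self, clock: Callable[[], float] = time.time,
                 idle_timeout: float = IDLE_TIMEOUT,
                 max_lifetime: float = MAX_LIFETIME) -> None:
        self._clock = clock
        self._idle = idle_timeout
        self._max = max_lifetime
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _key(token: str) -> str:
        # Only a hash is stored, so a leaked server-side table yields no usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user: str) -> str:
        """Issue a fresh 256-bit random token once the user has authenticated."""
        token = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[self._key(token)] = Session(user, now, now)
        return token

    def authenticate(self, token: str) -> Optional[str]:
        """Return the user behind a live token, or None.

        Tokens past the idle window or the absolute lifetime are deleted on
        sight, so a session the user forgot to close dies by itself."""
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        now = self._clock()
        if now - sess.last_seen > self._idle or now - sess.issued_at > self._max:
            del self._sessions[key]
            return None
        sess.last_seen = now        # activity slides the idle window forward
        return sess.user

    def logout(self, token: str) -> bool:
        """Explicitly end a session; the token is useless from this point on."""
        return self._sessions.pop(self._key(token), None) is not None


def idle_session_scenario(idle_timeout: float = IDLE_TIMEOUT) -> dict:
    """Constructed scenario with a controllable clock: the user opens the
    intranet, walks away, and the captured token is replayed later.
    Returns what each step observed."""
    now = [1_000_000.0]                       # fake clock, advanced by hand
    store = SessionStore(clock=lambda: now[0], idle_timeout=idle_timeout)
    token = store.login("alice")              # assumed user name

    results = {}
    now[0] += 60                                          # a minute later: normal use
    results["active"] = store.authenticate(token)         # 'alice'
    now[0] += idle_timeout + 1                            # user never logged out
    results["after_idle"] = store.authenticate(token)     # None: replay rejected
    token2 = store.login("alice")
    results["logout"] = store.logout(token2)              # True
    results["after_logout"] = store.authenticate(token2)  # None
    results["forged"] = store.authenticate("not-a-real-token")  # None

    # Steady activity keeps a session alive, but not past the absolute lifetime.
    store2 = SessionStore(clock=lambda: now[0], idle_timeout=900, max_lifetime=3600)
    token3 = store2.login("bob")
    alive = []
    for _ in range(7):
        now[0] += 600                         # always under the idle limit
        alive.append(store2.authenticate(token3) == "bob")
    results["absolute"] = alive               # six True, then False at 4200 s
    return results


if __name__ == "__main__":
    for step, outcome in idle_session_scenario().items():
        print(f"{step:>12}: {outcome!r}")
```

The two limits do different jobs: the idle timeout kills the forgotten session from the quote, while the absolute lifetime stops an attacker who holds a token from keeping it alive indefinitely by replaying it just often enough. Storing only a hash of the token means a dump of the server's session table cannot be turned into working credentials.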
Source: NordVPN Teams media announcement