Pages

8 August 2022

Verizon: Mobile attacks up double digits from 2021

Allen Bernard

With the proliferation of mobile devices and hybrid work environments where employees often use their personal devices for work-related activities almost half (45%) of respondents of the Verizon Mobile Security Index 2022 said their organizations were subject to a security incident involving a mobile device that led to data loss, downtime or other negative outcome—a 22% increase over 2021’s numbers.

Of those respondents, 73% said the impact of the attack was “major” and 42% said that it had lasting repercussions. In 2021, less than half of incidents were described as major and just 28% were said to have had lasting repercussions, the report said.

Despite these results, 36% of respondents said that mobile devices are of less interest to cybercriminals than other IT assets—an increase of six percentage points from the 2021 MSI report.

“Mobile has historically been overlooked by information security teams, largely because these modern devices are perceived to be inherently safe and protected from legacy threats,” Michael Covington, VP of portfolio strategy at Jamf, an Apple device management company that contributed to the MSI report. “But the reality is that mobile devices are always on, always connected, and always vulnerable to risk.”
Insecure networks still an issue

Insecure networks such as public Wi-Fi accessed without a VPN or other security considerations remains a serious threat to mobile device security, the report said. Attackers can engage in man-in-the-middle attacks by tricking users into using rogue Wi-Fi hotspots or other access points set up and controlled by the hackers. Most (52%) respondents who suffered a mobile-related security breach said that network threats were a contributing factor.

With about 40% of workers away from the office most days, more business is being conducted using over home Wi-Fi and home broadband connections. Most (85%) respondents said their organizations allow the use of home Wi-Fi and cellular networks and hotspots or have no policy against them. Sixty eight percent of organizations have no policy prohibiting the use of public Wi-Fi.

According to the Proofpoint, 2022 State of the Phish survey cited in the 2022 MSI report, 3,500 working adults across Australia, France, Germany, Japan, Spain, the U.K. and the U.S. found that most employees or organizations did not undertake basic security measures to protect their home Wi-Fi networks.

Most (62%) respondents said they weren’t concerned about the security of their home network and close to 90% of the remaining respondents said they didn’t know how to secure their Wi-Fi connections.

“Mobile devices are now critical to how we work,” the report said. “With increased capabilities and expansive connectivity, we now have access to far more information and tools than we ever did in the days of desktops and personal digital assistants (PDAs). Partly driven by the growth in cloud-based applications, a smaller screen no longer means less powerful.”
Cloud apps a contributing factor

The use of cloud-based services likewise are causing mobile securing headaches, the report said. The simplified user interfaces of mobile devices make it easier for attackers using phishing attacks to obtain employee credentials. Employees can be targeted through multiple apps such as SMS, social media platforms and third-party messaging apps.

Likewise, as the number of apps continues to grow even non-malicious apps, including those downloaded from official stores such as Google Play and Apple’s App Store, can be a threat. Nearly half (46%) of respondents who suffered a mobile-related security breach said apps were a contributing factor.

The human element still a problem

Most (82%) breaches involved the human in the loop. Whether it’s hackers using stolen credentials, getting users to click on malicious links or download malware laden files using phishing, human error continues to cause incidents and breaches.

“Mobile security does not need to be another IT security headache. Organizations looking to reign in mobile risk should start with their policies and procedures,” said. “Instead of giving mobile an exemption to acceptable use policies and security requirements, businesses should treat mobile like every other endpoint.”

No comments:

Post a Comment