Cyber Security and the Threat of Mobile Devices: A Perfect Storm

Many years ago, I wrote several whitepapers for a company that made security products for network engineers. These engineers were tasked with protecting corporate networks, in part by identifying “rogue devices” on the network, which the security products helped them find. Back then, a rogue device usually meant a cell phone or laptop an employee brought from home and used on the network, putting the network at risk by circumventing firewalls and giving hackers access.

It seemed so high-tech back when I was writing those whitepapers, but that was a decade ago, and those same network engineers probably wish their lives were so easy now! Today mobile devices are so prolific, they’re almost an extension of our bodies and employees expect to be able to use them for work—even when they’re not at work. At the same time, companies continue to be lax in enforcing solid measures to protect their data and networks, despite the proliferation of mobile devices and the new mobile workforce.

Which throws one more cog into the already fast-moving wheel of cyber security: mobility.

Cyberattacks are increasing

Granted, it’s not just mobile devices that are compromising security and increasing risk. There’s also the simple fact that cyberattacks continue to increase each year. According to Statista, known data breaches in the U.S. went from 157 in 2005 to 1,579 in 2017. That’s a tenfold increase! Ransomware has made a huge jump in volume as well, with almost twice as many ransomware attacks in 2017 (160,000) as compared to the previous year (82,000).

It’s not just the compromising of data that’s the issue here. These attacks cost businesses money—a lot of money. Cybercrime is a global problem that could add up to $6 trillion in costs worldwide by 2021. Cybersecurity Ventures says this increase in cyberattacks “represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined.” The situation is so dire that the World Economic Forum (WEF) launched a Global Centre for Cybersecurity earlier this year.

Cyber security and mobility

When the number of cyberattacks is increasing at a rapid pace and so is the use of mobile devices, we’re headed towards a perfect storm. It’s so bad that one article says mobile cyber security is already a “hellish nightmare” that’s getting worse. As Nick Ismail says in an article at Information-Age.com, “…mobility is the new front line for security as businesses weigh the advantages of an increasingly mobile workforce against the need to protect sensitive information in today’s complex cyber security landscape.” How bad is it? We now have a Journal of Cyber Security and Mobility that’s published quarterly.

Why is mobility such a problem for cyber security? It shouldn’t be. But neither users nor employers are taking the necessary steps to defend businesses against attacks made possible by our handy smart phones and tablets.

Users are increasing risk

Back when I was writing those whitepapers mentioned above, the network engineers called personal cellphones and laptops “rogue devices” because they didn’t want them used in the workplace—hence the term rogue. Today most companies have a Bring Your Own Device (BYOD) policy, and it’s assumed that employees will be using their personal smart phones, tablets and laptops to do work and access the corporate network. In addition, the workforce is much more mobile today than it was 10 years ago, and people are regularly working from a remote location.

And all that opens up several ways in for hackers. Kaspersky Labs describes seven ways employees’ mobile devices put corporate networks at risk:

1. Data leakage: Mobile apps are often the cause of data leakage because users give the apps on their phones all kinds of permissions without checking security. These apps can send personal and corporate data to a remote server.
2. Unsecured WiFi: When employees are out and about, they’re accessing corporate networks with little or no thought to the risk posed by public WiFi networks that are not secure, when at coffee shops, waiting airports, or even while at a sports event.
3. Network spoofing: Speaking of public places, network spoofing is another user-caused vulnerability. Hackers set up fake access points that look like Wi-Fi networks in high-traffic public locations such as coffee shops, but they are traps. When users are prompted to create an account to access this free WiFi, they typically use an email address and password they’ve used elsewhere. Then what? Then the hackers gain access to email and other secure information, including corporate data.
4. Phishing: Apparently, people checking email on mobile devices are much more vulnerable to phishing attacks since they check their email so frequently. In addition, on a smaller screen, it’s easier for a phishing email to pass as a legitimate one.
5. Spyware: Simply put, spyware is software that gathers data from a computer or other device and forwards it to a third-party.
6. Broken cryptography: Broken cryptography happens when app developers use weak encryption algorithms with known vulnerabilities because they want to develop the app faster. Broken cryptography also happens when app developers use strong encryption but leave open back doors.
7. Improper session handling: Improper session handling results from apps being built in such a way that users don’t have to re-authenticate their identity. Yes, this makes using mobile apps faster, but it makes it easier for a hacker to impersonate legitimate users.

But the companies are to blame too

However, we can’t place all the blame on the employees. Poorly done cryptography and app development that compromises security for speed are beyond the control of the user. But the organizations that employ these mobile device users are also at fault. This is in part because businesses are knowingly compromising security for financial reasons: The Verizon Wireless’ annual Mobile Security Index found that “approximately one-third of organizations have knowingly sacrificed security for expediency or business performance.”

Organizations are also at fault because they simply fail to act. Of those 162,000 ransomware attacks in 2017 mentioned above, 93 percent could have been prevented by keeping up with software updates, blocking fake emails, and training employees to recognize phishing attacks, according to the Online Trust Alliance.

And then there’s the shortage of cyber security professionals adding to the problem. Perhaps more organizations would take the steps to secure their infrastructures and data if they had the staff to do so.

The dire need for cyber security professionals

Obviously, we have a cyber security crisis that’s intensified by the mobility of today’s workforce. And we know cyberattacks will only increase in intensity. The result? The corporate world needs more people trained in cyber security—now. We already have a shortage of trained professionals. At the time of this writing, Cyberseek.org showed over 300,000 job openings in cyber security just in the U.S. Worldwide, experts predict we’ll have 3.5 million unfilled jobs by 2021.

If you’re considering a career in cyber security, your possibilities are endless and your future is secure. Plus getting started is easy. All kinds of cyber security certifications can be earned to launch your career. Most importantly, the world needs you, desperately, to fight cybercriminals and defend corporations and consumers alike. Ten years ago, it was a simple fight against “rogue devices.” Today the situation is dire, a “hellish nightmare” as we try to prevent the perfect storm from happening. Can you help to fight the good fight?