Verizon’s annual report highlights key trends in mobile security
Verizon’s annual Mobile Security Index is an authoritative annual report on the state of mobile security. It’s always an interesting read and gives an overview of the trends that our peers are seeing across the industry. What’s striking too about this year’s report is the way in which the pandemic and the move to widespread remote working have elevated the importance of cybersecurity in general, but in particular mobile security.
Pandemic, pandemic, pandemic
We see the massive impact the pandemic has had in a number of different ways. During the first wave we saw a huge wave of Covid related attacks taking advantage of the disruption to normal work and security practices which came about as a result of the rapid and unanticipated need to move to wide scale remote working. Employees were unfamiliar with the new processes. Inevitably there were shortcuts taken which led to a surge in cyber attacks particularly in the March April period of 2020 .
Verizon reported that COVID-19-related phishing and malware attacks increased from fewer than 5,000 per week in February 2020 to more than 200,000 per week by late April. In May and June, as countries started to ease lockdowns, threat actors stepped up their non-COVID-19- related exploits. This resulted in a 34% increase in all types of cyberattacks globally at the end of June compared to March and April.
But the longer term impact of the pandemic is really about the acceleration of the move to cloud and mobile access. 56% of companies use web-based productivity solutions, like Google Workspace (formerly G Suite) or Microsoft 365. And most are doing at least half of their processing and data storage in the cloud.
This in turn means a significant switch in security architecture. The front line of defense against cyberattacks has now moved firmly to protecting identity and endpoints. Many business systems are now hosted in the cloud and managed and secured by software vendors. And for Infosec teams this means that their focus must be on protecting the identities and the devices which are used to access these third party managed and secured systems.
Let’s go Phishing together
The report confirms once again that by far the most likely threat that employees face is a mobile phishing attack. According to the MSI report this is 26 times more likely than a malware infection. The reason this is so important is because now we rely on our identities to access critical business systems rather than our physical location.
There has been a massive increase in the number of phishing attacks. The report documents that a 364% increase in the number of mobile phishing attempts in 2020 versus 2019. Our own statistics show us that well over 60% of our partner organizations experienced a phishing attack in 2020, this is up from a figure of 34% in 2019. Traditionally phishing attacks were delivered over email. With mobile however email is only one part of a host of communications and collaboration services which are vulnerable to phishing. SMS has been a significant attack vector for a number of years. But the pandemic saw an explosion in the use of tools such as Zoom, Teams, Slack and WhatsApp for business communications. All of these systems are now being targeted by cyber criminals in order to harvest credentials.
Many devices, many networks
The report highlights the multiple ways in which devices themselves are vulnerable. The physical security of mobile devices is one area of concern: 71% percent of U.S. workers have allowed friends or family to use their work devices and over half (56%) of respondents said that they were worried about device loss/theft. But devices are also vulnerable to remote attacks unless you maintain good security posture. Unfortunately nearly three out of every 10 iOS, and nine out of every 10 Android devices were running an out-of-date version of the OS.
A second area of risk are Wi Fi networks. We’ve known for a long time that WiFi networks used in public places, like coffee shops and airports are easy to hack. We’ve been generally less concerned about WiFi in our homes, but it too has shown severe vulnerabilities. And now the hackers know that much of the working population is working from home. The opportunity to target those home users with drive-by attacks over WiFi is significant. All of this means it’s very important to ensure that all of your applications which handle sensitive data are using the most robust levels of encryption.
Another area that the report considers a growing area of concern is the misuse of mobile devices. This comes in two flavors. The first is the use of company owned devices to access inappropriate material or material which is not in compliance with the company’s acceptable use policy. There is clear evidence that the move to working remotely has led to a significant increase in this kind of misuse, almost inevitable when devices are no longer within the more controlled environment of the corporate network. Verizon reports a 600% increase in the number of visits to websites hosting adult content. Restricting access to these types of sites is not just about appropriate use : sites hosting adult or illegal content are notorious for harbouring malware and other dangerous content.
The second area, and in many ways, the much more troubling one is the increased use of unsanctioned cloud services. The growth of shadow IT was of concern to 5 out of 6 respondents to the Verizon survey. With reduced technical and physical supervision the temptations to use unsanctioned cloud services is significantly increased. Easy to sign up for and often initially free to use, such services are seen by employees as a zero cost way of improving productivity. However this often means that confidential corporate information is ending up on insecure systems which have not been formally evaluated or authorized by your IT team.
The regulators are coming…..Really
Operating as we do across Europe and North America we have long been aware that it was only a matter of time before enhanced privacy regulation would begin to bite in the US. California led the way but others are now catching up. To quote Verizon ”Since our 2020 report, U.S. legislators have had a general election and a pandemic to contend with. Despite this, Nevada signed new comprehensive privacy legislation and Iowa, Michigan, Mississippi, New Hampshire, South Carolina, Virginia and Wisconsin joined the list of states working on such rules. This means about half of Americans now live in a state where comprehensive privacy legislation has been enacted or is going through the legislative process.” This means that the cost of cyber breaches has just ratcheted up – it’s not just direct financial loss, operational disruption and reputational damage – businesses now also have to contend with the impact of time consuming regulatory actions and fines.
It’s not all bleak though
Cloud and mobile technology has made our business systems immeasurably more resilient than in the past. Over the course of a few days we saw offices across the globe empty as employees took up residence at their kitchen tables, in their bedrooms and their home offices whilst continuing to be productive and for the most part secure. But as the Verizon report confirms there are gaps. As with any change the key is about resource allocation. Less time and money will be spent on in-house network focused security and more on protecting identity, securing devices and governing application usage. We’re all on this journey together and we’re confident that our increasingly digital world can emerge safer, more resilient and more productive once we learn from the lessons of the last 12 months.