Majority of firms believe mobile workers have been compromised
More than half of organisations fear that increased mobile working means runaway cyber security risks, according to a new report
A fairly damning set of figures finds that far from embracing mobile working, enterprises are mainly concerned about the security risks posed by mobile workers. In fact, 57% of organisations suspect that their mobile workers have been compromised or caused a mobile security issue in the last twelve months alone.
Interestingly, one of the main concerns was around use of public Wi-Fi, with a considerable 81% of respondents stating that they had seen Wi-Fi-related security incidents in the past 12 months. Coffee shops were blamed as the top venue where such incidents had occurred, followed by airports (60%) and hotels (52%). Other locations on the list included railway stations (30%), exhibition centres (26%) and planes (20%).
As a result, a whopping 92% of companies said they were worried that their growing mobile workforce represents a rising risk of security issues. While the majority of organisations have embraced bring your own device (BYOD) policies, the vast majority (94%) said BYOD has increased mobile security risks.
The main method of defence used by companies surveyed was banning Wi-Fi, with more than a quarter (27%) banning use at all times, 40% banning use sometimes, and a final 16% planning to ban use of public Wi-Fi hotspots in the future.
The report, from iPass, polled 500 CIOs and IT decision makers in the UK, US, Germany and France.
Of course, there are many different flavours of mobile security threat that contribute to the overall risk profile, from loss of corporate data through device loss, to hacking, to wider network compromise caused by unwittingly compromised users bringing devices onto the corporate network. While banning Wi-Fi use or enforcing VPN use is one tactic, it clearly falls short of solving the mobile working security conundrum.
Mobile malware is a growing epidemic, for example, which is independent of Wi-Fi network use but could have serious consequences for enterprises. McAfee’s mobile threat report Q1 2018 claimed that a record 16 million users were infected with mobile malware in the third quarter of 2017 alone and predicted that the number would continue to rise. That rise can partly be ascribed to the range of vulnerabilities inherent in mobile apps. One group of University of Birmingham researchers recently found a security flaw that placed 10 million banking app users at risk.
Ilia Kolochenko, CEO of High-Tech Bridge, commented on that research and the wider vulnerability of mobile apps: “As much independent research continuously demonstrates, most of the mobile apps for any platform are insecure and vulnerable and have been for many years. This can be explained by a lack of experienced developers, a careless attitude towards mobile application security in many organizations and the relative complexity of practical exploitation of mobile app flaws.
“In most of the cases, exploitation of a mobile app vulnerability requires some pre-existing conditions, such as an already installed malicious app on the same device or attacker’s access to the victim’s data channel (e.g. public Wi-Fi). All of this makes mobile apps a not very attractive target for cybercriminals, who would rather target the mobile backend – APIs and Web Services – which can be an Alibaba's cave in the case of a breach. While many companies do not even consider protecting the mobile backend with a WAF, believing that it is unnecessary, mobile apps are just the tip of the iceberg.”
It is indeed quite an iceberg too, with news earlier this week that a series of QR code reader apps on Google Play were compromised with adware. The apps were downloaded more than 500,000 times before the malware was spotted, because the attackers had cleverly integrated a six-hour activation delay after download. That was long enough to pass the Google malware checks at the time, and although that window has doubtless now been closed, it is equally certain that other avenues are currently being exploited.
In response to these threats, High-Tech Bridge launched Mobile X-Ray, a free service that scans Android and iOS apps for OWASP Top 10 vulnerabilities and offers a free remediation report. The service has been used to scan more than 81,000 apps to date.