Every year, Verizon issues a Data Breach Investigations Report (DBIR) on cybersecurity and recent data breaches. The latest DBIR argues that mobile security is something of an oxymoron: the very form of mobile devices carries its own intrinsic security risks. The problem is that, despite those inherent risks, mobile is essential to today’s workforce. Mobile security therefore needs to be a priority, lest companies succumb to breaches via their employees’ phones.
Mobile design and user interaction
Mobile security solutions abound, such as enterprise-grade VPNs, antivirus software, and more secure communication methods. Despite these options, the DBIR states emphatically that mobile phones are more susceptible to social attacks than desktop or laptop devices. Social attacks include email-based spear phishing, spoofing attacks that mimic legitimate sites, and attacks via social media. This heightened susceptibility comes from mobile design and from how users interact with their devices.
Design-wise, mobile screens are small, and users do not always see everything as clearly as they would on a desktop or laptop. Most smartphones do not allow viewing multiple pages side by side, so users must toggle between screens to check the legitimacy of email and website requests – realistically, most users do not have the patience for this.
Additionally, many mobile operating systems and apps restrict viewing of crucial security information. For example, on mobile, users are limited in their ability to assess a site’s SSL (Secure Sockets Layer) certificate and encryption. Even more egregious is that many mobile email apps hide certain parts of email headers, namely the email-source information that is crucial for identifying fraudulent emails.
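As an added illustration (not code from the article or from Verizon), the following Python script parses a constructed message and surfaces the source-related header fields the text refers to, flagging the mismatches a reader could otherwise spot in a desktop client that shows full headers. All addresses, domains and the Authentication-Results line are constructed placeholders.

```python
"""Surface the sender-origin headers many mobile mail clients hide and
flag the inconsistencies they reveal. Added example; sample is constructed."""
from email import message_from_string
from email.utils import parseaddr
from typing import List

# Constructed sample: the From line looks like the CEO, but the envelope
# sender, Reply-To and the receiving server's SPF/DKIM verdicts disagree.
SAMPLE_RAW = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbound.corp.example (Postfix) with ESMTPS id ABC123
Authentication-Results: inbound.corp.example; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "CEO" <ceo@corp.example>
Reply-To: ceo.corp.example@webmail.example.org
To: employee@corp.example
Subject: Urgent wire request

Please process the attached transfer today.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address header value, '' if none."""
    _, address = parseaddr(addr)
    return address.rpartition("@")[2].lower()


def source_findings(raw: str) -> List[str]:
    """Return the sender-origin mismatches found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg.get("From", ""))
    findings = []
    # Return-Path is the envelope sender (where bounces go); a display domain
    # the sender cannot actually receive at shows up here as a mismatch.
    rp_dom = domain_of(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"return-path domain {rp_dom} != from domain {from_dom}")
    # Reply-To silently redirects the reader's answer away from the From address.
    reply_dom = domain_of(msg.get("Reply-To", ""))
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} != from domain {from_dom}")
    # Authentication-Results records the receiving server's SPF/DKIM verdicts.
    auth = msg.get("Authentication-Results", "").lower()
    for mech in ("spf", "dkim"):
        for verdict in ("fail", "softfail", "none"):
            if f"{mech}={verdict}" in auth:
                findings.append(f"{mech} {verdict}")
    return findings


if __name__ == "__main__":
    for finding in source_findings(SAMPLE_RAW):
        print("WARNING:", finding)
```

Every field the script inspects is present in the message but is exactly what a typical phone mail client collapses behind the display name.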
Mobile devices in general give prominence to actions like “Accept,” “Reply,” and “Send,” making it easy to respond to emails or message requests without thinking much about where they come from.
The way people use their mobile devices is the second issue that contributes to increased security risk. Mobile devices are used everywhere: while walking, driving, working, and so on. Since users tend to multitask while on their phones, they are more likely to ignore security warnings or accept bogus requests.
The Verizon DBIR sums up the security risks facing mobile: “The confluence of design and how users interact with mobile devices make it easier for users to make snap, often uninformed decisions – which significantly increases their susceptibility to social attacks on mobile devices.” Unfortunately, just as the DBIR was able to identify all the weaknesses embedded in mobile security, you can bet that cyber thieves and cyber terrorists have spotted them too. It seems as if keeping data safe on a mobile is like fighting a losing battle. Can anything be done?
Three steps to increase mobile security
While the challenge is real, there are several things that companies and individuals can do to increase their security posture. First is mobile-only training for cybersecurity professionals to identify phishing and malware attacks. This will help them create security solutions designed to address issues specific to mobile.
The second step is to address the limited availability of crucial security information, such as websites’ SSL certificates and the email headers that show where a message came from. Toward this end, individual users and cybersecurity companies need to pressure the big OS companies, Google and Apple, to address these issues.
The third step, of course, is education. Individuals who do not pay attention to security issues do so at their own risk, but employees who use their mobile devices without paying proper attention put an entire company at risk. Therefore, everyone should be educated about potential security risks of mobile use. As users become more aware of potential security breaches when using mobile devices, they will be able to take appropriate preventive measures.
For additional resources and guidance, the Interfor team is here to help.