Verizon recently released its mobile security index for 2019. It paints an unbalanced cybersecurity picture by illustrating a lack of mobile incident response planning and a growing reliance on mobile devices in the workforce. The responses to Verizon’s survey showed that there was an increase from 27% in 2017 to 33% in 2018[i], in firms that admitted to a cybersecurity compromise where a mobile device played a role. The report also highlighted a shortfall in incident response cybersecurity strategy around mobile devices.
Does this mean you should ban all mobile devices from your network? Ideally, for the sake of cybersecurity and to make incident response easier, yes. In reality, no, that would be deemed crazy and may cause an employee revolt. However, it’s important to recognize the added threat that mobile devices bring into your system and ensure that mobile devices are part of your cybersecurity incident response plan.
And the mobile device survey says . . .
Cyber-attackers are changing their threat tactics and expanding their arsenals to be more effective in a mobile-first world. 51% of threat actors identified over the last year were targeting mobile devices in addition to desktop computers.[ii] Incident response strategies need to expand to include mobile devices in response. Employees using mobile devices are often able to access the majority of the same data as using fixed desktop computers. Therefore, a breach of a mobile device can be of equal risk to an organization. Out of Verizon’s survey, 41% of the company’s affected by a cybersecurity breach described the compromise as “major with lasting repercussions,” and 43% stated that remediating the cybersecurity attacks was “difficult and expensive.”[iii] Many admitted to not having a mobile incident response strategy in place.
67% of the organizations surveyed said that mobile devices were a weak spot in their cybersecurity defences and incident response strategy, yet only 45% had mobile endpoint security in place (for other protective cybersecurity measures like mobile anti-malware the numbers were even lower). 63% of companies that admitted to having a cybersecurity breach were notified of the incident by a customer, partner or by law enforcement, meaning that their mobile cybersecurity threat detection measures were inadequate. While cyber criminals and state-sponsored hackers are worrisome, employees took the number one position as the cybersecurity threat actors that most concerned respondents.
Staff members expose their organizations to cybersecurity risks frequently, sometimes knowingly, more often unknowingly. Careless human error, lost devices, public Wi-Fi, bending or ignoring established cybersecurity rules, all turn employees into threat agents. However, understanding the following four mobile variables and preparing an incident response plan will help to protect your organization.
User behaviour threats
How employees interact with technology impacts how secure your network is and must be integrated into your incident response planning. The FBI’s Internet Crime Complaint Center reported that in 2017, victims of cybercrime lost over $1.4 billion.[iv] Out of those victims, 48% of those cybersecurity breaches were due to compromised business email. Verizon also reported that users are three times likelier to click on a phishing link when on a small screen of a smartphone or tablet than when using a desktop operating system.
When designing an incident response plan, sketchy apps downloaded from unofficial places are not the only mobile cybersecurity worry for organizations – although those are of concern. Sometimes mainstream enterprise apps downloaded from official sources such as Google Play or Apple can be compromised or vulnerable due to poor coding practices. Compromised apps can lead to ransomware, malware, and cryptojacking being installed on the mobile device and in turn, potentially access your network.
Device threats can be as simple as losing the physical device, or a misplaced mobile device falling into the wrong hands. Building in strong passwords and remote wiping capabilities should be a proactive part of a mobile cybersecurity incident response plan. Of growing concern are the Internet of Things (IoT) devices because often they lack the storage or processing capacity required to run traditional cybersecurity protection methods. Also, because IoT devices usually run in remote locations, they are susceptible to physical tampering and can be harder to patch. IoT devices must become part of incident response planning.
On average, employees connect to 12 Wi-Fi hotspots each day. But not all hotspots can be trusted. Sometimes these hotspots are rogue access points in disguise as legitimate networks. Out of Verizon’s respondents, 81% of employees admitted to using public Wi-Fi for work, even in cases when its use is prohibited. Rogue access points can lead to a man-in-the-middle attack, enabling cybersecurity threat actors to capture transmitted data, including credentials, emails, and data submitted to web forms and therefore present a serious concern. Only half of the companies that Verizon surveyed had a cybersecurity solution in place as part of an incident response plan to encrypt all traffic and protect users from this kind of attack.
Take mobile cybersecurity and incident response planning seriousl
It is becoming apparent that organizations are not taking the same care in securing mobile devices as they are defending personal computers and servers. In a world fuelled by mobile devices, and with the growing reliance on IoT, securing mobile devices is of growing import and including them in incident response strategy is vital. Educating employees to ensure that they are practicing good mobile cyber hygiene(including robust passwords, and phishing identification) and making sure that mobile devices are part of your incident response plan helps to mitigate risk and is the foundation of an effective IT cybersecurity incident response strategy.
ISA offers security consulting and incident response strategy services that are designed to help organizations overcome the challenges with the implementation of security controls to efficiently and effectively mitigate risk. By understanding your organization’s current risk posture; a plan to reduce the risks associated with policy, process, and technology can be developed – essentially this is the basis of a strategic incident response plan. Cybersecurity incidents often begin with mobile devices, including social engineering via phishing emails, texts or phone calls. As a primary threat access point, it is important that mobile devices are included in cybersecurity incident response strategy.
Minimal incident response strategy
At the very least, as part of an incident response strategy IT should be logging, watching and alerting all mobile device use and the associated technologies that they run (like apps) whether IT performs these functions using standard mobile controls or via a mobile device management, an enterprise mobility management, or a unified endpoint management tool. Most mobile devices have multiple business assets stored on them (and sometimes these are the only copies of the assets) so backing up to a secure cloud service in case of mobile device failure, or loss, is also essential as part of the incident response strategy.
As your organization builds its cybersecurity incident response strategy to include mobile devices, any contractors, vendors or customer mobile devices that may access, store or process information on any of the business systems should as be included in the incident response strategy. When building out the incident response strategy, it is also vital that your organization, whenever possible, performs vulnerability and penetration testing on mobile devices. With more mobile devices being brought into the workplace, it is essential that a culture of cybersecurity and cyber accountability is created and that mobile devices are part of an organization’s cybersecurity incident response planning.