Mobile Security Report

FROM THE EDITORS AT CYBERSECURITY VENTURES

2017 EDITION

The Mobile Security Report — sponsored by Snoopwall — provides chief information security officers (CISOs) and IT security teams with market statistics and trends in the mobile security industry.

THOUGHT LEADERSHIP

Cybersecurity Ventures predicts Wi-Fi and mobile devices will account for nearly 80 percent of IP traffic by 2025

BYOD and mobile apps will pose a major security threat to the enterprise over the next 8 years.

Kacy Zurkus

Menlo Park, Calif. – May 4, 2017

Mobile devices in the workplace are the proverbial Pandora’s box that has been cast wide open. There is no turning back from BYOD, but accessing corporate data from mobile devices poses threats to the enterprise and has security practitioners searching for ways to mitigate the risks inherent in mobile security.

Looking ahead, it’s clear that mobile security threats will continue to evolve. According to John Stewart, senior vice president, chief security and trust officer, Cisco, “Digital traffic continues to increase as we sprint into the Zettabyte Era, with global annual totals projected to triple in three years. By 2020, wireless and mobile device traffic will account for two-thirds of total global IP traffic.”

DATA POINTS

Insightful wireless and mobile statistics from Cisco and Cybersecurity Ventures covering the ten-year period from 2015 to 2025:

  • Cybersecurity Ventures predicts that smartphones will account for more than 55 percent of total IP traffic in 2025.
  • Cybersecurity Ventures predicts Wi-Fi and mobile devices will account for nearly 80 percent of IP traffic by 2025.

The predictions by Cybersecurity Ventures are based on synthesized research from numerous sources around future Wi-Fi device and mobile phone shipment estimates, Wi-Fi device and mobile phone data and technology usage, and other Wi-Fi and mobile statistics, resulting in composite view estimates for 2025.

MOBILE TRENDS

The biggest trend in mobile security is dealing with the BYOD challenge. “People bring their own devices to work and want to use those devices on corporate or government networks,” said Gary Miliefsky, CEO, SnoopWall.

Given that the majority of consumers have no idea what mobile device hygiene means, employees are putting their organizations at risk. The challenge for security teams has become making employees happy while also securing the enterprise.

In a report published by Forrester Research, “Navigating the Future of Mobile Security,” Stephanie Balaouras, vice president, research director and Andras Cser, vice president, principal analyst wrote, “The single most important ingredient in making employees happy is being able to get things done that they feel are important — and mobile plays a key role.”

Balaouras and Cser found that, “Just like customers, employees have expectations for their mobile experience. They are no longer willing to wait around for S&R (security and risk) leaders to provision them with the mobile devices, apps, and access they need to do their jobs effectively.” One of the most challenging trends in mobile security, however, is that employees don’t fully understand the risks inherent in mobile devices.

Because malware nowadays is virtually undetectable, according to Miliefsky, most devices are exploited by adware, creepware, or malware. “There are four exploit vectors that run in the background all the time. People want to listen to music, use their phones as alarm clocks, run the emoji keyboards, and run a flashlight app.”

The lack of security in mobile apps, combined with the access privileges that they are granted in the privacy agreements, is one reason why mobile is so risky.

The advent of free apps is what Miliefsky called a dirty little secret. “Apps used to cost money. Developers sat in a room and got paid for something. Once they realized that collecting keystrokes and accessing contact lists for marketing purposes was more lucrative, though, apps started to make a lot more money by spying on customers.”

Phones have become creepware devices in people’s pockets, and they are bringing those to work, Miliefsky said.

There is a growing range of creepware, and developers use apps to monetize people with their permission. “They collect data off devices, which makes the consumer angle the first problem. They are leveraging the fact that people are going to be lazy,” Miliefsky said.

When consumers are lazy, their own PII (personally identifiable information) is exploited, but it’s not just consumer information that people are accessing on their mobile devices. Balaouras and Cser wrote, “Many employees access sensitive content such as customer information, nonpublic financial data, intellectual property, and corporate strategy materials from their mobile devices.”

The phone or tablet then becomes the back door. “The real issue,” said Miliefsky, “is employees are coming and going. I can lock down the network, and then along come employees with Trojan horses on their mobile devices.”

In order to address the challenges in mobile security, security teams need to educate employees about mobile hygiene. They are tasked with enabling the shift toward more mobile initiatives in a way that also addresses mobile security risks.

Major corporations are talking about putting tablets on Wi-Fi to enhance the customer experience, but they need to keep in mind that records can be stolen over wireless and most apps are written for convenience. Security is an afterthought, if it is considered at all.

Even the trusted apps are potential viruses because of the data they collect, so practitioners will need to approach mobile security in a different way. “The privacy of data is sacrosanct, so they need to think about sandboxing, where only good apps can run and geo-fencing, hardening and locking everything down during work hours or while on premise,” said Miliefsky.

The lack of security in mobile applications makes the employee’s phone or the customer designed tablet a security threat, but Balaouras and Cser wrote, “In December 2016, cybercriminals accessed the sensitive data of 34,000 patients of Quest Diagnostics via the firm’s mobile health app.”

“When it comes to customer-facing applications, security teams have no purview to install anything on their device — they have to build security into the application itself,” wrote Balaouras and Cser.

The lack of mobile application security, coupled with the rise in fake mobile applications that have appeared in both the Apple and Android app stores, said Miliefsky, means that security teams have to look for next-gen mobile device security.

Agility is key to overcoming the challenges that security practitioners will face in mobile security. Exploring solutions to mobile threats in a way that enables productivity while enhancing security across devices will increase the organization’s overall security posture.

“The refocusing of cyber threats from PCs and laptops to smartphones and mobile devices is requiring CISOs and IT security teams to develop more expertise and spend more time on mobile security,” said Steve Morgan, founder and Editor-In-Chief at Cybersecurity Ventures. “The IP traffic statistics suggest this trend will continue through 2025, and we believe mobile security will become one of the biggest challenges and spend areas through that time period.”

Kacy Zurkus is a freelance writer for Cybersecurity Ventures and has contributed to several other publications. She covers a range of cybersecurity and cybercrime topics.

© 2016-2017 Cybersecurity Ventures. All rights reserved. Federal copyright law prohibits unauthorized reproduction of this Report by any means and imposes fines up to $150,000 for violations. Reproduction in whole or in part in any form or medium without expressed written permission of Cybersecurity Ventures is prohibited.