Despite screaming headlines about the growing vulnerabilities of mobile devices and promises to take the matter seriously, both individuals and corporations alike are still essentially walking around with their pants around their ankles.
Over the past two years, the use of mobile devices, particularly in the workplace, has exploded. And after years of apocalyptic predictions about the security risks surrounding mobile computing, hackers have at last brought their full arsenal of tricks to bear on exploiting these weaknesses.
This assault has inspired a growing wave of startups that target mobile security while rushing to develop a host of innovative solutions and strategies. Venture capitalists have taken note, and have been pouring money into the sector.
But all these breakthroughs are not having sufficient impact because users continue to fail when it comes to backing up their talk about security with action. Indeed, in many cases, people and companies are not taking the most basic, simple precautions to protect themselves, ones that security experts have been advising for years.
“It’s shocking how little is being done,” said Matt Montgomery, director of the Wireless Business Group at Verizon Wireless. “Even things that aren’t revolutionary, like changing your passwords. Companies are not even implementing policies that are well established.”
Montgomery was particularly discouraged following the release earlier this year of Verizon Wireless’ annual Mobile Security Index. In a survey of 600 mobility professionals, the report found that “approximately one-third of organizations have knowingly sacrificed security for expediency or business performance.”
The authors of the report could barely hide their shock: “Think about that. One in three organizations that we work with, buy from, turn to for healthcare, and that govern the communities in which we live, have put speed and profit before the safety of their data — and our data. And that’s just the ones that are aware and willing to admit it. The number could be significantly higher.”
In general, cybersecurity has moved into an almost perpetual state of crisis, no matter what the device or network or platform. As a result, IDC projected that the spending worldwide on digital security will increase from $83.5 billion in 2017 to $119.9 billion by 2021.
As hackers continue to run wild, the World Economic Forum has tried to raise the alarm by announcing in January at its annual summit in Davos that it was creating a Global Center for Cybersecurity. The WEF wants to convene meetings with security companies, regulators, elected officials, and coders to create a better international framework for security. The hope is that by creating a global approach, including assigning responsibility for breaches more clearly, it can bring a greater sense of urgency and new incentives for companies and governments to be more aggressive.
One of the WEF’s chief concerns is that the security terrain has shifted dramatically in recent years because mobile and the Internet of Things are radically extending and reshaping the architecture of corporate networks. They have increased what security professionals refer to as the “attack surface” — that is, the size and number of points where hackers can find a weakness and burrow their way in.
On top of that, as more and more data moves to the cloud, the value of information that can be stolen has soared. That has, in turn, given a greater economic rationale for well-funded crime rings and state-sponsored hacking operations to invest big bucks in targeting these digital treasure chests.
“Our mobile future makes this exponentially more complicated,” said Derek O’Halloran, head of the WEF’s Future of Digital Economy and Society program. “These new players are sticking connectivity in everything, and they have even less experience in thinking through the variety of different risks. But the greater the surface gets, and the more powerful an attack can become, the more interesting it is to nation states and criminals.”
This is hardly a secret to corporate executives, who readily acknowledge they are under siege. As such, 57 percent of organizations surveyed recently by Thales and research firm 451 said they would ramp up spending on mobile security in 2018.
In the Verizon report, 85 percent of executives said their businesses face a “moderate risk” from mobile security threats, including 26 percent who labeled it a “significant risk.” Meanwhile, 74 percent said their mobile risk had increased in the past year, and 73 percent said they expected it to continue increasing this year.
But when asked about four fundamental security precautions (change all default passwords, encrypt the transmission of sensitive data across open public networks, restrict which apps employees download from the internet to their mobile devices, regularly test security), the survey found that only 1 in 7 companies followed all four recommendations.
“There was an affirmation that as more and more businesses got on mobile, they need to be concerned about security,” Montgomery said. “Then as you read deeper, they’re not doing much about it.”
Part of the disconnect between words and deeds, says John Gunn, chief marketing officer at Chicago-based OneSpan (formerly known as Vasco), is tension between security and user experience. Gunn said that security for mobile continues to be a battle between securing devices and countering exploits while maintaining a smooth customer experience that won’t frustrate users and require onerous authentication procedures.
For customers of OneSpan’s financial security products, primarily banks and financial institutions, figuring out this puzzle has become increasingly urgent as consumers rapidly embrace mobile banking.
“We need to have security,” he said. “But if we start imposing on people, if you have to go through all these types of security, they’re likely to go to another bank.”
Banks, and indeed just about every type of business, are also in many ways trapped by the weaknesses of their customers and the evolving tactics of hackers. In some cases, hackers reverse-engineer a bank’s apps and trick users into downloading the tampered copies. In other cases, users download other apps carrying malware that can grab their banking or personal information when they log in.
In its own recent security report, OneSpan found that corporate leaders in the financial sector were feeling pretty grim about the situation. The survey found that “52 percent of respondents say today’s schemes are too sophisticated and evolve too quickly for them to keep pace.” They also generally felt their customers lacked “sufficient awareness to protect themselves from socially engineered fraud schemes, and fraudsters have too much valid customer information at their fingertips that enables them to easily get around controls to prevent account takeover and origination.”
“Every year, banking institutions are spending more and more stopping fraud,” Gunn said. “And every year, their losses go up. The solution has to be more holistic.”
Indeed, the human factor remains the weakest of all links, both in terms of employees and customers. Both remain remarkably naive and careless when it comes to securing their personal devices, whether they’re using them at home or work.
Russian security firm Kaspersky said it found twice as much ransomware on smartphones in the first half of 2017 as it did for all of 2016. Android tends to be the worst. According to CVE Details, which tracks security issues, Android vulnerabilities increased to 842 last year, up from just 12 in 2014. But iPhones are not immune: iOS vulnerabilities more than doubled in 2017 to 387.
“There’s a little bit of hubris in users and developers,” said Robert Arandjelovic, director of security strategy at Symantec. “There’s this feeling of invulnerability, that iOS and Apple are infallible. Apple is not infallible. It’s just not targeted as much.”
Across the board, this has created a boom for cybersecurity companies.
Prague-based security leader Avast, which recently IPO’d on the London Stock Exchange, is expecting mobile security to play a bigger role in its future. Looking down the road at things like the evolving smart home, the company is investing in solutions that will provide security in the network for devices like connected cameras and speakers because users can’t place security software on each device.
“Mobile is very important to us, both currently and in the future,” said Avast CEO Vince Steckler. “For us, mobile is north of 10 to 13 percent of our revenue. Of any of the traditional security companies, we have the largest mobile base. And that’s because of our focus on providing our solution through the carriers.”
But the situation has also created a frenzy around cybersecurity startups.
Funding for mobile-specific security startups is harder to separate out, given that such solutions may be part of a broader product definition. But for both startups and traditional security players like Symantec, mobile security is seen as a big growth opportunity. Just last year, Symantec bought two Israeli endpoint security firms for undisclosed sums: Fireglass and Skycure.
“If you look at the market overall, the mobile threat defense space is very small,” Arandjelovic said. “It’s a problem that people are late waking up to. But it’s perhaps one of the fastest, if not the fastest, segment of market growth. This is something people are really glomming onto now.”
Many of those startups are trying to develop innovative tactics, often adopting the philosophy that it’s impossible to stop attacks and defend a perimeter. Instead, they have embraced strategies like “deception,” which places fake apps on employees’ phones that will lock the device if they are accessed; or “isolation,” which segments a corporate network so if someone accesses an employee’s phone they can’t enter the full network; or services that scan the so-called “Dark Web” to alert people when their stolen data is being bought and sold.
In the case of Singapore-based CashShield, rather than trying to keep hackers out, the company uses artificial intelligence to look at customer accounts in large enterprises across a wide range of industries. Increasingly, hackers are seeking to seize control of these accounts and use them to do things such as make unauthorized purchases or wreak other types of havoc.
The service constantly monitors such accounts for unusual or suspicious behaviors and, if it detects abnormalities, alerts the company that someone may have gained access. CashShield CEO Justin Lie said that by using AI, it can constantly inspect the huge volume of accounts at a scale that would be impossible for companies relying primarily on human analysis. The company recently announced that it has raised a $20 million round to expand its service, which targets payment fraud and hijacked customer accounts.
“Most of the large enterprises are trying to create the perfect defense,” Lie said. “We try to prevent the stolen data from being monetized. If you can’t sell it, it decreases the incentive to break in.”