Lost or missing devices are a fact of life for most organizations, yet many companies still fail to use whole-disk encryption. And then there’s the challenge of keeping all devices patched and updated.
According to MobileIron, 31% of devices were found to harbor known threats. That's almost unchanged since 2018.24
This year, our study looked at businesses of all sizes, from those with fewer than 100 mobile devices to companies with 10,000 or more. And all of them were worried about the same types of device threats, from lost devices to OS vulnerabilities.
Imagine your mobile phone suddenly displayed the message “no network"; what would you think? You’d probably roll your eyes and blame your provider. You might try shifting location, and when that fails, go for the dreaded restart. What if it still isn’t working? Would you suspect that somebody had hijacked your number and was now getting all your texts and calls? You might think that a bit of peace and quiet would be a nice change, but remember that those messages might include two-factor authentication texts and calls about resetting passwords.
SIM swapping involves an attacker researching the victim to gather personal details like their date of birth and address. They then call up the mobile phone provider, impersonating the victim, and ask to transfer the target phone number to one owned by the attacker.
It’s a growing threat. Based on the number of incidents reported to the FBI’s IC3 unit, the number of successful attacks has almost doubled year-on-year since 2016.25
Social engineering is real, and it works.
Many people think they won’t fall for social engineering, but it doesn’t always take place over email or the phone. You never know who might be watching you in public. Imagine you’re sitting on a train with your laptop and a coffee. The coffee cup has your name on it, and your company’s logo is visible on your desktop. With just those two pieces of information, a hacker sitting behind you could do a frightening amount of recon.
It only takes a quick search using those two bits of information for the hacker to find your LinkedIn page with a list of your colleagues and workplaces, past and present. Maybe it will also bring up an Instagram or Facebook page, or if not yours, then somebody else’s that mentions you— for example, in a caption: “Dave at the XYZ company Christmas party.”
The hacker won’t be interested in your family photos, but what about your contacts? Your grandmother’s surname is your mother’s maiden name. And what about your child’s birthday or the date of your wedding anniversary? These are often used to create “stronger” passwords.
The vast majority of attacks don’t depend on physical access to the device. But if attackers can get it, access opens up a lot of opportunities to do damage.
Even just a few minutes of physical access to a mobile device is enough to install something malicious, such as stalkerware. This is readily available on the internet and allows the attacker to eavesdrop on everything the victim does: emails and text messages they send and receive, photos they take, where they go. Attackers can even watch and listen to victims through the device's camera and microphone.
The office environment is normally seen as a safe zone, with laptops and other devices often left unattended. With many people working in open- plan offices and hot-desking, this provides lots of opportunities to insert something malevolent into a port. Stalkerware might also be used by an abusive partner or other individual. While poking into work files might not be the primary motive, it would likely be enough to break compliance rules.
Juice jacking is the use of modified USB ports—typically presented as free charging in public spaces—to install malware on a device.
IBM found that most travelers have connected their devices to a public USB port or charging station.26
Loss and theft
Everybody loses stuff, including expensive devices packed with valuable information. They leave devices in taxis, on trains, at restaurants—the list goes on and on. Some of these will end up in lost and found, others will find a new owner.
Some 83% of organizations said they are concerned about device loss/ theft, and 20% of those felt that their defenses were inadequate to deal with this threat—despite it being one of the easiest types of attack to prepare for and mitigate. Encryption and remote wipe are now standard with many common user devices, but that doesn’t mean that companies are using them.
These are basic precautions that don’t cost a dime but could prevent a device that falls into the wrong hands from leading to a compromise.
The volume and variety of connected devices is growing rapidly. Eighty-four percent of organizations said that IoT devices are crucial to their digital transformation. What are the risks of IoT, and how can your organization stay prepared? We explored the state of IoT device security.
Only 37% of companies in a VMware customer survey said they were using whole-disk encryption (WDE) on laptops.27
According to Symantec's latest data, 5% of enterprise devices don’t have encryption enabled, down from 11% the previous year.28
Two percent of corporate and 6% of all devices using Wandera's device management didn’t even have a lock screen enabled.29
Out-of-date operating system (OS)
It’s not just the major OS updates that matter. Threats are evolving all the time. Missing an update, even a minor one, can put mobile devices at greater risk. How many people can honestly say that they’ve never clicked “Remind me later” when asked to update? Can you?
There are several factors driving the lag between OS updates being released and users installing them. First, device replacement cycles are growing. Just a few years ago, people were queuing around the block to upgrade to the latest iPhone. But devices are now extremely advanced and innovations less dramatic—typically, most new features are software and hardware updates focused on improvements to cameras. With fewer “must have” advancements many owners are prepared to hold on to their devices longer.
Second, many software updates aren’t that compelling for users. Often, they only bring minor changes to functionality.Since users know they’re not going to experience much of a difference, they may think the hassle of upgrading isn’t worth it and delay it as long as they can.
There are many other reasons that updates are sometimes delayed, including device settings. For example, many devices have a setting to wait until the user is connected to a Wi-Fi network to execute updates over a set size, and most OS updates are quite big.
But many companies aren’t taking advantage of the update policies that are built into their managed Android devices. According to IBM data, almost half (49%) of enterprise devices are being used without any managed update policy— the decision to update is being left up to employees. Just 21% of these devices are set to immediately install system updates—see chart the below.
24 Based on aggregated usage data, MobileIron, January 2019 to September 2019
25 High-Impact Ransomware Attacks Threaten U.S. Businesses And Organizations, FBI, 2019, https://www.ic3.gov/media/2019/191002.aspx
26 Travel Cybersecurity Study, based on online interviews with 2,201 U.S. adults weighted to approximate a target sample based on age, race/ethnicity and gender, IBM and Morning Consult, May 2019, https://www.ibm.com/downloads/cas/ZP95XZ6O
27 VMware customer research, 2019
28 Based on analysis of Symantec Endpoint Protection users, Symantec, January 2019 to December 2019
29 Analysis of common configuration vulnerabilities in production enterprise mobile devices, Wandera Threat Research, November 2019 to October 2019
30 X-Force Threat Intelligence Index, IBM, 2018, https://www.ibm.com/downloads/cas/MKJOL3DG
31 Data supplied by Wandera, November 2019
32 Data supplied by Wandera, November 2019
Services and/or features are not available in all countries/locations, and may be procured from in-country providers in select countries. We continue to expand our service availability around the world. Please consult your Verizon representative for service availability. Contact us.