How to secure mobile devices in a Zero Trust world: A guide
- 86% of enterprises are seeing mobile threats growing the fastest this year, outpacing other threat types
- 48% say they’ve sacrificed security to “get the job done” up from 32% last year
- 41% of those affected say the compromise is having major with lasting repercussions and 43% said that their efforts to remediate the attacks were “difficult and expensive"
Bottom line: The majority of enterprises, 67%, are the least confident in the security of their mobile assets than any other device or platform today according to Verizon’s Mobile Security Index 2019.
Why mobile devices are the fastest growing threat surface today
Verizon found that 86% of enterprises see an upswing in the number, scale, and scope of mobile breach attempts in 2019. When broken out by industry, Financial Services, Professional Services, and Education are the most commonly targeted industries as the graphic below shows:
The threat surfaces every organisation needs to protect is exponentially increasing today based on the combination of employee- and company-owned mobile devices. 41% of enterprises rate mobile devices as their most vulnerable threat surface this year:
Passwords and mobile devices have become a hacker’s paradise
“The only people who love usernames and passwords are hackers,” said Alex Simons, corporate vice president at Microsoft’s identity division in a recent Wall Street Journal article, Username and Password Hell: Why the Internet Can’t Keep You Logged In. Verizon found that mobile devices are the most vulnerable, fastest-growing threat surface there is, making it a favorite with state-sponsored and organised crime syndicates. How rapidly mobile devices are proliferating in enterprises today frequently outpace their ability to secure them, falling back on legacy Privileged Access Management (PAM) approaches that hacking syndicates know how to get around easily using compromised passwords and privileged access credentials. Here’s proof of how much of a lucrative paradise it is for hackers to target passwords and mobile devices first:
- With just a single set of legitimate Office 365 access credentials, hackers can initiate spear phishing attacks from within the organisation, stealing valuable customer data and initiating illegal wire transfers: Microsoft is the most phished brands in the world, due to the global popularity of Office 365. Just a single set of access credentials obtained can lead to hackers extracting a financial payback via wire transfers, gift cards, ransoms, and more
- 42% of financial services companies suffered a compromise that involved a mobile device this year, with 87% classifying the event as “major": Verizon found financial services companies are the most likely to be hacked on mobile devices, with 58% of the breach attempts being major with lasting repercussions
- Hackers' favourite way to gain access to any business is by using privileged access credentials, which are increasingly being harvested from cellphones using malware: Hacking organisations would rather walk in the front door of any organisations’ systems rather than expend the time and effort to hack in. It’s by far the most popular approach with hackers, with 74% of IT decision makers whose organisations have been breached in the past say it involved privileged access credential abuse according to a recent Centrify survey, Privileged Access Management in the Modern Threatscape.
Only 48% of the organisations have a password vault, and just 21% have multi-factor authentication (MFA) implemented for privileged administrative access. The Verizon study found that malware is the most common strategy hackers use to gain access to corporate networks. MobileIron’s Global Threat Report, mid-year 2018 found that 3.5% of Android devices are harboring known malware. Of these malicious apps, over 80% had access to internal networks and were scanning nearby ports. This suggests that the malware was part of a larger attack
Securing mobile devices in a Zero Trust world needs to happen now
Mobile devices are an integral part of everyone’s identity today. They are also the fastest growing threat surface for every business – making identities the new security perimeter. Passwords are proving to be problematic in scaling fast enough to protect these threat surfaces, as credential abuse is skyrocketing today. They’re perennial best-sellers on the Dark Web, where buyers and sellers negotiate in bitcoin for companies’ logins and passwords – often with specific financial firms, called out by name in “credentials wanted” ads.
Organisations are waking up to the value of taking a Zero Trust approach to securing their businesses, which is a great start. Passwords are still the most widely relied-on security mechanism – and continue to be the weakest link in today’s enterprise security. That needs to change. According to the Wall Street Journal, the World Wide Web Consortium has recently ratified a standard called WebAuthN, which allows websites to authenticate users with biometric information, or physical objects like security keys, and skip passwords altogether.
MobileIron is also taking a unique approach to this challenge by introducing zero sign-on (ZSO), built on the company’s unified endpoint management (UEM) platform and powered by the MobileIron Access solution. “By making mobile devices your identity, we create a world free from the constant pains of password recovery and the threat of data breaches due to easily compromised credentials,” wrote Simon Biddiscombe, MobileIron’s President and Chief Executive Officer in his recent blog post, Single sign-on is still one sign-on too many. Simon’s latest post MobileIron: We’re making history by making passwords history, provides the company’s vision going forward with ZSO. Zero sign-on eliminates passwords as the primary method for user authentication, unlike single sign-on, which still requires at least one username and password. MobileIron paved the way for a zero sign-on enterprise with its Access product in 2017, which enabled zero sign-on to cloud services on managed devices.
Mobile devices are the most quickly proliferating threat surface there are today and an integral part of everyone’s identities as well. Thwarting the many breach attempts attempted daily over mobile devices and across all threat surfaces needs to start with a solid Zero Trust framework. MobileIron’s introduction of zero sign-on (ZSO) eliminates passwords as the method for user authentication, replacing single sign-on, which still requires at least one username and password. ZSO is exactly what enterprises need to secure the proliferating number of mobile devices they rely on to operate and grow in a Zero Trust world.
Interested in hearing industry leaders discuss subjects like this and sharing their use-cases? Attend the co-located IoT Tech Expo, Blockchain Expo, AI & Big Data Expo and Cyber Security & Cloud Expo World Series with upcoming events in Silicon Valley, London and Amsterdam and explore the future of enterprise technology.
- » The CIO's role is moving to customer obsession - but many lack the tools to do it
- » Myth-busting mobile in the enterprise: Combining speed with sustainability in device rollout
- » How machine learning is helping to stop security breaches with threat analytics
- » Myth-busting mobile in the enterprise: The price of mobile lifecycle management
- » The changing role of the CIO: Evolution and embracing agile management