The ubiquity of mobile devices leaves organizations open to new risks, new vulnerabilities and new threats. Mobile security best practices for the enterprise need to start with a comprehensive analysis of the risks—which can come from unexpected new directions.
The new Spectrum of Mobile Risk report from Lookout lays out how enterprises should approach risk assessment in the mobile world. Using the Mobile Risk Matrix, enterprise security leaders can easily assess the risks to the mobile apps, devices, networks and content within their enterprise—the vectors through which enterprise data can be exposed to risk.
Let’s take a closer look at some examples in the Spectrum of Mobile Risk.
Network-Based Risks
Network-based attacks are a real problem. Lookout found that almost 1% of enterprise devices encountered a network-based threat, such as a man-in-the-middle (MITM) attack, in the past year. That may not sound like a big number, but if you have more than 100 employees using devices, it means it’s likely that your company will be subject to a MITM attack.
App-Based Risks
Similarly, employees may install apps that access more information than they realize. In order to enable an app to function, app developers often ask for a wide range permissions on the device, accessing and sometimes transmitting data including photos, documents, contact lists and messages. Often, such access may not be compliant with the enterprise’s risk policies as it pertains to sensitive enterprise data.
Lookout has a unique view into the mobile ecosystem because of the over 100 million devices from which we are able to collect security data. Lookout has obtained and analyzed over 40 million unique mobile applications and acquires up to 90,000 apps every day.
Looking at this data, we determined that 30% of iOS devices used in the enterprise contain apps that have the ability to read contact information on the device. Seventy-five percent of apps have access to the camera, and 43 percent have access to Facebook. Data left unprotected in this way could cause headaches for internal security and compliance teams.
Device-Based Risks
Once an attacker compromises a device, he can get access to any app or other piece of data, encrypted or not. For example, an exploit such as the highly sophisticated, targeted threat Pegasus had device-level access and was able to see all activity on the infected phone and siphon off large quantities of valuable and sensitive information. Pegasus waited until the apps eventually decrypted data in order to display it to the end user.
Attackers who are able to compromise the device are also able to achieve much stealthier spying operations. Because malicious apps often do not have the same permissions as a device-level attack, they sometimes set off alerts on the phone when accessing the camera, microphone or other elements. With a device compromise, an attacker can silently manipulate the smartphone without any indication to the user that something is wrong.
Web- & Content-Based Risks
Phishing attacks are one of the main ways attackers are able gain entry into the enterprise. By coordinating any of the above vectors, an attacker could gain enough information to impersonate an employee and gain deeper access into a system. Phishing campaigns executed via SMS messages are an example of a web and content threat.
Using the Spectrum of Mobile Risk & Mobile Risk Matrix to Protect Your Business
The risks are real. So how can enterprises respond effectively? We recommend conducting a matrixed analysis of the risks your enterprise actually faces.
First, consider the Mobile Risk Matrix, specifically the threats, vulnerabilities and risky behaviors and configurations within each vector. These components of risk, matrixed with the threat vectors, allow you to conduct a more complete and nuanced analysis of your enterprise risk profile.
For example, Lookout analysis of anonymized customer data reveals that over the course of two quarters, 47-out-of-1,000 Android devices in the enterprise encountered app-based threats, or malicious apps that could steal data, take over devices or give access to attackers. That’s an app-based threat; if you allow employees to use Android devices and they have free rein to install apps, your organization needs to be aware of this risk and take steps to mitigate it.
In our next blog post, we’ll discuss how enterprises can address the Spectrum of Risk through a comprehensive approach using both mobile management and threat defense tools to find and remediate threats as they happen. For more information and additional details on each component of the matrix, download our free, one-page Mobile Risk Matrix.
As chief product officer at Lookout, Santosh Krishnan oversees all Lookout’s predictive security solutions that protect individuals and enterprises alike from mobile attacks. Santosh is responsible for the ongoing development of Lookout Mobile Endpoint Security, providing enterprises with comprehensive risk management across iOS and Android devices to protect against app, network and device-based threats while providing visibility and control over data leakage. With a background in both product management and venture capital innovation, he and his team focus on how to protect against current security threats, while creating security to better prepare for the future.
Lookout is a member of the VMware Mobile Security Alliance. Learn more:
- VMware Mobile Security Alliance FAQ
- Unify Threat Security with VMware Mobile Security Alliance & AirWatch
- Expanding the Mobile Security Alliance to Secure the Digital Workspace
