Convenience of mobile computing comes at a security cost
Companies can mitigate risk, increase protection with cyber insurance coverage
By Rodika Tollefson, ThirdCertainty
Companies and consumers are certain to plunge deeper into mobile computing in 2016, exposing themselves to a Pandora’s box of unprecedented security and privacy risks.
Meanwhile, a profound tempering force—the rise of cybersecurity insurance—will gain significant traction.
That’s the consensus of a group of security and privacy thought leaders interviewed by ThirdCertainty. Here is their assessment of how these intensifying developments will converge in the new year:
The human factor
Company decision-makers have their heads in the sand with regard to security and privacy risks arising from the rapid adoption of smartphones and tablets in every aspect of work and home life. A recent IDology survey found that only 12 percent of the respondents—senior executives from across many industries—felt prepared to detect and prevent mobile fraud. And that number hasn’t changed for the past two years.
“The ease of conducting transactions and doing commerce on mobile devices is pushing more and more transactions in that direction,” says John Dancu, CEO of IDology. And where the general populace goes, opportunistic cyber criminals are sure to follow.
Almost two-thirds of American adults now use a smartphone, up from about a third of adults four years ago, according to the Pew Research Center. McAfee Labs predicts that by 2020, there will be 6.9 billion smartphone connections, compared to 3.3 billion in 2015.
Smartphones are all about convenience and functionality. By cramming more of both into the latest devices, device makers and the phone companies are creating more attack vectors for cyber criminals to exploit.
And as the bad guys do so, this should put pressure on the commercial sector to do something about it, says Geoff Webb, vice president at authentication security firm NetIQ. “Those two things are always in contention,” Webb says.
The technology factor
Smartphones and tablets are not tied to a fixed location. Plus, they come in a wide variety of customizable form factors, each model bristling with the latest sensor and data collection capabilities.
These cool characteristics make them significantly more complicated than desktop PCs to protect, says Bill Anderson, chief product officer at OptioLabs, a mobile security vendor.
Consider that Anderson’s main mission, when he was cutting his teeth developing security features for Blackberry two decades ago, was to lock down smartphone email. Now smartphones have become as powerful as PCs.
“Every generation of smartphones added more and more capabilities,” along with new potential for exploits, Anderson observes.
Keeping mobile devices updated with security patches is complex. “The infrastructure isn’t designed or capable of reacting quickly to threats,” Anderson says.
The recent Stagefright exploit is a case in point. Stagefright exposed 950 million Android phones to corrupted video messages carrying malicious code. Google pushed out a patch quickly. Yet Anderson estimates that only about half of the phones have been patched so far.
It takes time to create, test and deploy security patches for multiple operating systems on myriad handset models. And then the carriers—Verizon, AT&T, T-Mobile and Sprint in the United States and others internationally—don’t exactly relish their part in the process.
“The carriers are unwilling to distribute it too often because they’re big patches that require a lot of bandwidth,” he says.
The discovery of fresh security flaws in mobile operating systems, and the subsequent patching exercise, is following the same trajectory as what happened with desktop computing.
So it’s safe to say there will be no shortage of freshly discovered mobile OS security flaws going forward. In a recent analysis of 7 million mobile apps on Android and iOS platforms, FireEye found a 188 percent increase in vulnerabilities since 2011 for Android and 262 percent for iOS.
“The phone is a mass pocket consumer platform,” Anderson says, “and, unfortunately, it is very easy to trick consumers.”
The exposure redoubles when employees take their mobile devices away from work premises and connect them to networks outside a company’s perimeter defenses. The devices can more easily become infected, and subsequently give an intruder access to a corporate network once the device returns inside the perimeter.
“It’s a very fluid situation, and it opens all kinds of creative avenues for fraud,” Anderson says.
Meanwhile, the bad guys aren’t holding back. The IDology survey discusses thriving mobile-based attacks and fraud schemes such as:
• Porting. Use of a call center to “port” ownership of a device to steal passwords.
• ANI spoofing. Launching a scam by making a call that seems to come from a victim’s phone number.
• SMS intercept. Intercepting SMS text messages to disrupt authentication and transaction confirmation as part of hijacking online accounts.
Observes Webb: “The problem is becoming more and more difficult to deal with because we’re interacting remotely with more and more organizations.”
To be sure, tech security vendors are hustling to give companies innovative technical solutions. Gartner research director Lawrence Pingree calculates global spending on security hardware and software will continue growing at a robust 9 percent a year clip, topping $99.2 billion by 2018.
A good chunk of that spending will go directly toward locking down mobile computing. A lot of work is being done, for instance, to create more robust online credentials, such as fingerprint readers and other biometrics, says Lance Cottrell, chief scientist of Ntrepid Corp.’s Passages security consulting arm.
However, Cottrell notes “there’s a lot of inertia to overcome, a huge amount of infrastructure built around the common ways to do things.” It could be another 10 to 20 years before secure means of identification are in place, he says. And that won’t happen without creating other problems.
“The bad actors are not restricted to only attacking in one way—so if you make that path more difficult, they’re going to move to the next easiest thing,” Cottrell says.
This omnipresent, constantly shifting threat gives impetus to the insurance industry’s efforts to bring to market affordable cyber liability policies. Indeed, organizations globally are on track to spend $7.5 billion on cyber insurance premiums by 2020, tripling the $2.5 billion spent in 2014, according to PricewaterhouseCoopers.
As technical solutions and insurance coverage converge, company decision-makers will have more and better options to implement risk mitigation strategies to fit the mobile computing landscape.
“Companies are looking to mitigate the risks by insuring … and insurance companies are looking at how to measure security in quantitative ways,” Cottrell says, adding that this is driving a lot of new research.
Cottrell, for one, believes the insurance industry could “force companies to implement solutions that really work, rather than being compliance-based.”