Convenience of mobile computing comes at a security cost

Companies can mitigate risk, increase protection with cyber insurance coverage

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

Com­pa­nies and con­sumers are cer­tain to plunge deep­er into mobile com­put­ing in 2016, expos­ing them­selves to a Pandora’s box of unprece­dent­ed secu­ri­ty and pri­va­cy risks.

Mean­while, a pro­found tem­per­ing force—the rise of cyber­se­cu­ri­ty insur­ance—will gain sig­nif­i­cant traction.

Relat­ed: Explor­ing the Next Phase of the Cyber Insur­ance ®evo­lu­tion

That’s the con­sen­sus of a group of secu­ri­ty and pri­va­cy thought lead­ers inter­viewed by Third­Cer­tain­ty. Here is their assess­ment of how these inten­si­fy­ing devel­op­ments will con­verge in the new year:

The human factor 

Com­pa­ny deci­sion-mak­ers have their head in the sand with regard to secu­ri­ty and pri­va­cy risks aris­ing from the rapid adop­tion of smart­phones and tablets in every aspect of work and home life. A recent IDol­o­gy sur­vey found that only 12 per­cent of the respondents—senior exec­u­tives from across many industries—felt pre­pared to detect and pre­vent mobile fraud. And that num­ber hasn’t changed for the past two years.

The ease of con­duct­ing trans­ac­tions and doing com­merce on mobile devices is push­ing more and more trans­ac­tions in that direc­tion,” says John Dan­cu, CEO of IDol­o­gy. And where the gen­er­al pop­u­lace goes, oppor­tunis­tic cyber crim­i­nals are sure to follow.

Almost two-thirds of Amer­i­can adults now use a smart­phone, up from about a third of adults four years ago, accord­ing to the Pew Research Cen­ter. McAfee Labs pre­dicts that by 2020, there will be 6.9 bil­lion smart­phone con­nec­tions, com­pared to 3.3 bil­lion in 2015.

Relat­ed sto­ry and video: As mobile bank­ing explodes, finan­cial insti­tu­tions beef up app

Smart­phones are all about con­ve­nience and func­tion­al­i­ty. By cram­ming more of both into the lat­est devices, device mak­ers and the phone com­pa­nies are cre­at­ing more attack vec­tors for cyber crim­i­nals to exploit.

And as the bad guys do so, this should put pres­sure on the com­mer­cial sec­tor to do some­thing about it, says Geoff Webb, vice pres­i­dent at authen­ti­ca­tion secu­ri­ty firm NetIQ. “Those two things are always in con­tention,” Webb says.

The tech­nol­o­gy factor

Smart­phones and tablets are not tied to a fixed loca­tion. Plus, they come in a wide vari­ety of cus­tomiz­able form fac­tors, each mod­el bristling with the lat­est sen­sor and data col­lec­tion capabilities.

These cool char­ac­ter­is­tics make them sig­nif­i­cant­ly more com­pli­cat­ed than desk­top PCs to pro­tect, says Bill Ander­son, chief prod­uct offi­cer Opti­o­Labs, a mobile secu­ri­ty vendor.

Con­sid­er that Anderson’s main mis­sion, when he was cut­ting his teeth devel­op­ing secu­ri­ty fea­tures for Black­ber­ry two decades ago, was to lock down smart­phone email. Now smart­phones have become as pow­er­ful as PCs.

Every gen­er­a­tion of smart­phones added more and more capa­bil­i­ties,” along with new poten­tial for exploits, Ander­son observes.

Keep­ing mobile devices updat­ed with secu­ri­ty patch­es is com­plex. “The infra­struc­ture isn’t designed or capa­ble of react­ing quick­ly to threats,” Ander­son says.

The recent Stage­fright exploit is a case in point. Stage­fright exposed 950 mil­lion Android phones to cor­rupt­ed video mes­sages car­ry­ing mali­cious codes. Google pushed out a patch quick­ly. Yet Ander­son esti­mates that only about half of the phones have been patched so far.

It takes time to cre­ate, test and deploy secu­ri­ty patch­es for mul­ti­ple oper­at­ing sys­tems on myr­i­ad hand­set mod­els. And then the carriers—Verizon, AT&T, T-Mobile and Sprint in the Unit­ed States and oth­ers internationally—don’t exact­ly rel­ish their part in the process.

The car­ri­ers are unwill­ing to dis­trib­ute it too often because they’re big patch­es that require a lot of band­width,” he says.

Crim­i­nal forces

The dis­cov­ery of fresh secu­ri­ty flaws in mobile oper­at­ing sys­tems, and the sub­se­quent patch­ing exer­cise, is fol­low­ing the same tra­jec­to­ry as what hap­pened with desk­top computing.

So it’s safe to say, there will be no short­age of fresh­ly dis­cov­ered mobile OS secu­ri­ty flaws going for­ward. In a recent analy­sis of 7 mil­lion mobile apps on Android and iOS plat­forms, Fire­Eye found a 188 per­cent increase in vul­ner­a­bil­i­ties since 2011 for Android and 262 per­cent for iOS.

The phone is a mass pock­et con­sumer plat­form,” Ander­son says, “and, unfor­tu­nate­ly, it is very easy to trick consumers.”

The expo­sure redou­bles when employ­ees take their mobile devices away from work premis­es and con­nect them to net­works out­side a company’s perime­ter defens­es. The devices can more eas­i­ly become infect­ed, and sub­se­quent­ly give an intrud­er access to a cor­po­rate net­work once the device returns inside the perimeter.

It’s a very flu­id sit­u­a­tion, and it opens all kinds of cre­ative avenues for fraud,” Ander­son says.

Mean­while, the bad guys aren’t hold­ing back. The IDol­o­gy sur­vey dis­cuss­es thriv­ing mobile-based attacks and fraud schemes such as:

• Port­ing. Use of a call cen­ter to “port” own­er­ship of a device to steal passwords.

ANI spoof­ing. Launch­ing a scam by mak­ing a call that seems to come from a victim’s phone number.

SMS inter­cept. Inter­cept­ing SMS text mes­sages to dis­rupt authen­ti­ca­tion and trans­ac­tion con­fir­ma­tion as part of hijack­ing online accounts.

Observes Webb: “The prob­lem is becom­ing more and more dif­fi­cult to deal with because we’re inter­act­ing remote­ly with more and more organizations.”

Con­verg­ing solutions

To be sure, tech secu­ri­ty ven­dors are hus­tling to give com­pa­nies inno­v­a­tive tech­ni­cal solu­tions. Gart­ner research direc­tor Lawrence Pin­gree cal­cu­lates glob­al spend­ing on secu­ri­ty hard­ware and soft­ware will con­tin­ue grow­ing at a robust 9 per­cent a year clip, top­ping $99.2 bil­lion by 2018.

A good chunk of that spend­ing will go direct­ly toward lock­ing down mobile com­put­ing. A lot of work is being done, for instance, to cre­ate more robust online cre­den­tials, such as fin­ger­print read­ers and oth­er bio­met­rics, says Lance Cot­trell, chief sci­en­tist of Ntre­pid Corp.’s Pas­sages secu­ri­ty con­sult­ing arm.

How­ev­er, Cot­trell notes “there’s a lot of iner­tia to over­come, a huge amount of infra­struc­ture built around the com­mon ways to do things.” It could be anoth­er 10 to 20 years before secure means of iden­ti­fi­ca­tion are in place, he says. And that won’t hap­pen with­out cre­at­ing oth­er problems.

The bad actors are not restrict­ed to only attack­ing in one way—so if you make that path more dif­fi­cult, they’re going to move to the next eas­i­est thing,” Cot­trell says.

This omnipresent, con­stant­ly shift­ing threat gives impe­tus to the insur­ance industry’s efforts to bring to mar­ket afford­able cyber lia­bil­i­ty poli­cies. Indeed, orga­ni­za­tions glob­al­ly are on track to spend $7.5 bil­lion on cyber insur­ance pre­mi­ums by 2020, tripling the $2.5 bil­lion spent in 2014, accord­ing to PricewaterhouseCoopers.

As tech­ni­cal solu­tions and insur­ance cov­er­age con­verge, com­pa­ny deci­sion-mak­ers will have more and bet­ter options to imple­ment risk mit­i­ga­tion strate­gies to fit the mobile com­put­ing landscape.

Com­pa­nies are look­ing to mit­i­gate the risks by insur­ing … and insur­ance com­pa­nies are look­ing at how to mea­sure secu­ri­ty in quan­ti­ta­tive ways,” Cot­trell says, adding that this is dri­ving a lot of new research.

Cot­trell, for one, believes the insur­ance indus­try could “force com­pa­nies to imple­ment solu­tions that real­ly work, rather than being compliance-based.”

More sto­ries on mobile com­put­ing and security:
Pri­va­cy fight looms over Ver­i­zon, AT&T track­ing of cell phone users
Mobile pay­ments get eas­i­er, but secu­ri­ty ques­tions remain
Face­book, Yahoo ease-of-use apps may open new secu­ri­ty holes