Grasping the mobile attack surface continues to be a challenge for today’s enterprise security practitioners. As the number of devices in the enterprise continues to soar, the attack plane widens and new threats spread and propagate almost daily, so CISOs must be hyper-aware of their perimeter’s most vulnerable points.
Often, those are the network’s endpoints. Beyond mobile devices – both bring your own device (BYOD) and corporate-issued ones – the internet of things (IoT) is also expanding, which means the electronics, smart devices and appliances connected to the network are multiplying. The resulting threat of distributed denial of service (DDoS) attacks is more of a reality, as is the ease with which an employee can be duped by a phishing scam (with one quick email link or instant message).
Phishing remains one of the toughest obstacles for today’s CISO, and the method continues to catalyze larger breach attempts.
The Cyber Security Hub’s January Market Report on Mobile Security, entitled “Patch Your Gaps: Identifying Mobile Security’s Challenges,” dives deep into the concept of phishing as it relates to mobile devices within the enterprise.
Phishing campaigns are a mobile mainstay: they capitalize on human gullibility and, once a foothold is established, can inflict serious damage on the endpoints they land on.
In contributing to the report, ESG Global Research Senior Analyst Doug Cahill compared phishing scams to seeing the same movie over and over, for years on end. “Adversaries typically prey on human gullibility – on users that operate endpoint devices,” he said.
Cahill said that, despite the continued onslaught of phishing campaigns on users’ inboxes – right at their mobile keypads – there are many variants. He called phishing a “cross-channel” or “multi-vector” attack.
Cahill cited IM phishing as a particularly destructive type of cyber duplicity. Instead of planting malware, IM scams aim to steal credentials by duping users into revealing them. Despite strong email filters and other defenses, phishing remains an internal headache.
So, where are these efforts being focused? According to a new study from KnowBe4, small insurance companies have the highest percentage of phish-prone employees in the small to midsize organization category, while not-for-profit organizations are the most susceptible among large enterprises. The study draws from 6 million users across 11,000 organizations.
Despite these targeted operations, there has been a drop in “careless clicking” – to just 13%, at 90 days after initial training and simulated phishing. Then, 12 months after phishing and computer-based training (CBT), that number decreased to 2%.
The numbers are encouraging in that they point to clearer communication within the enterprise – across departments and within the boardroom, too. Yet 91% of successful breaches start with a spear phishing attack, according to the same study. So, while careless-clicking rates have improved, phishing continues to be an enterprise-wide blight that could result in the exposure of sensitive data records or financial information.
There are other ways to further reduce mobile risk, said Denver Health CISO Randall Frietzsche, including limiting access, determining which endpoints should be admitted onto the network, and even containerizing apps so that potentially rogue third-party ones cannot root themselves on devices.