Lest you think this is all much ado about nothing, in 2017, Verizon found that weak or stolen passwords were to blame for more than 80% of hacking-related breaches in businesses. From a mobile device in particular — where workers want to sign in quickly to apps, sites, and services — think about the risk to your organization's data if even just one person is sloppily typing in the same password they use for a company account into a prompt on a random retail site, chat app or message forum. Now combine that risk with the aforementioned risk of WiFi interference, multiple it by the total number of employees in your workplace, and think about the layers of likely exposure points that are rapidly adding up.
Perhaps most vexing of all, most people seem completely oblivious to their oversights in this area. In the Google and Harris Poll survey, 69% of respondents gave themselves an "A" or "B" at effectively protecting their online accounts, despite subsequent answers that indicated otherwise. Clearly, you can't trust a user's own risk assessment.
6. Mobile ad fraud
Mobile advertising generates mountains of dollars — a total that's likely to top $117 billion in 2021, even with pandemic-related slowdowns in spending, according to a recent projection by eMarketer. Cybercriminals follow the money, so it’s probably no surprise they’ve found ways to siphon cash from mobile ad revenue streams. Estimates on how much ad fraud costs vary, but Juniper Research projects a $100 billion loss per year by 2023.
Ad fraud can take several forms, but the most common is using malware to generate clicks on ads that appear to be from a real user using a legitimate app or website. So, for example, a user might download an app that offers a valid-seeming service like weather forecasting or messaging. In the background, though, that app generates fraudulent clicks on regular ads that appear. Publishers are typically paid by the number of ad clicks they generate, so mobile ad fraud steals from companies’ advertising budgets and can deprive publishers of revenue.
While advertisers and publishers may be the most obvious victims, though, ad fraud can harm mobile users, too. Ad fraud malware runs in the background and can slow a smartphone’s performance, drain its battery, lead to higher data charges, and cause overheating. Based on its own tracking data, security vendor Upstream estimates that smartphone users (or the companies paying the bills for their devices) lose millions of dollars each year as a direct result of higher data charges caused from mobile ad malware.
Android is by far the most popular platform for these types of problems, with devices on that operating system some 5.3 times more likely to have a vulnerable app installed than phones running iOS, according to Wandera. That doesn't mean the impact is inevitable.
As with so many things in the realm of mobile security, a little common sense goes a long way. Aside from maintaining policies that allow users to download apps only from a platform's official app store, employee education can emphasize basics like looking over an app's reviews along with its requested permissions and developer history to make sure everything about it seems kosher before installing it. From an IT perspective, monitoring data usage for unusual spikes can also help detect potential issues early on.
7. Cryptojacking attacks
Cryptojacking is a type of attack where someone uses a device to mine for cryptocurrency without the owner's knowledge. If all that sounds like a lot of technical mumbo-jumbo, just know this: Much like mobile ad fraud, the cryptomining process uses your company's devices for someone else's gain. It leans heavily on your technology to do its bidding — which means affected phones will probably experience poor battery life and could even suffer from damage due to overheating components.
While cryptojacking originated on the desktop, it saw a surge on mobile from late 2017 through the early part of 2018. Unwanted cryptocurrency mining made up a third of all attacks in the first half of 2018, according to a Skybox Security analysis, with a 70% increase in prominence during that time compared to the previous half-year period. Mobile-specific cryptojacking attacks absolutely exploded in the fall of 2017, when the number of mobile devices affected saw a 287% surge, according to a Wandera report.
Since then, things have cooled off somewhat, especially in the mobile domain — a move aided largely by the banning of cryptocurrency mining apps from both Apple's iOS App Store and the Android-associated Google Play Store a couple years ago. Still, security firms note that attacks continue to see some level of success via mobile websites (or even just rogue ads on mobile websites) and apps downloaded via unofficial third-party markets.
According to Verizon, cryptocurrency-related attacks are now accounting for about 2.5% of malware-related problems in the enterprise, with about 10% of companies reporting related security issues. Verizon speculates that the actual rate of incidents is higher, as many such attacks are not reported.
For now, there's no great answer — aside from selecting devices carefully and sticking with a policy that requires users to download apps only from a platform's official storefront, where the potential for cryptojacking code is markedly reduced.
8. Physical device breaches
Last but not least is something that seems especially silly but remains a disturbingly realistic threat: A lost or unattended device can be a major security risk, especially if it doesn't have a strong PIN or password and full data encryption.
For perspective, in a 2016 Ponemon study, 35% of professionals indicated their work devices had no mandated measures in place to secure accessible corporate data. Worse yet, nearly half of those surveyed said they had no password, PIN or biometric security guarding their devices — and about two-thirds said they didn't use encryption. Sixty-eight percent of respondents indicated they sometimes shared passwords across personal and work accounts accessed via their mobile devices.
Things have improved since then, by most measures. In its 2020 mobile threat landscape analysis, Wandera noted that 3% of devices used for work still had their lock screens disabled. Even more troubling, the risk of other threats was found to be significantly higher on devices where the virtual front gate wasn't properly secured. As we've thoroughly established, it takes only a small number of individual-user vulnerabilities to create a massive corporate headache.
The take-home message is simple: Leaving the responsibility in users' hands isn't enough. Don't make assumptions; make policies. You'll thank yourself later.