There is no question that mobile devices are mainstream access and productivity tools for most enterprise users. Indeed, in some organizations, smartphones surpass traditional PCs as the preferred way to access back-end corporate applications such as ERP, SFA and CRM. In fact, no major enterprise application vendor offers a PC-only-based solution anymore. Companies like IBM, Oracle, SAP, VMware, Microsoft, Citrix and Salesforce have ported most of their functionality for access with mobile clients. But as much as mobile has become a mainstream productivity tool, it also has a darker side – it’s now become a primary vector for security breaches.
How significant a security threat is mobile? The 2019 Verizon Mobile Security Index showed an increase from 27 percent in 2017 to 33 percent in 2019 in reported mobile incidents. However, it’s highly likely that the number of security incidents is even greater, given the lack of full visibility many organizations have when it comes to security breaches and how they infiltrated the company.
Various studies have shown that security breaches can take from three to six months or more to be discovered in many organizations, with the ensuing time being used by bad actors to inflict continuous harm.
Endpoint security breaches were once the exclusive domain of the PC, but not so anymore. Although many of the high-profile attacks against organizations (e.g., ransomware) have been committed against PCs, Lookout Mobile found that 48 percent of sophisticated cyber actors identified in the past year had tools for both PC and mobile exploitation. And in the 2018 Cost of a Data Breach Study by Ponemon Institute, the average cost of a data breach in the United States was $3.86 million, with a cost of $148 per lost record (e.g., personally identifiable information like name, address, email, passwords, Social Security number, etc.).
There are many mobile attack vectors, from malicious downloaded apps, to lost devices without data encryption and/or password protection, to data interception on unsecured networks. Indeed, the last vector, data interception, is a serious problem for anyone using a public connection, for example a public Wi-Fi access point in a coffee shop or hotel. The degree of difficulty for a man-in-the-middle attack where the Wi-Fi access point traffic is diverted to a rogue device and all data inspected/intercepted is pretty small, especially in the vast majority of Wi-Fi networks that are still on older (e.g., 802.11g, 802.11n) technology.
While convenient and often free, these access points are a significant exposure for sensitive data users. In fact, some companies with very sensitive data such as in highly regulated industries have banned users from accessing public Wi-Fi networks due to this risk. And while newer versions like 802.11ac and Wi-Fi 6 add many security features and make it much more secure to connect, there are still few 802.11ac or Wi-Fi 6 equipped public access points and I expect it to be at least several years before much of this equipment is upgraded.
Connectivity over the cellular network is still a relatively small percentage of enterprise mobile connectivity from a PC, but most smartphones rely on cellular for connectivity. Early versions of the cellular network were prone to interception. With 2G it was possible to intercept the audio from phone calls that was transmitted in the clear over the radio network by simply listening to the radio signal.
With 3G, calls went to digital signals and were encrypted, but many of the control signals that were associated with the network interacting with the devices were sent in the clear. These could still be intercepted and/or modified.
4G LTE fixed that issue, as it encrypts both the data (voice or digital data) and the signaling between the device and the network as well as implementing stronger encryption and mutual device and network authentication to prevent rogue interception and/or diversion. While it’s hard to determine an exact number, I estimate that 4G cellular is many times more secure than the old versions of public Wi-Fi that companies may still have installed and that employees still use regularly in public places.
5G improves on the security models inherent in the previous networks. 5G requires that all signaling traffic be encrypted and use advanced encryption algorithms and secure keys, to prevent interception and/or modifications. 5G also includes a secure identity management capability that can verify both the device and the network to each other, to prevent cloning of devices and rogue network connections/interceptions. This also adds a layer of privacy that has advanced from previous versions of cellular systems.
5G also adds a condition that network equipment implements security requirements through its design and lifecycle. And, finally, due to an improved network core that’s built on network function virtualization (NFV), the network itself is less susceptible to cyber attacks and infiltrations.
Mobile users will automatically gain the inherent security benefits of the modern cellular network, assuming they don’t connect via the Wi-Fi capability built into most smartphones. But many companies are hesitant to let PC users equip their machines with cellular modems due to the perceived high costs of a data plan. Yet with so many data breaches occurring, particularly over public networks, is the cost per user really that burdensome given the vastly increased security available from the modern cellular networks? Further, the cost of a data plan from most network operators has dropped substantially over the past two to three years, and many companies are now able to include them in their traditional cellular contract negotiations for smartphone connectivity.
Bottom line: Organizations should not shy away from allowing widespread use of mobile devices as they provide clear advantages. But they must be fully protected and secured against the growing number of malicious attacks from bad actors.
Modern smartphone access can cause dramatic information leakage and security breaches that just two or three years ago would have been unheard of. Companies should be wary of allowing any device, whether smartphone or PC, to connect over commonly available and easily compromised public Wi-Fi networks.
Companies would be much better served to equip all devices (including PCs) with cellular connectivity to avoid a major attack vector and protect against a very costly data breach. Finally, 5G will significantly enhance security and limit data breaches for most endpoints, including both smartphones and PCs (and other endpoints as needed).