SPECIAL REPORT / The explosion in smartphone use is leaving businesses vulnerable to cyberattacks since almost half of their employees' mobile phones can become a target, according to new research.
The 2012 Cyber Security Risk Report – published by Hewlett-Packard at the recent RSA security conference in San Francisco – found that mobile phone vulnerabilities rose significantly (68%) from 2011 to 2012, mirroring the growth of mobile applications and the use of smartphones.
Of the mobile applications tested by HP, 48% were found to be vulnerable to unauthorised access.
The European Council and Parliament are to consider a Commission-proposed cybersecurity strategy in the coming months. In January, the EU opened a cybercrime centre as part of a broader strategy to encourage electronic commerce.
The HP report backed up other recent studies in finding that security risks faced by businesses and governments of all sizes are complicated and increasing and that anonymous “hacktivism” is on the rise.
The findings on mobile phone risks were most pronounced, however, reflecting growing concern on the issue, evident at the Mobile World Congress in Barcelona – the largest telecommunications sector conference – which took place last week.
Risk will rise as hyper-connection increases
“With the recent reports of attacks on Microsoft, Apple, Facebook and the New York Times, it further demonstrates that everyone is a target. Mobile devices have become a lucrative asset to hackers due to BYOD [‘Bring your own device’] unmanaged security,” said Itzhak Avraham, chief executive of the Israeli tech security company Zimperium.
“It is estimated that 81% of employees now use at least one mobile device for their work-related tasks. This trend exposes enterprises to a host of security risks which can’t be ignored, yet most organisations have not even begun to address these risks,” Avraham explained.
Mobile malware jumped 185% last year, according to the report, exposing enterprises to mounting security risks to their networks and data.
“If even one infected mobile device connects to your enterprise network, it could jeopardise the security of the entire network and all data. You could end up compromising the network, leading perhaps to drastic network failures and, worse, loss of confidential and proprietary data,” Avraham added.
US financial companies disrupted
The risk of attackers seeking entry to corporate networks through their employees' devices is likely to increase sharply as cities become increasingly connected and ‘big data’ becomes more widely used through the use of off-site storage, or cloud computing.
Arthur Coviello, head of strategy with US network and computer security company RSA, said all threats can be reduced to one of three things: intrusions on security, attempts to destroy a piece of critical infrastructure, and disruptions. He said that disruptions are on the rise.
“In the last several months, the financial services community in the US has been under assault in distributed ‘denial of services’ attacks, and I think this is just the first wave in disruptive attacks,” said Coviello.
“As we create the internet of things, then it is going to be more facile to do attacks against critical infrastructure. When everything physical is tied back to the internet this is a very disturbing development,” Coviello told delegates at the San Francisco conference last week.
“Criminals will also look at ways to generate revenue from features only mobile devices have,” according to the latest Mobile security report from antivirus manufacturer McAfee.
Mobile payments pose new risks
One obvious example is mobile payments, a fast-growing sector.
At the Mobile World Congress in Barcelona, two key partnerships were announced in the mobile payments sector, pushing the issue to the forefront of industry strategy and suggesting such payments will become more prevalent over the coming months.
South Korean electronics giant Samsung announced an agreement that will see it introduce Visa’s payment technology on its next generation of handsets, and Canadian handset maker BlackBerry announced its instant-messaging service, BBM, will have person-to-person payments added to its capabilities in a pilot.
“We anticipate more fraud-oriented malware in 2013. One likely innovative content swindle will abuse the tap-and-pay near field communications [NFC] technology used in mobile payment programs, or ‘digital wallets’,” according to the McAfee report.
“When the newly infected device is used to ‘tap and pay’ for the next purchase, the scammer collects the details of the wallet account and secretly reuses these credentials to steal from the wallet,” it explained.
Fears about phones reflect European report
A report by the European Network and Information Security Agency (ENISA) published in January also said that cyberattackers are set to target smartphones and social media increasingly over the next year.
The ENISA Threat Landscape report provides an overview of risks, together with current and emerging trends, based on analysis of over 120 recent reports by the security industry, standardisation bodies and other institutions.
The report identified emerging threats for the next year, and claimed that mobile phones will come under increased risk, since communications over them are often less secure than conventional computer systems.
According to a recent Eurobarometer, Europeans remain very concerned about cyber security. 89% of internet users avoid disclosing personal information online, and 12% have already experienced online fraud.
The EU’s new European Cybercrime Centre (EC3), based in The Hague, opened in January 2013.
It will facilitate research and development, ensure capacity building among law enforcement, judges and prosecutors and will produce threat assessments, including trend analyses, forecasts and early warnings.
The Commission simultaneously launched an EU-wide cybersecurity strategy, which aims to establish cross-border cybersecurity rules and practices, and coordinated attack response.
- 2013: Council and Parliament to consider Commission's proposed cybersecurity strategy