Mobile Devices at Work: The Attack Surface Expands As Remote Workers Grow
Mobile Device & Web Browser Threats - 2021
The increased use of mobile devices, driven by the massive move to work-from-home models as the world continues to adapt and respond to the global pandemic, has led to an uptick in mobile security threats.
CIOs, CISOs and their IT teams must be more diligent than ever to protect enterprise infrastructure, assets, applications, and data as increasingly sophisticated cyber criminals continue to take advantage of the moment.
Last year, we saw phishing attacks skyrocket as more people worked remotely, and did so on their smartphones, tablets, and laptops, all outside the traditional corporate security perimeter.
The most common vector for attack, phishing is designed to enable bad actors to gain access to an employee’s credentials so they can attack the organization’s infrastructure by posing as that “approved” user.
CyberEdge 2020 reported, based on its study of security incidents, that some ninety percent of attacks were caused by successful phishing through the browser. Web threat isolation is a critical part of a robust Zero Trust mobile security posture, because cloud-based isolation obviates the idea of trust entirely.
The approach is simple and strong. Instead of establishing a trusted connection between the host and the Internet, the trust is between the Internet and the virtualized container (for example, DefensX’s remote browser isolation for mobile), which can be terminated or limited at will by the IT team, including the ability to place phishing sites into read-only mode to prevent credential theft.
Phishing sites frequently evade mobile web and email filters because of the inability of secure gateways to detect new phishing websites or categorize them properly. By isolating everything, end-users and their IT teams never have to worry about trying to anticipate the thousands of daily threats.
Moreover, phishing attacks are not conducted only through email campaigns. Traditionally, SMS, iMessage, WhatsApp and similar messaging apps are heavily used to deliver lures to potential targets. Using smartphones for business makes it easier to click on a phishing link or visit a high-risk website. Any solution that does not cover mobile devices will certainly fall short in personal or enterprise security.
Zero Trust, Zero Touch
Organizations, including small and medium businesses, large global enterprises, government agencies, educational and healthcare institutions and others, are moving rapidly to the Zero Trust model, where the network is always assumed to be dangerous. Zero Trust approaches also assume that threats can be inside or outside the network, that no individual should be automatically trusted, that every device should be authenticated and authorized, and that dynamic policies and multiple data streams should be used. If Zero Trust is too complicated or expensive, it will fail. Zero Touch brings software automation to the challenge, especially in the growing realm of mobile web and browser isolation.
Zero Trust, which has been evolving over the last decade, builds a foundation of practices that guide security professionals on how to secure a network that allows users to connect from everywhere.
Isolation is the latest advancement in the Zero Trust sphere, addressing phishing and other mobile device and browser-based web application risks. There are many technical approaches, with most requiring large upfront capital expense, IT staff training, end-user training and other complexities and related costs. A more flexibly implemented Internet isolation, available as a service via the cloud, accelerates the movement away from a traditional, centralized, perimeter-focused security model and is a pillar of a true Zero Trust architecture.
The fact is, using traditional methods to try to protect data from loss, leak, theft, and sabotage no longer fits into the “work from anywhere” mobile-first world. When life was simpler, CIOs, CISOs, IT teams and service providers identified sensitive data, classified that data, and set policies and rules to block access to that data and critical infrastructure. Data loss prevention software has been in place for the last few decades, but in a world where the number of devices and the amount of data have exponentially expanded, security leaders and teams cannot possibly know where all sensitive data lives, including in storage on third-party services driven by the “shadow IT” trend (business units or individuals, for example, using Slack instead of “mandated” productivity applications employees like less).
The switch here is fundamental: not every piece of data can be accounted for and protected, because collaboration and productivity today are in the hands of the end users and people outside the organization (consultants, partners, contractors and even customers). Accepting this generational shift, in which people wish to get work done in different ways, is the first step to solving the modern mobile conundrum.
While conventional data security is intended to stop data threats and mitigate risks, traditional approaches lead to data vulnerabilities by providing a false sense of data security. With work-from-everywhere on the rise, individuals will continue to use the tools they want to get work done, keeping the collaboration environment in a constant state of change.
2020 put an unprecedented strain on IT, operations, and security teams. Overnight, they were forced to accommodate work-from-everywhere, including the migration of tens of thousands of contact center agents, for example. These often “hidden heroes” of the pandemic response were suddenly on the hook to manage data risk beyond the perimeter and do it at scale.
How did they manage the shift? Successful transformations were rooted in the use of mobile devices, cloud, collaboration, speed, flexibility, and simplicity. These teams tackled new malicious apps, spyware, risks associated with public Wi-Fi, lack of end-to-end encryption, lost or stolen devices and the widely reported massive phishing attacks now happening outside the traditional, physical perimeter.
Securing mobile devices in 2020 had to go way beyond simple virus protection software, and continuing to support workers while protecting valuable data and infrastructure continues to influence digital transformation investments and initiatives. Web threat isolation for mobile devices is the simplest way to defend against threat risk.