Will The Next TalkTalk Breach Start On Mobile?

While data breaches continue to take over the headlines, what is often missing are the details on how attackers gained access into the organisation in the first place. Sometimes it’s fairly straightforward, such as the DDoS attack on TalkTalk. However, we don’t actually hear about most breaches because if customer data wasn’t compromised, companies aren’t mandated to share their stories. Forensics on data breaches can be murky at best, with companies unable to trace the root cause or unwilling to publicly share the details on where and how it all went sideways.

One area where businesses are expressing a particular concern is mobile. These devices know everything, have access to everything and seem to be everywhere, making them yet another targeted channel for a breach. We see evidence of this today: Security professionals say a mobile device was likely the root of a data breach in their organisation, according to a new survey of security experts conducted by the Ponemon Institute and Lookout.

Why is mobile a target for a broader cyber attack?

Consider the nature of mobile, which has many ‘attractive’ vectors that are easier to exploit than its PC counterpart. One example relies on the fact that mobile devices, even when corporate owned, are typically personal. As a result, users often have personal email on their devices and are more willing to connect to links or open attachments that they would not on their corporate PC. Phishing can come through a number of avenues on mobile. One is the classic email, another is through SMS messages, and the last is through apps made to look like well-known brands, but that instead trick people into giving over their information.

Here are further examples of mobile app-based risks:

What are the best practices for organisations using a lot of mobile devices?

Mobile isn’t just the future – it’s already here. Having the ability to do business on the go is becoming essential to productivity as well as employee satisfaction and retention.

Traditional approaches to mobile security have locked down devices instead of enabling productivity. When addressing mobile security, I urge companies to embrace the consumerisation of IT and avoid hampering the user experience.

If an organisation is already using a large number of mobile devices, then they’ve probably already figured out that a successful mobile security program delivers a consumer like user experience, embraces the mobile ecosystem (new apps and new ways of working) and enables flexibility. In addition, I always advocate for a defence and depth strategy:

1. Ensure devices are protected from malicious attack
2. Where possible, maintain device configuration using mobile device management
3. Provide connectivity through a segmented network dedicated to mobile devices.

The old approach to security doesn’t work anymore, and there isn’t a simple box which can sit on a server rack and protect the company. Security needs a technologically layered approach and involvement from top to bottom, with C-level leaders and education for employees. Organisations need to act now, ensuring they have visibility and protection, before it’s too late.

Gert-Jan Schenk is VP of Lookout EMEA

What do you know about Internet security? Find out with our quiz!