Security of Mobile Devices and IoT Has Been Disappointing


Posted on by Robert Ackerman

Change has long been constant in the cybersecurity arena, mostly for the better, but two developments have been a sizable headache for security—mobile computing and the Internet of Things. These technologies have made life better for individuals and companies but would be better still—much better, in fact—if their security were up to snuff.

 

Most adults in the world have a smartphone, often used for work as well as leisure, and they are constantly downloading apps and software that often isn’t secure or trustworthy. Theft of usernames and passwords for entry into bank accounts, for instance, is widespread.

 

Also in the mix are text messages, which may seem perfectly normal but could easily be from someone with malicious intent. There are even cases in which companies with bring your own device (BYOD) policies have stumbled on the security front, even though companies often provide data management software for installation on approved devices. Some employees don’t follow procedures, however, and, not infrequently, company-approved devices are lost or stolen and then penetrated by a cybercriminal.

 

Couple all this with the fact that smartphone users are overwhelmingly inclined to use their phones mostly outside the protected corporate network, and the results, predictably, are often devastating. Cybersecurity researchers at Proofpoint, for example, recently said they detected a 500 percent increase in attempted mobile malware attacks in the first few months of 2022.

 

Not to be outdone in security woes is the IoT, which empowers an enormous array of devices, including mechanical as well as digital machines, to connect with the Internet without human participation. The IoT is said to be still undergoing its “adolescence,” which means that cybersecurity isn’t deemed a priority. Most IoT devices provide minimal protection because security updates are scarce, and the devices are often accompanied by minimal firmware.

 

As an illustration, consider, for instance, a smart home. A garage door opener might have the added functionality of deactivating the home alarm upon entry—a convenience for homeowners entering their homes in a hurry. At this juncture, however, the entire active system could potentially be deactivated if the garage door opener is compromised. The point is that a broad range of connectable home devices, including TVs, home thermostats, door locks, and home alarms, create connection points for hackers to gain entry into an IoT ecosystem.

 

Again, the result is predictable. According to SAM Seamless Network, an Israeli network security company, more than one billion IoT attacks took place in 2021, up from 639 million in 2020. The situation is expected to continue worsening, despite a global semiconductor shortage. IOT Analytics, an IoT marketing expert, forecasts that the number of active endpoints will grow to about 27 billion in 2025, more than double the number in 2021.

 

To improve the situation, companies must change their ways, and a few are starting to do so. In many large organizations, the approach to cyber risk may differ by region, product, or business group. IoT is starting to force companies to reassess the current decentralized approach because it connects enterprises and their operations in unexpected ways; however, safeguarding the IoT is also complicated by IoT participation by third parties.

 

As a result, some leaders have begun implementing a broader cyber risk model, thereby raising standards for cyber risk enterprise-wide. If successful, the belief is that it could anticipate and prevent IoT-related cyberthreats before they take hold. 

 

For now, at least, more corporate leaders are focusing on AI-based and machine learning technologies to better process the vast amounts of data coming from monitoring security systems, including limited IoT security systems, to detect performance patterns that may signal a cyberattack.

 

To this end, here are some tips:

 

+ Determine where you will get AI tools. Some companies build their own automation, but more opt for using an AI vendor.

 

+ Choose an AI vendor wisely. Look at AI roadmaps and determine which is best for your company. Would you prefer to see more raw data, for instance, or more machine-learning-driven models providing more analysis and less data?

 

+ Ensure that your solution is adding value. Companies should continuously re-evaluate the effectiveness of third-party automation vendors. If the results aren’t compelling, business leaders should shop for another vendor.

 

Meanwhile, in the mobile phone world, tips to mitigate cyber breaches are also useful and simpler. Here are some of them:

 

+ Insist that employees who use a mobile device for work create strong passwords and a system to follow through on them. Weak passwords remain a persistent problem and contribute to most data breaches. Make sure employees use different passwords for different accounts.

 

+ Consider employing biometrics. Some companies think biometrics is more effective than traditional security methods. In biometric authentication, computer users use measurable biological characteristics, such as fingerprint or face recognition, for identification and access. Multiple biometric authentication models are now available on smartphones.

 

+ Beware of apps. Instruct employees about the need to sidestep suspicious apps outright, with the help of employer input.

 

+ Avoid public Wi-Fi. Educate employees about the dangers of using public Wi-Fi networks. These are vulnerable to hacker attacks. Use of all open Wi-Fi networks should be banned, regardless of convenience.


Contributors
Robert Ackerman

Founder/Managing Director, AllegisCyber, AllegisCyber Capital

Mobile & IoT Security

data security data loss prevention mobile security Internet of Things mobile device security

Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.


Share With Your Community

Related Blogs