We recently looked back at our Predictions for Mobile in 2015 to see how they panned out for the year. Overall, we saw a marked shift toward understanding the complexities of how people and endpoint devices put data at risk. As a new year approaches, we expect that organizations will continue to face data security challenges with the endpoint as one of the greatest threats to corporate data.
The average employee makes use of at least three devices for work, which is on an upward trend, and these devices are more interconnected than ever before. Employees now expect to be able to do work on any of their devices at any time or place of their choosing, picking up work on one device that was started on another. Data is flowing through the cloud, through email, between apps and devices. With so many endpoints connecting to the corporate network, or accessing corporate data, organizations face the challenge of protecting vast numbers of access points that extend beyond the corporate network, with each device as a potential point of ingress for cyber criminals. Currently, as many as 36% of cyber security incidents can be tied back to attacks on mobile devices. Executives believe, and we agree, that the risks associated with malware and data breaches are likely to get worse because of BYOD and the increased use of the cloud, as the attack surface increases unchecked by security solutions.
When we say that the attack surface is growing, it’s not just about the data stored on each device. Although that data is put at risk if the device is lost, stolen or compromised through cyber attack, each device is more than the sum of its data. Devices that connect to the corporate network put security credentials at risk. Email archives and contact lists provide fodder for phishing schemes, which are the core of more cyber exploits used to gain exploitable credentials. Saved passwords, often shared between apps and possibly the network, directly compromise corporate network security. Attackers merely need to penetrate a device (through malware or theft) and continue their march toward the inside of the network.
Right now, many organizations overlook basic protections for mobile devices, whether it be password enforcement, multi-factor authentication, or access controls. A recent survey found that 23% of organizations don’t lock out mobile access after repeated failed sign-ons, for example, leaving organizations open to brute-force attacks. Given the growing number of security incidents originating on the endpoint, it’s time to prioritize the endpoint.
Shadow IT, the use of technology systems and solutions without the explicit approval of the organization, is on the rise. Employees and departments, keen to improve productivity, are actively embracing apps and technologies, without explicit approval. And it’s happening more than you know. In the UK, nearly 60% of employees are using devices for work that are entirely unmanaged by IT. In the US, 53% of organizations lack a formal BYOD policy, let alone processes and technologies to manage these devices. Shadow IT is not a new term; BYOD policies are simply one way to address the unsanctioned use of IT (Shadow IT). Shadow IT is not just about devices, either, but also how they are used. Currently, as much as 86% of cloud applications in use in organizations are unsanctioned; the driver behind cloud use is often to facilitate working across multiple devices. Shadow IT is growing rapidly, so increasing visibility is the key to shining the light on more devices and how they are being used.
It’s now recognized that people are the root cause of most data breaches, as many as 90% of all breaches in fact, either inadvertently or maliciously putting data at risk. With the growth in mobile and cloud use (which together multiply the risk of an expensive data breach), there are now more ways than ever that employees, vendors, or partners could inadvertently put corporate data at risk. It’s been shown that 70% of cyberattacks are not sophisticated, relying instead on a combination of phishing and hacking. The fact that phishing continues to be an ongoing issue demonstrates that people are the weakest link in corporate security.
Many organizations assume that as the younger Millennial generation becomes more visible in the workforce, many of these ‘people’ issues will go away. Unfortunately, it has been proven that these ‘digital natives’ are not necessarily tech savvy, and in fact may be more likely to choose the easy (and insecure) route to solving their problems.
One of the biggest shifts we've seen in the past year is the understanding that C-suite executive and Board member involvement in security planning can have one of the largest impacts on preventing data breaches as well as responding to them. Cyber risk is now being viewed as a business issue, and security leadership has been proven effective at translating awareness into security prevention. With the growth in endpoint security risks, we expect to see more organizations take on awareness campaigns on mobile data use.
While organizations are expanding their security beyond encryption and anti-virus software, security infrastructure has been evolving to embrace big data models that go beyond the single solution concept. Each of these deployed solutions generates critical data that can help organizations better understand the threats they face. Through security incident and event management (SIEM) integration, organizations can analyze large groups of data sets in a greater, holistic context. It will become increasingly necessary for organizations to leverage these advanced analytics in order to form a better understanding of attack origins and behaviour patterns.
In 2015, we saw more data breaches and larger data breaches than ever before, with more than 176 million records exposed. Rather than focusing on the overwhelming expansion of the attack surface thanks to mobility and the cloud, organizations that focus on a data-centric approach to data security will have the greatest effectiveness in protecting data. Defending against the threats to data in 2016, many of which revolve around “people” and increased mobility, requires a defense-in-depth strategy, one that involves layers of security, automated monitoring, rapid detection and containment procedures, coupled with effective top-down security awareness and policies.
We hope these predictions will prove helpful in your security planning. As with all trends, it’s important to perform regular risk assessments to identify and address the specific vulnerabilities of your organization.
Absolute Data & Device Security (DDS) allows organisations to persistently track and secure all of their endpoints within a single cloud-based console. Computers and ultra-portable devices such as netbooks, tablets, and smart phones can be remotely managed and secured to ensure—and most importantly prove—that endpoint IT compliance processes are properly implemented and enforced. As mobility continues to expand the attack surface, Absolute DDS provides a persistent endpoint security solution that can automatically alert IT, or immediately lock down data, if that data may be at risk.