Warnings about phishing attacks are ubiquitous in enterprise cybersecurity awareness programs. Posters line government agency hallways warning users not to click strange links. Security teams include stories in agency newsletters warning of the risks associated with email messages from unknown senders. But unfortunately, experience consistently shows that these warnings simply aren’t effective enough, and that users will still click on links in phishing attack messages out of curiosity, ignorance or simple naivete.
But what does it mean for companies with scaling mobile environments that are transforming the way workflows are created, managed and executed?
In Verizon’s annual Data Breach Report released earlier this year, it’s clear that phishing attacks aren’t slowing down — in fact, they’re gaining traction — and that could spell trouble for enterprises focusing on a mobile-first or mobile-only environment.
What Is Phishing?
Put simply, phishing is the use of email messages to gain a user’s trust and then prompt an action, such as clicking a link that leads to a malicious site, harvests sensitive information such as passwords or credit card details, or even installs malware on the device being used.
The Verizon Data Breach Report found that email was still the top entry point for malware, with 96 percent of known attacks arriving via the inbox. Why is that so significant? Because mobile employees, whether in BYOD, CYOD, COPE or COBO environments, are at the very least receiving email on their smartphones or tablets.
Phishing Attacks Pose Danger to the Entire Company
Enterprise security teams have much to learn from this study. First, the security risk posed by phishing attacks is significant. One individual clicking a malicious link can single-handedly jeopardize the security of the entire organization. The results of this study show that the likelihood of a well-crafted message successfully generating clicks is very high. Users must understand the dangers posed by phishing and view every message they receive with caution. They must also understand that visiting malicious sites endangers the entire organization and may violate corporate security policy.
Phishing hasn’t become the one-stop shop for malice, though. In fact, the report shows some good news: 78 percent of employees didn’t click a single phishing email all year, while just 4 percent did. Unfortunately, it only takes one person clicking one link to open the floodgates, and according to the report, the recidivism rate is extremely high: people who fall for a phishing message once are very likely to fall for a follow-up scam.
Additionally, the “see something, say something” technique doesn’t cross over to those who’ve been phished or had phishing attempts land in their “unread” column. According to the report, just 17 percent of those who recognized a phishing scam flagged the situation to their IT administrators. Mobile supervisors and security professionals on the IT team can’t stop a problem they don’t know about.
Malware Matures on Mobile
There is a clear contrast, however, between desktop and mobile phishing. According to a recent report from Lookout, mobile phishing attacks increased 85 percent year over year between 2011 and 2016, and 56 percent of users tapped a phishing URL on their mobile device.
So why are attempts on mobile skyrocketing while attacks on ordinary desktop use are slowing? Because mobile devices — smartphones, tablets, wearables — are exactly that: mobile. Sitting inside company headquarters on a secured Wi-Fi network lets security controls work at their best. The moment the device’s user walks away and begins connecting to untrusted networks — rogue access points (such as a Wi-Fi Pineapple) posing as hotel Wi-Fi, inadvertent hotspot connections, etc. — many network-dependent mobile security features stop protecting the device.
That’s why a security protocol with baked-in, layered components that will protect the device regardless of connection is the first step in throwing those phish back into the water from which they came.
Samsung Knox provides a multilayered approach to mobile device security. Built into Samsung’s smartphones and tablets, Knox ensures that the integrity of the device cannot be undermined, with a secure vault for security certificates and encryption keys, and hardware-based security for remote access and wireless connections. These components deliver a trusted computing environment for enterprise data. The built-in Knox platform is complemented by a number of optional security products, including Knox Workspace, a containerization solution that allows IT to separate and secure enterprise data and applications on employees’ devices.
Even if a user clicks a malicious link, the attacker won’t be able to penetrate the secure zone and gain access to sensitive information. This multilayered approach helps to mitigate the risk of phishing attacks, in spite of employees’ almost uncontrollable urge to click those links.
Gaps in enterprise security can be devastating. Take our mobile security assessment to find out if your company is covered — and how you can stay ahead of the curve.