Some call it "feedback." Some call it "the postmortem." Everyone knows what it is — that time at the end of a project or period where you take input, review performance, and ultimately improve your plans for next time. And, if we're going to do a postmortem of 2016 and data security, the answer is pretty obvious: Mobile device security needs a whole lot of work.
Not only have we seen the sharp growth of new hacks and vulnerabilities (some still without resolution), but surveys reveal deficiencies in mobile strategies across American industries. A Tech Pro Research survey of cybersecurity threats reported that 45% of respondents viewed mobile devices as the primary weak spot of their business security. Combine that with the continued proliferation of mobile activities – ComScore has 68% of people currently spending their "digital time" on mobile devices – and we have a whole warehouse's worth of powder kegs, waiting to go off.
So: Let's take a deep breath, and look at the year in review. It may not be pretty, but it can sure teach us a lot...and help us prepare for round 2 in 2017.
A Year of Hacks: 2016
Look, no one here has the time to go through every data breach in 2016. Frankly, there were just too many – even if we narrowed it down to only the major companies. Instead, let's put things in perspective by talking about the vulnerabilities discovered in the past year. First we had Quadrooter, which was actually 4 key flaws out of 36 total vulnerabilities found on Qualcomm chips for Android devices – allowing hackers to access protected data with carefully crafted malware. Then we had the "zero-day" problems with iPhones, where a trio of vulnerabilities called Trident was combined into devious malware called Pegasus, which has been used for things like state-sponsored hacking, much to Apple's dismay.
Let's also not forget Rowhammer, which attacks specific hardware in LG, Samsung, and Motorola phones to bypass permissions – a vulnerability with no clear solution that has already been used to gain root access to phones, including those with ARM chips. Speaking of hardware, it looks like today's advanced pacemakers can be hacked and controlled remotely, a problem currently embroiled in a tangle of lawsuits.
We even found out that incredibly popular apps like Pokemon Go (which are doubtless installed on BYOD devices around the world right now) have iPhone vulnerabilities that – accidentally, it seems – allow access to all sent and recent emails, all Google Drive documents, all search histories, private photos, and much more. Fun stuff!
Time for Good News
These vulnerabilities have not gone unnoticed. 2016 may have been harsh – and cost companies a lot of cash in data breach disasters – but now mobile device manufacturers and companies across the globe are aware that their phones just aren't safe. Egos have been crushed, respect has been lost, security strategies have fallen apart...and we've all learned incredibly valuable lessons. Now it's time to apply those lessons to 2017 and usher in a new age of mobile security the right way.
We'll also point out that, despite fears raised by vulnerabilities, additional Tech Pro Research data has shown that only 12% of companies have been struck by a security breach. That's not great, but those numbers could look a lot worse. In other words, we've got time to prepare.
Our Mobile Recommendations for 2017
- Specify BYOD: The time for being vague about your BYOD policy is over. No hand-waving or procrastination allowed here – lay out your BYOD policy in concrete terms, create firm guidelines, and create a plan to enforce them. Allocate whatever resources you need.
- Educate employees: Employees can help keep your company data safe, but only if they want to and know how to do it. That means robust security education for all employees, tailored to their positions if necessary. You need to communicate why vulnerabilities are dangerous, and how everyday mobile activities can open up a path to data breaches. Meanwhile, lay off policies that interfere with private data.
- Develop an EMM (Enterprise Mobility Management) strategy: Build a full EMM strategy that integrates your security across all devices. It covers access, applications, education, storage, and more. If you want to prevent surprises, a wide-net strategy like this is your best option.
The EMM Solution for the Future
Speaking of EMM, let's dig deeper. A July 2016 report from Secure Group showed that one of the biggest reasons mobile devices are hacked is because of user behavior — people either lose their phones, get phones stolen, or completely ignore security activities like updating apps and the OS (even when told to do so).
We can't exactly stop human error: No one's written the code for that yet. Employee training can only do so much. But what we can do is pull back from weak points, and that means entrusting less data to mobile storage. Security solutions like MDM frequently rely too much on the device itself and drastic measures like remote wiping — which only work if employees report the loss in time, and if no one has turned off device Wi-Fi. It's not a great strategy, because it doesn't remove the inherent problem.
We prefer an EMM solution like Avast VMP that moves data into a virtualized environment instead. Virtualization helps solve this little EMM pitfall by entrusting less (or no) data to physical storage on mobile devices. Instead, data is kept on servers and only accessed by phones when necessary. You can learn more about how this solution works here.
2016 showed us that mobile security is...challenging, to put it lightly. It also showed us that companies aren't ready to meet that challenge — at least, not yet.
Our goal for 2017 should be to normalize robust, effective mobile security so that it becomes an accepted part of the budget, strategy, attitude and discussion. And considering how many vulnerabilities were discovered in 2016, sooner would be better than later.