The word on the street for the past few years has been that insecurities in the mobile world would lead to hacking, cracking and the loss of all sorts of data, and the cost will be in the billions of dollars. The entire online world will be at stake if the problem is not aggressively confronted.
The Verizon 2015 Data Breach Investigations Report, released this week, delivered a meta-message on those fears: Never mind.
The report found, according to CNET, that Apple’s iOS is essentially not being attacked “[b]eyond a few retooled Android exploits.” Most Android exploits are based on adware which, the story points out, is more annoying than dangerous. More than 90 percent of malware aimed at the Android OS that was found had a life that was shorter than a month, and 80 percent lasted for a week.
The reason for the relative safety of the mobile world, according to Verizon, is that comparatively little valuable information is stored on mobile devices and there are simply better things to steal on wired networks:
Add it up and mobile just doesn’t carry the dollar signs or glory that the desktop does. One reason is that smartphones and tablets don’t have a lot of data on them and rely on corporate connections for valuable information. But the big reason is that cybercriminals have other easier targets to hit.
Darlene Storm begins her story on the Verizon report with something that is rare in the world of mobile security: humor. She writes that 90 percent of security incidents are caused by PEBKAC and ID1OT errors. The letters in the first stand for “problem exists between keyboard and chair” and, well, take another look at the second if you didn’t get the joke the first time around. Those are apparently old jokes in the mobile security game.
Storm got serious, though, and pointed out findings that suggest virtually all – 99.9 percent – of exploited vulnerabilities were based on exploits that were more than a year old. In other words, programs aimed at mobile security must encompass old vulnerabilities. The article also says that 97 percent of exploits seen in 2014 were caused by 10 common vulnerabilities and exposures (CVEs). Targeting efforts at these will go a long way toward securing the platforms.
Another issue related to the PEBKAC was also pointed out in another new study. Aruba Networks says that many people tend to extend collaboration too far and leave their devices vulnerable. These are often younger folks, and more than half of them disobey security orders in an effort to accomplish a task and about 20 percent don’t password-protect their devices.
The lion’s share of these people aren’t ID1OTs. They are simply deciding that security is not as important to them. Unfortunately, though, the data at stake doesn’t belong to them. This finding is indirectly contradictory to the Verizon data. One says everything is fine, the other that there is a significant segment of workers not protecting data. It also is worth remembering that most of the culprits found in the Aruba study are young and will be trusted with increasingly more valuable data as their careers progress. Hopefully, they will grow up in terms of mobile security as time passes.
The Verizon report should be met with a certain amount of skepticism. Painting a bright picture – perhaps a bit brighter than reality warrants – serves the purposes of a carrier that makes its money based on its network being used.
If it is assumed that the findings are accurate, the prudent course is not to scale back efforts but to continue securing networks and the products that ride over them as aggressively as has been done in the past. In other words, if what has been done during the past few years is working, it would be folly to stop. This includes efforts to convince employees to protect devices used for work and the valuable data on them.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at firstname.lastname@example.org and via twitter at @DailyMusicBrk.