The latest iPass Mobile Security Report has been published. According to the responses, the biggest risk to enterprise security is the C-Suite, especially CEOs. They are key targets for hackers both inside and outside the office. There is also increasing concern over the use of public Wi-Fi, with coffee shops now regarded as the most dangerous Wi-Fi locations. Unfortunately, the report also shows that concern is not always matched with action.
Commenting on the report Raghu Konka, vice president of engineering at iPass said: “The grim reality is that C-level executives are by far at the greatest risk of being hacked outside of the office. They are not your typical 9-5 office worker. They often work long hours, are rarely confined to the office, and have unrestricted access to the most sensitive company data imaginable.
“They represent a dangerous combination of being both highly valuable and highly available, therefore a prime target for any hacker. Cafés and coffee shops are everywhere and offer both convenience and comfort for mobile workers, who flock to these venues for the free high speed internet as much as for the coffee. However, cafés invariably have lax security standards, meaning that anyone using these networks will be potentially vulnerable.”
iPass sees mobile security threats on the rise
Unsurprisingly the iPass report focused on the risks from mobile device security. On average 47% were very concerned with 46% being somewhat concerned by the threat mobile devices represent. Dig deeper into the numbers and some very interesting stats turn up. When looking at those who are most concerned the US (58%) tops the list. Meanwhile, the UK (60%) is somewhat concerned showing that either the UK doesn’t see the rise as being that high or IT teams believe they have it under control.
When it comes to the riskiest locations to use devices cafés and coffee shops (42%) come out top with airports (30%) next highest. Surprisingly hotels (16%) were a long way behind in third. The risk of public unprotected Wi-Fi in cafés and coffee shops has been an issue for some time. Despite this, too many people still use devices without any form of security at all. The fact that airports are rated above hotels is a surprise. What is not clear is whether this is about airport lounges where users do a lot of work or airports overall.
It takes very little effort to set up a “free” Wi-Fi router at all these locations. Once it is set up, users will quickly connect to it. This allows a range of attacks and credential threats to take place. Hotspot spoofing concerns were highest in Germany (67%). These attacks make it possible to then launch other attacks such as man-in-the-middle, where the hacker captures all the data that flows from the user device to the Internet and back.
Surprisingly after years of security warnings the lack of encryption was the second highest concern. Another worry was insecure and unpatched mobile devices. While US (69%) respondents saw this as their second biggest concern, the UK (31%) is seemingly complacent about the threat. BYOD has created an environment where enterprise security teams have little control over the devices.
Public Wi-Fi banned but no detail on the use of VPNs
Having admitted that public Wi-Fi is a major threat, it might be reasonable to expect VPNs to be in use and public Wi-Fi discouraged. Not a chance. The report seems to have ignored the question of whether VPN technology is used by default on the devices. It would have been interesting had it done so. At a conference in the USA this week, it took just three minutes to get five people connected to a rogue hotspot. None of them were using VPN technology to connect to their offices.
Bans on public Wi-Fi are also variable and show the danger of confused policies. Only France (39%) said that public Wi-Fi was banned all the time. Meanwhile in Germany (43%) and the US (41%) public Wi-Fi was banned sometimes. What the conditions were for banning it was not explored or, if it was, the report's authors chose not to make it public.
The UK, it seems, doesn’t give two hoots about the use of public Wi-Fi. 44% said there were no plans to ban it at all. Presumably this is either because enterprises don’t want to pay for an alternative or their cyber security is completely shot. Only 13% were willing to ban public Wi-Fi all the time.
C-Suite and CEOs are the greatest threat to the enterprise
It should come as no surprise that the C-Suite execs and CEOs in particular are major security targets. 40% of respondents put them as the highest risk group but concerns varied by country. In the UK (42%) and France (45%) it is senior management excluding the C-Suite (41% and 29% respectively) who are the biggest risk. In Germany (49%) and the US (40%) the C-Suite were well above all other groups.
Surprisingly there were limited concerns over interns and junior staff. No country rated them as a significant security risk. However, several reports over the last year have shown these are the staff members most likely to use Wi-Fi wherever they find it. They are also the most likely to be lax or unconcerned about cyber security when it comes to getting online almost at all costs.
This is an interesting report from iPass that shows some widely differing views country by country. It would have been helpful to have had details on what security measures were being imposed on users, for example by asking about the use of VPNs when connecting to the office.
When looking at the responses by country it is clear that the UK has the worst security posture of all four countries. The report doesn’t speculate on or go into any detailed explanation of why this might be. What it does show is that cyber security is far from important to UK companies. With GDPR now under a year away, it seems that the UK is heading for a shocking wake-up call.