Interview: Tom Davison, Technical Director EMEA, Lookout Mobile Security

According to recent statistics from Lookout Mobile Security, drawing on analysis of nearly 200 million mobile devices running Lookout’s security software, as many as 50% of Android users globally are running an out-of-date version of Chrome for Android.

However, if your company’s policy is not to push out updates due to app settings, are you leaving your employees at risk, especially in a year when they have become more reliant on mobile devices whilst working remotely?

Talking to Infosecurity, Tom Davison, technical director for EMEA at Lookout, made it clear: “We’re focusing on a vector that if you’re not updating, you’re at risk.” He admitted that Apple iOS users do see the benefits of a more secure device as “the majority of iOS devices update more quickly” and Apple is going out of its way to update the device more often than Android, as the latter has a more fragmented user base.

So are we in a situation where the phone is more secure than the PC, as it is more frequently updated? Davison said that is true, but we also see a lot of phones being resold and reused, and the challenge for enterprises is the adoption of BYOD policies where devices are being used that the company does not have the technology to support. This leads a company to roll out updates depending on what they can secure, and a process of “staggered updates” rather than deploying new fixes immediately. “This makes devices harder to manage and can expose you to further attacks,” he explained.

So after all of the experiences of 2020, how much has remote working affected the mobile security world? Davison said his conversations with customers found that there was investment in hardware – if it was not there previously – but people “were using all sorts of devices and those who were forward thinking had a strategy for different devices.” However, he said those who were less prepared “were caught on the back foot.”

He also acknowledged a rise in mobile phishing, especially in Q1, as the concerns around COVID-19 increased “and the mobile makes for an easier target” which placed a greater emphasis on protecting mobile devices.

In particular, the issue of mobile devices in the pharmaceutical industry is a concern, as Davison said that while usage is the same as in most enterprises, “there are differences in how much a company is targeted and pharmaceutical has risen because of its intellectual property, as there have been more stories of targeted attacks as everyone is after a vaccine.”

“Staggered updates make devices harder to manage and can expose you to further attacks”

Davison said that once an attacker has built the mechanisms to compromise someone, they repackage the attack and change its “flavor.” He also said that this tactic is being used in unverified third-party apps, and Lookout has seen a migration towards targeting a specific group or vertical with tailored content, as it is expensive to mount an attack with a unique variant every time.

So has mobile phishing been the significant change in the state of mobile security in 2020? Davison said the increase in mobile phishing has occurred “as people know the target,” and there is a high success rate: users are trained to scrutinize a message when it comes in via email, but that is harder to do on a mobile screen, and more messages are coming via SMS. “I also think phishing is happening via LinkedIn and WhatsApp, and they are all ways of coming in, and all ways to get to you.”

Davison pointed to recent statistics which show that 50% of recipients will still click on a link, and said that this is the problem, “as most businesses use mobile device management and you can control what they [employees] are looking at, but not phishing.” He said these attacks happen regardless of which operating system you are on, and you are reliant on the end user not clicking on the wrong thing; but people click anyway, and combined with a vulnerable platform, you have a dangerous mix.

This led Infosecurity to wonder whether the inherent security of a service like WhatsApp, whose messages are end-to-end encrypted and so invisible to network inspection, means that an attacker is not going to be spotted. Davison said a security department “has to be able to inspect the bad stuff,” and if an attacker is able to compromise a user via WhatsApp, that attacker is going to be hard to spot.

So what does 2021 look like in terms of mobile security? Davison said the idea of what we call modern endpoints will evolve: curated app stores, and sandboxed code that does not run in the kernel, are the way forward.

The mobile can be a blind spot outside of corporate email, but it can be a challenge to balance privacy of the user whilst filling those gaps. “The modern endpoint is here to stay and remote working will stick around for most of us, and the balance is also here to stay, and organizations who try to lock users down will fail as it creates shadow IT and resistance,” Davison said.

He concluded by saying that the business does need visibility and needs to know which versions of apps and operating systems are being used on devices connecting to the network. It also needs to make decisions on what is acceptable in the workplace. “The key thing is visibility on endpoints without invading privacy and controlling how employees access your data.”
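As an added illustration of the visibility Davison describes (example code written for this page, not Lookout's or Infosecurity's), the script below takes an MDM inventory export and flags Android devices whose Chrome build is below a chosen baseline, the kind of check behind the "50% out of date" figure quoted at the top of the article. The CSV column names, the sample rows and the baseline version are all constructed assumptions; the point it makes beyond the text is that version strings must be compared numerically, field by field, because a plain string comparison ranks "9.0.597.106" above "86.0.4240.0".

```python
"""Flag out-of-date Chrome for Android in an MDM inventory export.

Added example for this article, not code from Lookout or the magazine.
The export format (column names) and the baseline version are assumptions.
"""
import csv
import io

# Constructed sample of an MDM inventory export; the column names are hypothetical.
INVENTORY_CSV = """\
device_id,os,os_version,app,app_version
d001,android,11,com.android.chrome,87.0.4280.66
d002,android,9,com.android.chrome,79.0.3945.93
d003,android,10,com.android.chrome,9.0.597.106
d004,ios,14.2,com.google.chrome.ios,87.0.4280.77
d005,android,10,com.android.chrome,not-installed
"""

# Hypothetical baseline: the oldest Chrome for Android build the organization accepts.
MIN_CHROME_ANDROID = "86.0.4240.0"


def parse_version(s):
    """Turn '87.0.4280.66' into (87, 0, 4280, 66) so comparison is numeric.

    Tuples of ints compare field by field, which is what we want; comparing
    the raw strings would put '9.0.597.106' *above* '86.0.4240.0' because
    '9' sorts after '8'. Returns None for anything that is not a dotted run
    of integers (e.g. 'not-installed'), so the caller can report it separately.
    """
    try:
        return tuple(int(p) for p in s.strip().split("."))
    except ValueError:
        return None


def outdated_chrome(csv_text, baseline=MIN_CHROME_ANDROID):
    """Return (outdated, unparseable) lists of device_ids.

    outdated    - Android devices whose Chrome build is below the baseline
    unparseable - Android devices whose Chrome version could not be read;
                  these are worth a look too, since 'unknown' is not 'patched'
    """
    base = parse_version(baseline)
    outdated, unparseable = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Only Android Chrome is in scope for this check.
        if row["os"] != "android" or row["app"] != "com.android.chrome":
            continue
        version = parse_version(row["app_version"])
        if version is None:
            unparseable.append(row["device_id"])
        elif version < base:
            outdated.append(row["device_id"])
    return outdated, unparseable


def outdated_share(csv_text, baseline=MIN_CHROME_ANDROID):
    """Fraction of Android Chrome installs that are below the baseline,
    counting unparseable entries as out of date (0.0 if there are none)."""
    outdated, unparseable = outdated_chrome(csv_text, baseline)
    total = sum(
        1 for row in csv.DictReader(io.StringIO(csv_text))
        if row["os"] == "android" and row["app"] == "com.android.chrome"
    )
    return (len(outdated) + len(unparseable)) / total if total else 0.0


if __name__ == "__main__":
    old, unknown = outdated_chrome(INVENTORY_CSV)
    print("below baseline:", old)
    print("version unreadable:", unknown)
    print("out-of-date share: %.0f%%" % (100 * outdated_share(INVENTORY_CSV)))
```

Run against a real export, the two lists are what an operations team would feed into an update campaign or a conditional-access rule; the version-string pitfall is the reason to parse rather than sort.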

Join Infosecurity’s live webinar, with speakers from OPSWAT, UK CSA and Convergence Group, on Thursday December 10 at 3pm GMT/10am EST, for a discussion on enabling mobile security in 2020.
