All sectors perceive increased mobile and IoT risk
Please provide the information below to view the online Mobile Security Index Report.
Thank you.
You will soon receive an email with a link to confirm your access, or follow the link below.
Thank you.
You may now close this message and continue to your article.
- 2024
- Introduction
- Modern work, enabled by mobile
- IoT—everything, everywhere, all at once
- IoT use is especially high in critical infrastructure sectors
- IoT security risks: Amplified in critical infrastructure sectors
- All sectors perceive increased mobile and IoT risk
- Breach risks and impacts are high, especially in critical infrastructure
- Shadow IT: A looming security challenge
- Emerging AI cyberthreats meet new AI defenses
- The disconnect between perceived and actual mobile security
- Critical infrastructure sectors have specific considerations
- Mobile security awareness and solution investments are rising
- IoT security is also making strides
- But IoT security gaps remain
- More to do. More that can be done.
- The call to arms: Move faster
- Appendices
- Contributors
- Download the full report
Since we launched this report seven years ago, we’ve seen the percentage of companies that suffered a mobile compromise trend steadily upward, from less than 30% in 2018 to more than half (53%) today. Some of this increase is related to the expanding attack surface. As mobile and IoT devices are embedded into all types of workflows, the sheer number of devices and apps that businesses rely on snowballs (as do the risks).
At the same time, alongside device numbers, awareness of mobile-specific security risks has also grown. Many people once thought that mobile devices were inherently more secure than desktop or laptop computers. Not anymore. A large majority of respondents (85%) now recognize that mobile device threats are on the rise, and more than half of those surveyed have experienced security incidents firsthand.
85%
of respondents say risks from mobile device threats have increased in the past year.
64%
believe they are at significant or extreme risk from mobile device threats.
51%
have experienced mobile app-related incidents from factors such as malware or unpatched vulnerabilities.
Awareness vs. real-world risks
For business users and consumers, 2023 was a record-breaking year for mobile threats. More zero-day vulnerabilities were discovered in iOS than ever before. The risky data collection policies used by popular apps such as TikTok and PinDuoDuo were on public display, while 75% of organizations experienced mobile phishing attempts targeting their employees.9
33%
of mobile phishing attacks against technology company employees in 2023 were successful.10
27%
of mobile phishing attacks against the financial sector succeeded.11
21%
of mobile phishing attacks targeting media and communications companies succeeded.12
In 2023, almost every iOS update that users were asked to install on their smartphones involved a security vulnerability.13
More than 260 iOS Common Vulnerabilities and Exposures (CVEs) were published in 2023. Because so many mobile device operating systems aren’t updated as often as they should be, the data and personal information stored on or accessible through them remain susceptible to exploits for extended periods of time. And the number of attacks that exploited vulnerabilities as the critical path to initiate a breach nearly tripled (a 180% increase) in 2023 compared to the prior year.14 Some of this growth is due to enormously successful widespread campaigns, such as the Cl0p ransomware gang’s exploitation of the MOVEit file transfer tool, which ultimately impacted millions of victims.15
Top Android vulnerabilities in 202316
CVE-2023-5217
A vulnerability in a video codex library used by Chrome, Firefox and Firefox Focus for Android.
CVE-2023-6345
A vulnerability in the 2D graphics engine for Google Chrome, Chrome OS, Android and Microsoft Edge.
CVE-2023-3019
A zero-day vulnerability in the V8 JavaScript engine of Chromium impacting versions of Google Chrome and Microsoft Edge mobile browsers.
CVE-2023-2033_2136
A group of vulnerabilities, some impacting Samsung devices and others affecting all Android devices.
CVE-2023-4863
A vulnerability in Chrome for Android’s WebP image format. A similar image processing vulnerability, BlastPass, has been exploited to deliver spyware.
Mobile and IoT security lags behind usage
Our ongoing reliance on mobile devices and rapid increase in IoT use generates opportunities for attackers to take advantage of key vulnerabilities, including as-yet-undiscovered zero-day attacks.
The vast majority of respondents (93%) express concern about mobile cybersecurity risks. Nonetheless, a minority (39%) have defined organizationwide IoT standards, and even fewer (37%) said their organizations centrally coordinate IoT projects.
Defining and adhering to cross-organizational standards is crucial to helping ensure IoT devices and sensors can keep up with evolving security and regulatory requirements. With enormous variability in device capabilities, use cases and risks, it’s important to set technical and non-technical standards for each IoT project across every business unit.
The National Institute of Standards and Technology (NIST) recommends baselining the following core technical capabilities:17
- Device identification
- Device configuration
- Data protection
- Logical access to interfaces
- Software updates
- Cybersecurity state awareness
NIST also recommends setting standards for nontechnical aspects of IoT projects, including:18
- Documentation
- Responding to queries
- Information sharing
- Education and awareness
87%
of respondents believe a security breach could severely impact the business’s operations.
39%
have defined IoT standards.
37%
centrally coordinate IoT projects.
Mobile phishing
Aaron Cockerill, Executive Vice President of Product & Security, Lookout
Data is the currency of modern enterprises. Establishing a strong data security strategy is not only a critical defense measure, but also a strategic business enabler.
In years past, organizations had dedicated private data centers, housing multiple servers, network equipment and storage devices. These setups not only presented scalability issues, but required continuous hardware and software upgrades to accommodate rising data needs. If not well maintained, this infrastructure is also highly susceptible to malware and vulnerability-based attacks.
Today, a majority of corporate data resides in the cloud across an increasing number of software-as-a-service (SaaS) and private apps. While this infrastructure is better maintained, making network bugs less of a concern, critical corporate data is also more widely distributed. This distribution presents other challenges, such as the risk of system misconfigurations, as sensitive data flows across an expanding set of apps.
With more corporate data residing in the cloud, we’re seeing a shift away from traditional malware and vulnerability attacks. Because cloud infrastructure is better maintained, the return on investment for traditional exploits has diminished. In response, threat actors have changed their Tactics, Techniques and Procedures (TTPs), to focus on leveraging social engineering, targeting a user’s mobile phone to steal credentials and impersonate users. With credentials in hand, they have immediate access to critical corporate infrastructure and sensitive data. We refer to this change in TTP strategy as the modern kill chain.
To illustrate, consider recent high-profile attacks: MGM Resorts, Caesars Entertainment and Twilio. In each instance, the threat actor group known as Scattered Spider used the phishing kit Oktapus to social engineer via mobile devices. In another example, the Lookout Threat Intel team discovered a similar phishing kit, CyptoChameleon that has been used by what was likely a different group of threat actors to target the FCC, Coinbase, Google, Microsoft and other organizations.
If a phishing attack is successful and a threat actor is able to get login credentials, the subsequent steps in the modern kill chain move rapidly. With direct access to an organization’s cloud infrastructure, the attack dwell time has gone from months to minutes. This also brings severe repercussions for individuals, who are at risk of identity theft, along with the organizations that are required to safeguard sensitive data. Defending against rapid modern attacks requires organizations to have clear visibility and automated response capabilities, both at the mobile endpoint and across their SaaS and private applications.
25%
of mobile users tapped on at least one phishing link every quarter in 2023.19
9 Lookout, Mobile Threat Landscape Report, 2023.
10 Akamai, The Increased Use of Mobile Devices Expands the Threat Landscape, 2023.
11 Ibid.
12 Ibid.
13 Ibid.
14 Verizon, Data Breach Investigations Report, 2024.
15 Ibid.
16 Lookout, Mobile Threat Landscape Report, 2023.
17 NIST, NIST Cybersecurity for IoT Program, Create a Profile Using the IoT Core Baseline and Non-Technical Baseline, 2020.
18 Ibid.
19 Lookout, Mobile Threat Landscape Report, 2023.