Quantifying the Risk of Mobile Phishing Attacks, and the Value of Mobile Threat Defense
Attackers are increasingly targeting your mobile devices, with phishing attacks as the leading attack vector. Aberdeen’s analysis helps to justify the priority that should be given to solutions designed for protection and remediation of these growing threats.
Attackers are targeting your enterprise endpoints, which increasingly means its many mobile devices.
Threats and vulnerabilities related to both the traditional endpoints (PCs, laptops) and mobile devices (smart phones, tablets) that are being used throughout your extended enterprise are relentlessly on the rise.
Even more important from a risk-based perspective, Aberdeen’s analysis of confirmed data breaches by asset type shows that attackers have a higher success rate on endpoints than on servers, a pattern that is trending sharply worse (see Figure 1). Over the past three years, the attacker success rate for endpoints, i.e., confirmed data breaches (successes) as a percentage of investigated incidents (attempts), grew from 1.1 times higher to 4.5 times higher than the success rate for servers.
Figure 1: Analysis of Confirmed Data Breaches by Asset Type Shows that Attackers Have a Higher Success Rate on Endpoints than on Servers, a Pattern Which is Trending Sharply Worse.
Empirical Attacker Success Rate: Confirmed data breaches (successes) / Investigated incidents (attempts)
Source: Empirical data adapted from Verizon DBIR 2018 (N = 4,020 incidents; 1,530 breaches), Verizon DBIR 2019 (N = 3,667 incidents; 1,068 breaches), Verizon DBIR 2020 (N = 16,242 incidents; 2,314 breaches); Aberdeen, October 2020
Phishing remains the leading attack vector. What’s the likelihood that a mobile phishing attack will succeed?
Attackers design phishing attacks to get users to click on malicious attachments or links, or use pretexting to convince users to voluntarily give up information or take some inappropriate action, for example by responding to an urgent request from an impersonated executive, business partner, or customer. In the Verizon DBIR datasets, almost all (>95%) confirmed data breaches have involved phishing or pretexting.
Email continues by far to be the most common mechanism for phishing attacks, although the use of social media and other methods in the attacker’s campaign toolbox (e.g., ads, browser extensions, freeware, instant messages, pop-ups) is on the rise. For all of these approaches, the common denominator is that they are fundamentally attacks on user behaviours, which helps explain why mobile devices and mobile phishing attacks are increasingly in the crosshairs:
- In the enterprise, mobile devices have been widely embraced in pursuit of initiatives for digital transformation, collaboration, productivity, and operational efficiency. This creates a culture of users making quick decisions, on devices where key information is often hidden (e.g., shortened web links) or not easy to access and view.
- For enterprise users, access to corporate resources from mobile devices, at any time, from any location, over any network, is widely considered to be table stakes for convenience and productivity. This creates a technical challenge, not only for attacks on user behaviours but also at the network, device, and application level.
The technical details of mobile phishing attacks are clearly important for IT and information security professionals to understand, but ultimately, they must lead to effectively addressing the relevant risk-based questions of “how likely” and “how much impact.” For example, what’s the likelihood that a mobile phishing attack will result in a successful data breach?
To estimate the range of possible values for this essential question, Aberdeen developed a straightforward Monte Carlo analysis based on the best available estimates (on an aggregate, market-wide basis) for each of the following factors:
- The percentage of enterprise devices that encounter a mobile phishing link: Between 0% and 100%, with a most likely value of about 16% (Source: Empirical data adapted from Lookout; January 2020)
- The percentage of enterprise users that encounter a mobile phishing link, and click on that link: Between 0% and 100%, with a most likely value of about 33% (Source: Empirical data adapted from MobileIron / Zimperium; October 2020)
- The percentage of phishing attacks that result in a successful data breach: Between 0% and 100%, with a most likely value of about 55% (Source: Adapted from Proofpoint; October 2020)
The result: Based on these inputs, Aberdeen’s quantitative analysis shows that for the market as a whole, the likelihood of a mobile phishing attack resulting in a successful data breach ranges between 0.02% and 20%, with a median of about 2.3% (see the full exceedance curve in Figure 2).
Figure 2: The Likelihood of a Mobile Phishing Attack Resulting in a Successful Data Breach Ranges From 0.02% to 20% (Median: 2.3%)
Source: Monte Carlo analysis, based on empirical data adapted from Lookout, MobileIron / Zimperium, Proofpoint; Aberdeen, October 2020
What does this mean? Said another way, although we can’t answer the question at hand with actuarial precision, we can estimate with 90% confidence that the likelihood of a mobile phishing attack resulting in a successful data breach falls within this range. Given the high frequency of mobile phishing attacks, this analysis provides tremendous insight into business decisions about the priority that should be given to solutions designed to provide protection and remediation for these growing threats.
Combining “how likely” with “how much impact”: what’s the annualized risk of a data breach, as a result of mobile phishing attacks?
Building on the above, Aberdeen extended its quantitative analysis to include estimates for the impact (total cost) of a data breach. This aspect quickly leads to a bit more personalization, i.e., estimates for the total cost of a data breach can vary significantly based on enterprise-specific factors such as:
- Industry
- Geographic region
- Company size (both revenue, and number of employees)
- Total number of records (e.g., in a breach of a “crown jewels” database)
- Total revenue generated from compromised data (e.g., in a breach involving “crown jewels” intellectual property)
As a specific example: Consider a global enterprise, in the private sector, with annual revenue between $1B and $10B, between 5K and 25K users, between 10M and 100M records in its crown jewels database, and between $100M and $1B in annual revenue from its crown jewels intellectual property.

Source: Monte Carlo analysis; Global enterprise, private sector, $1B to $10B annual revenue, 5K to 25K users, 10M to 100M database records, $100M to $1B annual revenue from IP; Aberdeen, October 2020
Based on these inputs, Aberdeen’s quantitative analysis (see Figure 3) shows that for this scenario the annualized risk of a data breach resulting from mobile phishing attacks has:
- A median (i.e., 50% likely to exceed) value of about $1.7M
- A “long tail” (i.e., 5% likely to exceed) value of about $90M
As always, the point of doing this kind of analysis is to help senior business leaders make a better-informed business decision about the risk of mobile phishing attacks, which technical details alone do not really address:
- Does this exceedance curve, i.e., 50% likely to exceed $1.7M / year, and 5% likely to exceed $90M / year, represent a level of risk that the organization is currently willing to accept?
- From a different angle: Suppose the organization’s senior leadership team determines that their annualized appetite for risk of this nature is $10M. This analysis also provides the insight that the likelihood of exceeding this threshold is about 22%. Is that an acceptable risk?
If not, this kind of analysis also establishes a baseline for a classic “before vs. after” analysis, e.g., to quantify how an incremental investment in a mobile threat defense solution would reduce this risk to an acceptable level.
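The two analyses described above (the three-factor Monte Carlo for “how likely”, and its extension to an annualized loss exceedance curve and a risk-appetite threshold) as an added worked example in Python. This is not Aberdeen’s model or code: the report quotes only the minimum, most likely and maximum of each factor, so the triangular distributions, the log-uniform per-breach cost and the $1M to $100M cost bounds are assumptions of this example, and its output is not expected to reproduce the report’s 2.3% median or $1.7M / $90M figures.

```python
"""Monte Carlo estimate of mobile-phishing breach likelihood and annualized loss.

Added example, not Aberdeen's model. Assumptions: each input factor is a
triangular distribution over the (min, most likely, max) values the report
quotes; per-breach cost is log-uniform between two constructed bounds.
"""
import math
import random

# (min, most likely, max) for each factor, as quoted in the report. The report
# gives only these three numbers; the triangular shape is this example's assumption.
ENCOUNTER_RATE = (0.0, 0.16, 1.0)  # enterprise devices that encounter a phishing link
CLICK_RATE = (0.0, 0.33, 1.0)      # users who click on that link
BREACH_RATE = (0.0, 0.55, 1.0)     # phishing attacks that end in a data breach

# Hypothetical per-breach cost range in USD (constructed; the report does not
# publish its cost model). Log-uniform sampling treats the $1M..$10M and
# $10M..$100M bands as equally likely.
IMPACT_MIN_USD = 1e6
IMPACT_MAX_USD = 1e8


def sample_triangular(rng, spec):
    """Draw from a (min, mode, max) spec; random.triangular takes (low, high, mode)."""
    low, mode, high = spec
    return rng.triangular(low, high, mode)


def simulate_breach_likelihood(n_trials, seed=7):
    """Per-trial probability that a mobile phishing attack ends in a breach:
    the product of the three sampled factors (the 'how likely' question)."""
    rng = random.Random(seed)
    return [
        sample_triangular(rng, ENCOUNTER_RATE)
        * sample_triangular(rng, CLICK_RATE)
        * sample_triangular(rng, BREACH_RATE)
        for _ in range(n_trials)
    ]


def simulate_annual_loss(likelihoods, seed=11):
    """Combine 'how likely' with 'how much impact': one log-uniform cost draw per
    trial, multiplied by that trial's breach likelihood. Attack frequency is folded
    into the likelihood here; a fuller model would sample attacks per year too."""
    rng = random.Random(seed)
    lo, hi = math.log10(IMPACT_MIN_USD), math.log10(IMPACT_MAX_USD)
    return [p * 10 ** rng.uniform(lo, hi) for p in likelihoods]


def percentile(values, q):
    """Nearest-rank percentile for q in [0, 1] on a sorted copy of values."""
    ordered = sorted(values)
    idx = int(round(q * (len(ordered) - 1)))
    return ordered[min(len(ordered) - 1, max(0, idx))]


def prob_exceeds(values, threshold):
    """Fraction of trials strictly above threshold: one point on the exceedance curve."""
    return sum(1 for v in values if v > threshold) / len(values)


def exceedance_curve(values, thresholds):
    """(threshold, probability of exceeding) pairs, the curve the report plots."""
    return [(t, prob_exceeds(values, t)) for t in thresholds]


def summarize(values):
    """The three numbers the report reads off its exceedance curves."""
    return {
        "p5": percentile(values, 0.05),      # 95% likely to exceed
        "median": percentile(values, 0.50),  # 50% likely to exceed
        "p95": percentile(values, 0.95),     # 5% likely to exceed (the 'long tail')
    }


if __name__ == "__main__":
    likelihoods = simulate_breach_likelihood(50_000)
    losses = simulate_annual_loss(likelihoods)
    lk = summarize(likelihoods)
    print(f"breach likelihood: 90% interval {lk['p5']:.2%} .. {lk['p95']:.2%}, "
          f"median {lk['median']:.2%}")
    ls = summarize(losses)
    print(f"annualized loss: median ${ls['median'] / 1e6:.1f}M, "
          f"5%-tail ${ls['p95'] / 1e6:.1f}M")
    # Hypothetical risk appetite: how likely is it that annual loss exceeds $10M?
    appetite = 10e6
    print(f"P(loss > ${appetite / 1e6:.0f}M) = {prob_exceeds(losses, appetite):.0%}")
```

The “before vs. after” comparison the text mentions maps directly onto this structure: re-run `simulate_annual_loss` with the factor distributions a control is expected to shift (for example a lower click-rate mode once a mobile threat defense blocks known phishing links) and compare the two `summarize` outputs and `prob_exceeds` at the risk-appetite threshold.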
Explore Further: High-Level Solution Selection Criteria
As Aberdeen described in the research report “Zero Trust” for Enterprise Mobility: The Brakes That Help Your Users Go Faster (November 2019), its research has shown that mobile security solution categories which are consistent with the principles of zero trust, such as mobile threat defense, device monitoring and analytics, and adaptive access controls, are among the categories with the highest rates of net-new deployment:
- Mobile threat defense is designed to provide all mobile devices (regardless of ownership) that are authorized to access enterprise resources with protection, detection, and remediation from the large and growing landscape of mobile threats, vulnerabilities, and exploits. These capabilities can help to provide enterprise users with the desired access to enterprise resources from any device, at any time, from any location, over any network, and maintain visibility and control over enterprise resources, while also respecting user privacy and control over their own personal devices, apps, and data.
- Adaptive policies and controls are designed to replace traditional one-size-fits-all security policies in favor of dynamic, context-specific policies based on an intelligent, real-time assessment and analysis of risk factors such as:
  - Device identity and current posture / health
  - User identity and behaviors
  - Application identities and behaviors
  - Operational context (e.g., network, geolocation, time of day)
  These capabilities can help to automate flexible, adaptive security policies and controls based on the current assessment of risk, including the level of assurance required for user authentication; frequency of user authentication and data synchronization; and for enterprise-owned devices, potential deactivation of selected features.
- Conditional access is designed to enable the upside opportunities of higher user productivity, convenience, and ease of use by streamlining and fast-tracking access for typical, low-risk activities, while protecting against the downside of unknown / abnormal, higher-risk scenarios.
In addition to the above, readers may also want to consider the following high-level solution selection criteria for mobile threat defense:
- Support for all the organization’s mobile devices (e.g., iOS, Android)
- Designed to address not only attacks against user behaviors (e.g., phishing), but also attacks aimed at the network, device, or application level
- Designed for easy and cost-effective deployment, with mechanisms for ensuring activation by 100% of users
- Support for flexible deployment options (e.g., cloud-based, or on-premises)
Aberdeen Strategy & Research, a division of Spiceworks Ziff Davis, with over three decades of experience in independent, credible market research, helps illuminate market realities and inform business strategies. Our fact-based, unbiased, and outcome-centric research approach provides insights on technology, customer management, and business operations, to inspire critical thinking and ignite data-driven business actions.