It’s no secret that mobile users are more likely to fall victim to phishing scams than desktop users. People have their phones with them almost all the time and tend to scrutinise text and social media messages far less closely than email. Somehow a short text raises less suspicion than an email, and people are less careful about mobile data security as a result.
According to Wandera, the volume of personal and corporate data held on mobile devices makes them prime targets for phishing. On a phone, users can’t hover over a hyperlink to reveal its destination, so the visible text of a link is all they have to judge it by.
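Because a mobile user never sees the real destination of a link, a mail or messaging gateway has to do that check for them. The following is an added example (not code from the article or from Wandera) that pulls every anchor out of an HTML message body and flags the tricks that rely on the destination being hidden: visible text that looks like a URL or hostname but points somewhere else, a visible "https://" backed by a plain-http href, and punycode (xn--) labels in the destination host that can render as lookalike characters. The sample message body is constructed for the example; the hostnames in it are placeholders, not real sites.

```python
"""Flag deceptive links in an HTML message body (added example, standard library only)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body for the example; every host here is a placeholder.
SAMPLE_HTML = """
<p>Your account needs attention.
   <a href="http://secure-login.example.net/reset">https://bank.example.com/login</a></p>
<p>Read our policy at <a href="https://bank.example.com/policy">our website</a>.</p>
<p>Verify at <a href="http://xn--bnk-7oa.example.com/verify">bank.example.com</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element with an href."""

    def __init__(self):
        super().__init__()
        self._href = None
        self._text = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


# Visible text that a reader would take for a URL or a hostname (scheme optional).
_HOSTLIKE = re.compile(r"^(?:[a-z][a-z0-9+.-]*://)?[a-z0-9.-]+\.[a-z]{2,}(?:[/:?#]\S*)?$", re.I)


def host_of(url):
    """Lower-cased hostname of a URL; bare hostnames are accepted too."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


def is_punycode(host):
    """True if any DNS label is an IDN (xn--) label, which may render as lookalike glyphs."""
    return any(label.startswith("xn--") for label in host.split("."))


def analyse_link(href, text):
    """Return a list of findings for one link; an empty list means nothing suspicious."""
    findings = []
    href_host = host_of(href)
    if is_punycode(href_host):
        findings.append("punycode host: " + href_host)
    if _HOSTLIKE.match(text):
        # The reader believes they are going to text_host; check that against the real href.
        text_host = host_of(text)
        if text_host != href_host:
            findings.append(f"visible text says {text_host} but href goes to {href_host}")
        if text.lower().startswith("https://") and urlsplit(href).scheme.lower() == "http":
            findings.append("visible https but href is plain http")
    return findings


def scan(html):
    """Scan a message body; return (href, visible_text, findings) for each flagged link."""
    flagged = []
    for href, text in extract_links(html):
        findings = analyse_link(href, text)
        if findings:
            flagged.append((href, text, findings))
    return flagged


if __name__ == "__main__":
    for href, text, findings in scan(SAMPLE_HTML):
        print(f"{text!r} -> {href}")
        for finding in findings:
            print("   ", finding)
```

The check deliberately works on the message as received and does not fetch anything, so it can run in a gateway without touching the attacker's infrastructure; a shortened or redirecting link would need a separate, sandboxed expansion step before the same comparison applies to its final destination.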
Traditionally, enterprises have used firewalls, secure email gateways, antivirus, and user education to protect employees from phishing attacks.
However, on mobile, attackers are finding new ways to sidestep those routine protections and trick users into handing over sensitive information or installing malicious apps.
At the same time, attackers target personal email accounts as a way into corporate ones. They know personal email is an easier nut to crack than corporate email, and that both accounts are usually present on the same mobile device.
Notifiable data breaches
News of continued notifiable data breaches should remind enterprises of the need to strengthen their mobile data security. Where a breach or potential breach occurs, it’s important for businesses to get on the front foot right away.
For example, in December, AFL team Hawthorn had to alert its fans – along with the Office of the Australian Information Commissioner (OAIC) – that a staff member’s computer had been stolen. The computer was password protected, but it contained a spreadsheet of member data including name, member ID, street address, contact phone numbers, email address and date of birth. A login password on its own does not protect data on a stolen machine; unless the drive is encrypted, whoever holds the hardware can read the files.
With the potential for this data to become publicly available, the Hawks went on the front foot to remind fans to be hyper-aware of phishing scams.
Also, in December, media company Nova Entertainment notified OAIC that information it collected from listeners from May 2009 to October 2011 had been publicly disclosed.
In this case, the data included names, gender, dates of birth, addresses, emails and phone numbers, and account details such as usernames and hashed passwords. Hashing makes passwords harder to recover but not impossible: weak or reused passwords, and hashes produced with a fast, unsalted algorithm, can be cracked offline, which is why a reset is still necessary.
In line with best practice, Nova encouraged affected listeners to change their passwords, including on any other accounts that reuse the same email address, username or password.
As Nova and the Hawks strengthen their cyber security provisions, remember that your employees’ mobile devices can be compromised too, and that mobile security awareness training needs to be part of your program. It’s absolutely critical to do everything you can to stop customer and employee data falling into the wrong hands.
GDPR violations rife
Elsewhere, you will have seen last month’s headlines about the record €50 million (AU$79.2 million) fine Google copped for breaching the EU’s GDPR. The fine was sparked by complaints that Google forced users to agree to new privacy policies.
Google was found to have violated EU law in two ways:
- A lack of transparency and information
- Not having a legal basis to process user data for personalized advertisements.
Of course, it’s not just Google. There is a rash of complaints against the who’s who of technology giants – including Amazon, Apple, Netflix and Spotify. The firms are accused of violating Article 15 of GDPR, the right of access, which requires them to respond to private citizens’ requests for the personal data held about them.
In the UK alone, research from cloud data firm Talend suggests as many as three in four organisations are in breach of their GDPR obligations. These companies are failing to adequately address requests from individuals seeking their personal data within the one-month period the regulation specifies.
So, with Google’s business model under threat, and businesses needing to do much more to meet their GDPR obligations, every enterprise needs to strengthen its mobile data security and watch this space.