Lessons on Phones, Phishing, and Practical Cybersecurity

April 16, 2015
Verizon's 2015 Data Breach Investigation Report shows that mobile devices are barely on hackers' radar. But your inbox is.

As connected devices proliferate through the industry, we're constantly reminded of the threat our unprotected tablets and smartphones pose to the enterprise.

But it turns out mobile devices are the least of our concerns.

"We worked with the wireless side of the house here at Verizon to analyze malware to get some data on how often cellphones are getting infected," explained Stephen Brannon, principal, Verizon Cyber Intelligence Center.

"The answer is very, very rarely."

According to the report, less than 0.3% of mobile devices are infected with destructive malware each year, and about 96% of that malware targets Android OS.

"Across the board, there's a real lack of security breaches there," Brannon said. "It is just very, very rare for mobile devices to get infected by malware."

That is certainly good news for mobile users, but it's not exactly good news for cyber security in general.

"You shouldn't feel too good about this number," Brannon explained. "No one is hacking mobile devices because it is still much easier to get in through phishing."

That's right.

For all of the "doom and gloom" we hear about this cyberwar and all of the sophisticated tools at the hackers' disposal, the vast majority of attacks still come in through phishing emails and infected attachments—the same techniques they have been using since the 1990s.

The report indicates that email attachments accounted for about 40% of breaches in 2014 and email links for about 35%.

The numbers from there are astounding—about 23% of recipients of these phishing messages open the emails and about 11% click on the attachments.

The median time-to-first-click on those phishing campaigns comes in at just 1:22, and once they get in, about 75% of the attacks spread to another victim within one day.

What's worse, an insane majority of these attacks are almost completely preventable.

According to the DBIR, 97% of the exploited vulnerabilities these attacks target were compromised more than a year after remedies and patches had been created. Some of them had been solved as far back as 1999.

That is a sobering statistic. But it also provides us with a roadmap for prevention.

To read the full article, see Phones, Phishing, and Practical Cybersecurity: Lessons From 2015 Data Breach Investigation Report, which originally appeared on IndustryWeek, an Endeavor Business Media partner site.