Increasing security risks in the age of applications

Lori MacVittie, Principal Threat Evangelist, F5 Networks, discusses why, despite education and a constant litany of reminders that security is everyone's responsibility, not only is the corporate-consumer barrier being breached on a regular basis, but the most basic of security practices is being completely ignored when it comes to apps and passwords.

Today we find ourselves swiping through pages of apps on our phones as the phrase "there's an app for that" continues to become more of a reality than a simple marketing slogan. Whether it's an app to watch TV, organise diaries, log exercise or play games, it's hard to find an activity that there isn't an app for. In fact, research shows the average person has over 80 apps installed on their phone. Furthermore, consumers are expected to download a staggering 258 billion mobile apps in 2022 alone.

Thanks to an insatiable appetite for data and visibility into consumer habits, most of those apps probably require an account. Whether it's tied to a social media account or stand-alone, most apps encourage registration in order to access the most useful or interesting capabilities - like sharing what level of Candy Crush you're stuck on today.

Those apps no doubt include social media. According to even more data (probably mined from the apps themselves), we had an average of 8.5 social media accounts in 2018. That's nearly double the 4.8 average seen in 2014.

Now here's where it gets interesting. The average number of email accounts per internet user was either 1.8 or 2.5 in 2018, depending on whether you cite data from Radicati or DMA, respectively. In either case, the number of email addresses per user is significantly lower than the number of social media accounts and apps used on a daily/monthly basis.

Which makes sense. Typically, we don't maintain a one-to-one relationship between social media accounts and email addresses. We have grown as attached to our email addresses as we have to our phones: the DMA research found that 51% of people have held the same email address for more than 10 years. Colour me unsurprised. I've held the same personal email address for more than 20 years, and my corporate address for almost 13 now.

You can imagine that those two email addresses are associated with way more than the average number of apps and social media accounts.

Also unsurprising is the number of times my personal email address has turned up on a list of addresses compromised by some information breach. It's a lot. I suspect given the statistics that most people can say the same thing. And if we project out the nearly linear growth of social media accounts for four more years, it's likely that number will grow along with the number of available targets.

Now, think about that and then consider these findings from password management vendor, LastPass:

  • 43% of the top 30 domains employees use are also popular consumer apps (think Dropbox, for example)
  • 50% of people do not create different passwords for personal and work accounts

If that's troubling, wait - there's more. The same research found that 6 passwords were shared by the average employee. That's six passwords shared with co-workers.

Take a deep breath, security pro.

Despite education and a constant litany of reminders that security is everyone's responsibility, not only is the corporate-consumer barrier being breached on a regular basis, but the most basic of security practices are being completely ignored when it comes to apps and passwords. The Verizon Data Breach Investigations Report found that over 70% of employees reuse passwords at work.

That's why it's important for organisations to recognise the problem and institute better protection of their own corporate assets. Corporate assets that are usually accessed by one of those 2.5 email addresses. The use of multi-factor authentication (MFA) and instituting password complexity requirements are amongst the best defences against attackers easily brute forcing their way into lucrative sources of data. MFA is also one of the best defences against the sharing of passwords, because it goes one step further and requires an additional step - one that most co-workers can't complete.
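As an added illustration of the two defences named above (this is example code written for this page, not F5's or LastPass's), the block below combines a password-policy check with a second factor. It assumes TOTP (RFC 6238, the time-based one-time codes used by authenticator apps) as the concrete form of MFA, which the article does not specify; the breached-password set, the user record, its fixed salt and the `RFC_SEED` test secret (taken from the RFC 4226/6238 test vectors) are all constructed for the example. The point it demonstrates is that a password that is reused, shared or present in a breach corpus is rejected, and even a correct password fails without the current one-time code.

```python
"""Added example (not from the article): a password-policy check plus a
TOTP second factor, both implemented with the Python standard library."""
import hashlib
import hmac
import re
import struct

# Constructed sample of passwords seen in public breach corpora; a real
# deployment would consult a full breach list rather than a hard-coded set.
BREACHED_PASSWORDS = {"password123", "qwerty123456", "letmein2018", "summer2019"}


def check_password_policy(password: str, min_len: int = 12) -> list:
    """Return a list of policy violations; an empty list means the password passes.
    Complexity rules alone do not stop reuse, so the breach-corpus check is the
    part aimed at the 70%-reuse figure the article quotes."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    if password.lower() in BREACHED_PASSWORDS:
        problems.append("appears in breach corpus (likely reused)")
    return problems


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current 30-second step plus `window` steps either side for
    clock drift, comparing each candidate in constant time."""
    counter = at // 30
    return any(
        hmac.compare_digest(hotp(secret, counter + d), code)
        for d in range(-window, window + 1)
    )


def make_user(password: str, totp_seed: bytes) -> dict:
    """Constructed user record: PBKDF2 password hash plus a per-user TOTP seed."""
    salt = b"constructed-fixed-salt"  # a real system uses a random per-user salt
    return {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "salt": salt,
        "totp_seed": totp_seed,
    }


def authenticate(user: dict, password: str, code: str, at: int) -> bool:
    """Both factors must pass: a shared or reused password alone is not enough."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    pw_ok = hmac.compare_digest(candidate, user["pw_hash"])
    return pw_ok and verify_totp(user["totp_seed"], code, at)


# Shared test secret from the RFC 4226 / RFC 6238 test vectors, used here as a demo seed.
RFC_SEED = b"12345678901234567890"

if __name__ == "__main__":
    print(check_password_policy("password123"))          # three violations
    print(check_password_policy("Correct-Horse-Battery-9"))  # []
    user = make_user("Correct-Horse-Battery-9", RFC_SEED)
    now = 59  # Unix time from the RFC 6238 test table; code for this step is 287082
    print(authenticate(user, "Correct-Horse-Battery-9", totp(RFC_SEED, now), now))  # True
    print(authenticate(user, "Correct-Horse-Battery-9", "000000", now))             # False
```

The drift window is deliberately small: every extra step accepted widens the set of codes an attacker could guess, so one step either side is the usual compromise between usability and brute-force resistance.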

With every account that's exposed, with every app that joins the corporate ranks, risk is increased. Risk from employees sharing passwords, risk from static email addresses with multiple passwords, and risk from attackers who know all these statistics and the best ways to exploit them.

MFA is not a panacea, but it is a good start on the road to addressing a risk that's only going to continue to grow along with the number of apps on our phones and in use across personal and corporate domains.

Copyright Lyonsdown Limited 2021
