Considering the rapid rise in ransomware and other destructive attacks we’ve seen over the past six months alone, MWC Barcelona still doesn’t have the mobile security focus that it should.
Case in point: Eugene Kaspersky got about 10 minutes at the end of one keynote to talk about “cyber immunity.” That, plus a few security-related panels over the course of the week-long event, sums up the mobile security focus, despite a slew of recent reports suggesting mobile security should be top of mind for operators. Verizon’s latest Data Breach Investigations Report, for example, found that ransomware appeared in 10% of breaches, more than double the frequency of the previous year, and said ransomware now ranks third among the actions that cause data breaches.
Despite the lack of attention at MWC, new threat reports from Trend Micro, McAfee, and Menlo Security put security in sharp focus. They illustrate the growing threat from malware, particularly ransomware, and indicate that IoT devices and industrial systems are increasingly at risk.
Threat 1: Industrial Systems at Risk
Cybercriminals are increasingly shifting their focus from network attacks to industrial systems, Kaspersky warned in his MWC Barcelona keynote. “I’m afraid that it’s just a question of time when professional cyber criminals, these professional gangs, will switch to attacks on industrial systems, on Internet of Things, and critical infrastructure,” he said. “I’m afraid it’s coming.”
Kaspersky’s warning echoes a Trend Micro report, also released at the MWC event, that highlights the growing risk of downtime and sensitive data theft from ransomware attacks aimed at industrial facilities. The report found that Ryuk (20%), Nefilim (14.6%), Sodinokibi (13.5%) and LockBit (10.4%) variants accounted for more than half of industrial control system ransomware infections in 2020.
Additionally, threat actors are planting cryptocurrency miners on industrial control system endpoints, getting in through unpatched operating systems that remain vulnerable to EternalBlue, the NSA-developed SMBv1 exploit (the flaw Microsoft patched as MS17-010) that powered the 2017 WannaCry attack.
“The problem is that industrial environments tend to be awfully long lived and not very dynamic,” said William Malik, VP of infrastructure strategies at Trend Micro. “As an engineer, once you build a bridge, you watch it and you maintain it, but you’re not going to rebuild it.”
This holds true for industrial control systems as well, he added. “So, what that means is you tend to have very, very long-lived pieces of technology.”
The report offers several suggestions for securing these systems, including closer cooperation between IT security and OT teams to identify key systems and their dependencies, and prompt software patching, which is easier said than done. Malik calls the latter “my most irritating recommendation.”
“And the reason is: The amount of patching that has to go on is huge, and particularly when you’re talking about systems that are involved in industrial controls,” he said. “You can’t take something offline for half an hour to patch it.”
Additionally, most organizations don’t have redundant methods or duplicate gear in place to ensure that industrial control systems continue to work, uninterrupted, if a component fails or needs patching. “So if anything goes down, everything’s down,” Malik said. “Patching is a really hard problem in its own right, and add to the fact that many of these systems have to be continuously available.”
Because of this, Trend Micro also recommends network segmentation or virtual patching: putting an intrusion prevention system in front of a system that cannot be taken down and having it block exploit traffic aimed at the known vulnerability, so the system is shielded until a maintenance window allows the real patch.
Additionally, the report urges OT teams to restrict network shares and enforce strong username and password combinations to block unauthorized access via credential brute forcing, and to apply the principle of least privilege to OT network admins and operators. It also advises using an intrusion detection and prevention system to baseline normal network behavior, so that deviations from that baseline stand out as suspicious.
“Those are really critical, but, you know, installing anti-malware, antivirus is kind of table stakes,” Malik said. “If you’re not doing something like that, then it’s game over.”
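The baselining recommendation above is concrete enough to show in code. The following is an added example, not code from the Trend Micro report or any IDS product: it learns which hosts talk to which services during a known-good window of flow records, then flags conversations, services, destinations and traffic volumes in a later window that fall outside that baseline. The flow records, IP addresses, port watchlist and the 5x volume threshold are all constructed for the example.

```python
"""Baseline-and-deviation detection over OT network flow records (added example)."""
from collections import defaultdict
from statistics import mean

# Constructed known-good window: an engineering workstation polls two PLCs over
# Modbus/TCP (502) and a historian pulls from the SCADA server over OPC UA (4840).
BASELINE_LOG = """\
ts,src,dst,dport,proto,bytes
1000,10.10.1.10,10.10.2.21,502,tcp,1200
1001,10.10.1.10,10.10.2.22,502,tcp,1150
1002,10.10.1.50,10.10.1.20,4840,tcp,8800
1003,10.10.1.10,10.10.2.21,502,tcp,1220
1004,10.10.1.50,10.10.1.20,4840,tcp,9100
1005,10.10.1.10,10.10.2.22,502,tcp,1180
"""

# Constructed evaluation window containing three deviations worth alerting on:
# an unknown host opening SMB to a PLC, a PLC reaching an outside address on a
# typical mining-pool port, and a known Modbus conversation moving far more data.
LIVE_LOG = """\
ts,src,dst,dport,proto,bytes
2000,10.10.1.10,10.10.2.21,502,tcp,1210
2001,10.10.1.99,10.10.2.21,445,tcp,3400
2002,10.10.1.50,10.10.1.20,4840,tcp,9000
2003,10.10.2.21,203.0.113.7,3333,tcp,2100
2004,10.10.1.10,10.10.2.22,502,tcp,61000
"""

# Ports whose appearance toward an OT host warrants escalation even when seen once.
# 445 (SMB) is the service EternalBlue/MS17-010 targets; 3333 is a hypothetical
# mining-pool port chosen for the example.
WATCHLIST_PORTS = {445: "SMB", 3389: "RDP", 3333: "common mining-pool port"}

VOLUME_FACTOR = 5  # alert when a known conversation exceeds 5x its baseline mean


def parse_flows(text):
    """Parse the constructed CSV flow format into dicts with typed fields."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    flows = []
    for line in lines[1:]:
        row = dict(zip(header, line.split(",")))
        for field in ("ts", "dport", "bytes"):
            row[field] = int(row[field])
        flows.append(row)
    return flows


def build_baseline(flows):
    """Learn the known-good picture: conversations, per-host services, typical volume."""
    conv_bytes = defaultdict(list)
    services = defaultdict(set)  # dst host -> ports it is normally contacted on
    hosts = set()
    for f in flows:
        conv_bytes[(f["src"], f["dst"], f["dport"], f["proto"])].append(f["bytes"])
        services[f["dst"]].add(f["dport"])
        hosts.update((f["src"], f["dst"]))
    return {
        "conversations": {k: mean(v) for k, v in conv_bytes.items()},
        "services": dict(services),
        "hosts": hosts,
    }


def detect_anomalies(baseline, flows, volume_factor=VOLUME_FACTOR):
    """Compare a live window against the baseline; return (reasons, flow) alerts."""
    alerts = []
    for f in flows:
        key = (f["src"], f["dst"], f["dport"], f["proto"])
        if key in baseline["conversations"]:
            # Known conversation: only the volume can be anomalous.
            if f["bytes"] > volume_factor * baseline["conversations"][key]:
                alerts.append((["volume_spike"], f))
            continue
        # Unknown conversation: collect every way it departs from the baseline.
        reasons = []
        if f["src"] not in baseline["hosts"]:
            reasons.append("unknown_source_host")
        if f["dst"] not in baseline["hosts"]:
            reasons.append("new_external_destination")
        if f["dport"] in WATCHLIST_PORTS:
            reasons.append(f"watchlist_port:{WATCHLIST_PORTS[f['dport']]}")
        elif f["dport"] not in baseline["services"].get(f["dst"], set()):
            reasons.append("new_service_on_host")
        alerts.append((reasons or ["new_conversation"], f))
    return alerts


def run():
    """Build the baseline from the known-good window and score the live window."""
    baseline = build_baseline(parse_flows(BASELINE_LOG))
    return detect_anomalies(baseline, parse_flows(LIVE_LOG))


if __name__ == "__main__":
    for reasons, f in run():
        print(f"{'+'.join(reasons):55s} {f['src']} -> {f['dst']}:{f['dport']}/{f['proto']} ({f['bytes']} B)")
```

The design point is that in an OT network the baseline is small and stable (the same few hosts talk to the same few services for years, as Malik describes), which is exactly what makes deviation alerts useful there: a new source host, a new destination, or a watchlisted port such as SMB toward a PLC is worth a ticket on its own, and the volume check catches a known conversation being abused for exfiltration. In practice the learning window would come from the IDS's own flow export rather than an embedded string, and the thresholds would be tuned per conversation.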
Threat 2: Mobile Malware on the Rise
In a related report, McAfee’s latest Mobile Threat Report, which surveyed more than 11,000 people in 11 countries, found that cybercriminals are still capitalizing on the pandemic with COVID-19-themed attacks.
By the fourth quarter of 2020, McAfee’s total mobile malware detected count hit 43 million with more than 3 million of these being new detections. According to the McAfee COVID-19 Dashboard, more than 90% of all pandemic-related malware took the form of Trojans. McAfee researchers found evidence of an SMS worm targeting Indian consumers, forming one of the earliest vaccine fraud campaigns. Both SMS and WhatsApp messages encouraged users to download a vaccine app, and once downloaded, malware sent itself to everyone in the user’s contact list via SMS or WhatsApp.
Additionally, McAfee Mobile Security detected a 141% increase in banking trojan activity between the third and fourth quarters of 2020. Most banking trojans are distributed through channels such as phishing SMS messages to sidestep Google Play’s app review. During its research, McAfee found one banking trojan that does get through, Brazilian Remote Access Tool Android (BRATA), which repeatedly made it onto Google Play and tricked thousands of users into downloading it.
While these threats target consumers, they increasingly also pose a threat to businesses because COVID-19 and the resulting remote and hybrid work blurred the lines between corporate and consumer security, said Judith Bitterli, SVP of McAfee’s Consumer Business Group.
“There used to be a clear demarcation between business and home,” she said. “But with the pandemic, what happens in the household doesn’t stay in the household anymore. And a business is only as secure as the people who are contributing to the business.”
This means companies should understand what security protections and protocols their employees use at home, Bitterli added. “And not just to understand it, but to make sure that any bad things don’t end up in the business.”
The same survey of more than 11,000 people across 11 countries found that 49% of U.S. consumers don’t use security software on their mobile device, and 58% said they don’t feel secure on their device.
“And only one in three have a clear understanding of data stored in the device,” Bitterli said. “At the same time, over the last six months, mobile malware has grown 118%. So you have people working from home, using their mobile device — and it is an attack vector. Businesses and security companies have an opportunity to educate consumers and make sure that you know we’re protected.”
Threat 3: Mobile Operators (Still) Aren’t Ready for 5G
However, consumers aren’t the only ones struggling with mobile security. It turns out operators, CIOs, and CISOs are, too.
Another study by Trend Micro, produced with GSMA Intelligence and based on two GSMA surveys, found that nearly half (48%) of operators lack the knowledge or tools to find and fix 5G security vulnerabilities. This figure comes from a GSMA Intelligence survey of 100 global operators. The skills gap matters because 5G private networks present a bigger attack surface than earlier generations and connect far more devices.
Additionally, 41% of operators still struggle with network virtualization vulnerabilities.
And while 85% of enterprises with IoT deployments have established a “security first” strategy, 15% haven’t, according to GSMA’s other survey of 2,873 enterprises across 18 countries.
The Trend Micro-GSMA study follows a Menlo Security mobile threat report, released just before MWC Barcelona, in which just over half of respondents (53%) said it is simply not possible to be prepared for all the tactics and strategies attackers use against mobile devices. Additionally, 38% said it is impossible to keep up with the pace of these attacks.
The survey of more than 600 IT decision makers across the U.S., U.K., and Australia also found that 76% believe their organizations are more vulnerable to mobile cyberattacks than just a year ago, following the shift to remote and hybrid work environments.
“When you look at the mobile device threat piece, there’s two things,” said Mark Guntrip, senior director of cybersecurity strategy for Menlo Security. “The first is that if you look at a mobile device, it’s not just the same as your computer. You’ve got your text messages, you’ve also got voice, and vishing — so phishing as a voicemail — and all these little avenues” in addition to email and web security, he explained. “There are all these other elements that are baked into a mobile device that could be used by an attacker to try to steal data or to do whatever it is they’re trying to do.”
There’s also the way that developers build mobile applications, Guntrip said: “You don’t see the same amount of signs or signals that something might not be right.”
If users visit a web site from a laptop, they can look for “HTTPS” in the URL or a padlock symbol to indicate that they are communicating more securely over the internet, he explained. “But if you look on a mobile device, you don’t see any of that unless you really dig into it. So you’re more likely to fall for something that you might not have fallen for on a regular PC computer because you didn’t get those signals to say this looks suspicious.”
Menlo Security’s report also found that respondents believe mobile browser vulnerabilities occur more often than laptop vulnerabilities (two-thirds think they happen at least several times a week, and a fifth think multiple times a day), yet only a quarter think their employees report those vulnerabilities every time they occur.
According to Guntrip, a zero-trust security approach can help — and he argues zero-trust network access should be even a bigger requirement for mobile devices versus managed laptops. “I’ve heard many organizations where, on your laptop, you can access these 10 applications, but on your mobile device you get these three,” he said. “And we can actually make that distinction because I’m looking at what operating system you’re coming from.”
However, zero trust should be bi-directional, he added. “So you’ve got the zero-trust network access and protecting the data from the user, but we also believe it needs to go the other way as well,” and protect a user from downloading, say, a malicious file from Dropbox onto a mobile device. “This is where the isolation piece comes in,” Guntrip said, referring to Menlo Security’s isolation technology, which moves the rendering of email attachments and web pages off the desktop or mobile device and into the cloud, so that active content never executes on the endpoint.
He points to the statistic that only 25% of organizations think employees report mobile browser vulnerabilities every time they occur. “But if you can then connect it back to corporate resources, then that’s a huge issue,” Guntrip said. “So as we look at zero trust, it very much needs to be bi-directional and it needs to be for your managed devices and your mobile and your unmanaged devices.”