Increasing security risks in the age of applications

Lori MacVittie, Principal Threat Evangelist, F5 Networks, discusses why, despite education and a constant litany of reminders that security is everyone’s responsibility, not only is the corporate-consumer barrier being breached on a regular basis, but the most basic of security practices is being completely ignored when it comes to apps and passwords.

Today we find ourselves swiping through pages of apps on our phones as the phrase “there’s an app for that” continues to become more of a reality than a simple marketing phrase. Whether it’s an app to watch TV, organise diaries, log exercise or play games, it’s hard to find an activity that there isn’t an app for. In fact, research shows the average person has over 80 apps installed on their phone. Furthermore, consumers are expected to download a staggering 258 billion mobile apps in 2022 alone.

Thanks to an insatiable appetite for data and visibility into consumer habits, most of those apps probably require an account. Whether it’s tied to a social media account or stand-alone, most apps encourage registration in order to access the most useful or interesting capabilities – like sharing what level of Candy Crush you’re stuck on today.

Those apps no doubt include social media. According to even more data (probably mined from the apps themselves), we had an average of 8.5 social media accounts in 2018. That’s nearly double the 4.8 average seen in 2014.

Now here’s where it gets interesting. The average number of email accounts per internet user was either 1.8 or 2.5 in 2018, depending on whether you cite data from Radicati or DMA, respectively. In either case, the number of email addresses per user is significantly lower than the number of social media accounts and apps used on a daily/monthly basis.

Which makes sense. Typically, we don’t maintain a one-to-one relationship between social media accounts and email addresses. We have grown as attached to our email addresses as we have to our phones: the DMA research found that 51% of people have held the same email address for more than 10 years. Colour me unsurprised. I’ve held the same personal email address for more than 20 years, and my corporate address for almost 13 now.

You can imagine that those two email addresses are associated with way more than the average number of apps and social media accounts.

Also unsurprising is the number of times my personal email address has turned up on a list of addresses compromised by some information breach. It’s a lot. I suspect given the statistics that most people can say the same thing. And if we project out the nearly linear growth of social media accounts for four more years, it’s likely that number will grow along with the number of available targets.

Now, think about that and then consider these findings from password management vendor, LastPass:

  • 43% of the top 30 domains employees use are also popular consumer apps (think Dropbox, for example)
  • 50% of people do not create different passwords for personal and work accounts

If that’s troubling, wait – there’s more. The same research found that 6 passwords were shared by the average employee. That’s six passwords shared with co-workers.

Take a deep breath, security pro.

Despite education and a constant litany of reminders that security is everyone’s responsibility, not only is the corporate-consumer barrier being breached on a regular basis, but the most basic of security practices is being completely ignored when it comes to apps and passwords. The Verizon Data Breach Investigations Report found that over 70% of employees reuse passwords at work.

That’s why it’s important for organisations to recognise and institute better protection of their own corporate assets – assets that are usually accessed via one of those 2.5 email addresses. The use of multi-factor authentication (MFA) and password complexity requirements are amongst the best defences against attackers easily brute forcing their way into lucrative sources of data. MFA is also one of the best defences against password sharing, because it requires an additional step at login – one that most co-workers can’t complete.

With every account that’s exposed, with every app that joins the corporate ranks, risk is increased. Risk from employees sharing passwords, risk from static email addresses with multiple passwords, and risk from attackers who know all these statistics and the best ways to exploit them.

MFA is not a panacea, but it is a good start on the road to addressing a risk that’s only going to continue to grow along with the number of apps on our phones and in use across personal and corporate domains.

Copyright Lyonsdown Limited 2021
