A few months ago, the largest U.S. pipeline operator, Colonial Pipeline, was forced to halt operations for nearly a week due to a ransomware attack. While it ultimately didn’t stop consumers from buying gasoline, the incident forced the company to pay a $4.4 million ransom and illustrated just how vulnerable energy organizations are to cyberattacks. Europe is in the midst of a major energy crisis, so it isn’t hard to imagine an already strained supply chain collapsing as a result of similar incidents.
Like most other verticals, the energy industry is going through a major digital transformation. Organizations are modernizing operations and shifting workloads to mobile devices and cloud applications. While this interconnectedness has streamlined operations, it has also exposed these businesses to additional risks. To help the energy industry react to evolving cyber threats, Lookout today published the 2021 Lookout Energy Industry Threat Report.
In the report, I write about how one in five energy employees encountered a mobile phishing attack in the first half of 2021 — a 161% surge compared to the previous period. With mobile phishing being one of the easiest ways for an attacker to steal credentials and compromise an organization’s infrastructure, this is quite concerning. I also found that the energy industry encounters mobile app threats at nearly 8%, twice the rate of other industries.
To get a detailed breakdown of the findings, I recommend that you give the full report a read. In the meantime, here are some of the key findings:
Mobile phishing: simple but deadly
Mobile phishing is one of the most common ways for an attacker to enter your infrastructure. With stolen credentials, they can move around laterally within your organization and look for sensitive data or additional vulnerabilities.
The obvious remedy is to ensure that your organization has dedicated anti-phishing solutions that work no matter where your employees reside — something that has become an imperative as people continue to work from anywhere.
Education is the first step
But the first step is actually not purchasing additional tools, it’s training. Most of us think of phishing as desktop-focused attacks delivered via email. The reality is that mobile devices have become the primary target. With the ability to send phishing links through any mobile app that has messaging functionality, attackers now have countless channels to leverage. Your employees also need to realize that phishing attacks are a lot harder to spot on mobile than on desktop. With a smaller screen and simplified user interfaces, the classic telltale signs are hidden.
Fool me twice, shame on me
How do I know that education works? The Lookout Secure Web Gateway module informs our users every time they encounter a mobile phishing attack, and we analyzed the aggregated data from those encounters. We found that, of all the users who clicked on a phishing link, more than 50% stopped interacting with subsequent attacks. By the sixth time, only 5% of our users click on phishing links. This is a vast improvement!
However, 5% is still 5% too many. Attackers only need one successful phishing attempt to find their way into your infrastructure. A good example of this was the 2020 Twitter breach, where a single spear phishing attack resulted in 130 high-profile accounts being compromised.
Mobile app threats: malware is not the problem
In the Lookout Energy Threat Report, we also analyzed mobile app threats faced by energy organizations. I think a lot of us probably think of malware — specifically, really sophisticated families like Pegasus, in which a device can be compromised without the user ever interacting with the malware.
The data shows that it is actually the opposite. 95% of app threats come from risky apps and app vulnerabilities. Risky apps are apps that ask for unnecessary permissions and have poor data handling practices. Vulnerabilities are flaws in apps that attackers can exploit to compromise a device.
Many security teams may overlook mobile apps because they believe the mobile ecosystem is secure. The reality is that any app in your mobile fleet can have significant security and compliance ramifications, whether through the permissions it requests, the SDKs it uses or the vulnerabilities it carries.
Mobile must be part of any cybersecurity strategy
At the end of the day, energy organizations need to understand that the cybersecurity threat landscape has changed. Not only are users and endpoints more interconnected than ever, they are also prime financial targets for threat actors.
Mobile devices are at the forefront of the digital transformation, but they have also introduced new risks. To keep pace with the ever-evolving cybersecurity threat landscape, you must include mobile devices as part of your strategy.
As described in this blog, mobile phishing and app threats, while they may seem like small issues, will affect your organization greatly. To better understand the threats the energy industry is facing, download the full 2021 Lookout Energy Industry Threat Report.