SJA Exclusive: How remote work expanded the modern attack surface

Ash Patel, General Manager for EMEA, Zimperium discusses protecting an organization’s data and information in an age of remote working.

Remote work arrived with a bang. After international lockdowns in early 2020, millions of people were forced into their homes to help staunch the spread of COVID-19. Mass remote work came as a necessity for businesses to survive and operate under trying circumstances.

Only a few years later, remote work remains a fixture of modern business and has become formalized across many sectors. In doing so, it has fundamentally disrupted the security structures that once characterized enterprise security and broadened the attack surface from the office to everywhere and anywhere that employees access corporate data.

Modern work is increasingly situated on mobile endpoints and modern security has to reach these devices if organisations want to stay ahead of emerging mobile threats.

Remote work and the mobile endpoint

Zimperium’s 2019 State of Enterprise Mobile Security report showed that 60% of enterprise endpoints are mobile devices. It also revealed that 80% of daily work is performed on a mobile device.

This location-agnostic IT strategy presents a serious challenge to traditional office-bound security controls. These were designed with the assumption that data would stay within the office environment and behind the network perimeter. However, our reliance on mobile endpoints has spread data far outside those bounds. In fact, modern business essentially demands it to stay competitive.

Getting personal

If remote work has deepened organizations’ ability to stay flexible and agile, it has also exacerbated the risks. Zimperium’s 2022 Global Mobile Threat Report (GMTR) revealed that almost 50% of cybersecurity professionals believed that their remote work strategy played a significant role in their cybersecurity incidents.

On top of that, remote work has further disrupted the ability of businesses to actually set corporate security policies. The 2022 GMTR showed that 61% of cybersecurity professionals believe that setting cybersecurity policies in the age of remote work is nearly impossible.

One of the reasons for this is the heterogeneous IT environment of remote work, characterized by our increasing reliance on personal mobile devices. Verizon’s 2022 Mobile Security Index (MSI) surveyed business leaders on this topic. Over half – 53% – of the survey’s respondents agreed that mobile devices are increasingly accessing more sensitive corporate data. In fact, according to the 2022 GMTR, 66% of devices used in the enterprise are personal devices.

As remote workers access corporate networks and data from their own devices, they expose that sensitive data to the potential insecurity of those endpoints.

Mobile applications

One of the ways in which remote work is executed on personal devices is through enterprise applications on the devices. The 2022 GMTR showed that 73% of technology leaders use at least four enterprise applications on their personal devices.

This can provide a direct line of attack into a corporate network. Microsoft360, for example, allows many to access the entire suite of Microsoft applications from their phone. In fact, one poll shows that 84% of IT professionals have it enabled on their phone. Unfortunately, another report from Kaspersky says that 72% of exploits are targeted directly at this one particular software suite. In comparison, only 13% of exploits are targeted at browsers.

The problem doesn’t stop there. Most of the applications on a personal device will likely be for private use. Unfortunately, malicious apps often appear on legitimate app stores. Many such applications disguise themselves as legitimate educational or health applications on trusted app stores such as the Apple Store or Google Play. Once downloaded, these malicious apps can act as remote access trojans or spyware – allowing the attacker to hijack or surveil the device to steal crucial credentials or sensitive information contained on the phone.

Outside of mainstream app stores, these malicious apps can also be ‘sideloaded’ onto devices through direct downloads from developer websites or third-party app stores, thus bypassing the security controls of trusted app stores.

Device attacks

The private management of those personal devices can also cause problems. Users are effectively the admins of their own devices, meaning that they’re ultimately responsible for updating, patching and treating their device securely. When users fail to update their device operating systems or even purposely jailbreak their phones, they invite threats which can ultimately harm the organisations for which they’re remotely working.

Phishing

Phishing has been a reliable tactic for years and continues to be the reason for countless successful cyber-attacks. Phishing messages – pretending to be from a trusted party – will direct victims towards malicious URLs which will then download malware onto the endpoint or fraudulently compel them to carry out certain actions.

While traditional phishing is mostly performed through email, mobile phishing can leverage text message functionality as well as exploit push notifications, which have led to attacks on Uber, Cisco and others in recent months.

Network attacks

“Remote” mobile devices are often at the mercy of the networks they’re using and the potential attacks which emanate from them. If a mobile device were to connect to an insecure Wi-Fi network, an attacker could use a man-in-the-middle attack to insert their own device as a router and, from there, covertly surveil the user’s activities or fraudulently compel them to download malware.

Attackers could also use a rogue access point (RAP) to deploy targeted exploits against that device and gain persistent access to it long after it has disconnected from that insecure Wi-Fi point.

Catching up with the expanding attack surface

As with so many developments in IT, new technologies get released and security takes a while to catch up. Mobile devices – a cornerstone of remote work – require a parallel move forward. Protecting them requires that security controls extend to where work is actually being done – on the device.

However, many attempts to secure mass remote work don’t quite expand to cover that new surface. VPNs, for example, are an important part of policing the connections between remote endpoints and corporate networks.

Mobile device management (MDM) solutions can also be extremely helpful in remote work settings. Similarly, remote workers are now better educated about the various threats to their devices and often compelled by employers to use security controls like multi-factor authentication on them. These are important steps, but ultimately insufficient to protect against the array of threats that mobile devices face such as phishing, network vulnerabilities or zero-day threats.

Any effective approach to mobile endpoint security in an age of remote work has to secure the mobile device itself. Mobile threat defense (MTD) capabilities can offer continuous always-on protection at the device level, so that those mobile devices stay protected when they’re connected to insecure networks or not even connected to the internet at all. Furthermore, they continuously assess device security posture, detecting threats as they arise and blocking access when they do.

The rise of mobile threats and the increasing centrality of remote work seem inextricably linked. While there might not be a clearly identifiable causation, there is most certainly a correlation – in 2021, zero-day exploits against mobile devices increased by nearly 500% while mobile-specific phishing websites grew by 50%.

Remote work might be a new reality, but mobile breaches don’t have to be. The attack surface has expanded to include the personal devices which make up such a big part of remote work. Security needs to catch up.
