Safety Detective’s Aviva Zacks had the opportunity to interview Aaron Cockerill, Chief Strategy Officer of Lookout, and jumped at the chance. She asked him how his company is helping people protect their mobile phones.
Safety Detective: How did you get into cybersecurity and what do you love about it?
Aaron Cockerill: I wouldn’t say that I actually targeted a career in cybersecurity. We just sort of found each other.
Most of my career has been in engineering and product management of robotics systems, IT tools, and most recently mobile technologies. I think the reason I ended up in cybersecurity, and more specifically mobile/modern device cybersecurity is that as a product manager, I’m always trying to solve the biggest problem that I see for the customer. I like helping people and solving big and meaningful problems with technology, so cybersecurity seemed like a logical choice.
SD: What are some industries that use Lookout’s technology and why?
AC: I’d start by saying that our customers span a wide range of industries where employees use smartphones to access business-critical or business-sensitive information, which in this day and age is almost every industry.
Initially, highly regulated industries such as government, financial services, and healthcare were the primary customers for Lookout enterprise security solutions. But we quickly learned that demand for mobile security exists across the entire gamut of industries.
We’ve found the primary drivers for deploying mobile security have been external third-party security audits identifying mobile as an unprotected threat vector, compliance with broad-spectrum regulations like GDPR and PCI-DSS, and boards of directors asking CEOs tough questions after a breach.
The result is that mobile security is no more industry/vertical specific than, say, desktop virus protection.
SD: How can Lookout protect consumers from threats to their mobile phones?
AC: Lookout offers both a consumer and an enterprise solution for mobile security and both cover any mobile device running iOS, iPad OS, or Android. This means we can secure tablets and Chromebooks in addition to smartphones.
Our consumer and enterprise solutions use the same underlying technology, so consumers benefit from the development requirements defined by some of the largest enterprise and government IT organizations.
Consumers can download our solutions from the iOS and Google Play app stores and select the level of protection they want from within the app. The basic level of protection—provided for free—defends against malicious attacks to the phone by way of malicious apps or malicious OS modifications such as jailbreak/root. Consumers can purchase higher levels of protection:
- to protect them against phishing attacks and malicious links regardless of how the link is sent (e.g., email, SMS, Facebook messenger) and regardless of how the device is connected (e.g., cellular, Wi-Fi, or Bluetooth);
- to notify them if a service they use has been breached and what to do about it; and
- to provide digital identity protection, where we monitor the users’ personal information being exposed/traded on the dark web and explain what to do if their identity has been exposed/stolen, and which includes insurance against identity theft.
SD: What is the number one threat in cybersecurity today?
AC: Based on analysis of our data as well as discussions with enterprise CISOs and CIOs and individuals, phishing (social engineering) is the single largest cybersecurity threat today. Phishing, or social engineering, is the first step in more than 80% of cyberattacks.
The reason is obvious if you think about it. Phishing provides a higher ROI for the bad actor than, say, hacking an advanced IT system. And bad actors are increasingly targeting phishing attacks at mobile devices, typically sending them messages that trick them into clicking on links that steal their personal information (e.g., passwords or bank account details), or have them install malicious software such as surveillance-ware or spyware.
Let me explain further: First, mobile devices have a plethora of messaging options that are not available on, say, a work PC, which is limited to enterprise email and possibly chat that is typically well-protected. On most mobile devices, users message over social networking, personal email, SMS/MMS, and dedicated messaging systems like WhatsApp, Signal, Telegraph, and the like. And these messaging platforms are for the most part unprotected from social engineering. In fact, many of them actively block third party inspection by encrypting the traffic end-to-end. This makes it very difficult to monitor or protect them, especially given that often these communication apps are also personal and inspection would be an invasion of privacy.
Next, most mobile platforms make social engineering difficult for even savvy mobile users to detect. For example, on a desktop, users will “hover” the mouse over a link to see the real URL before clicking on it to identify a phishing attack. That’s not possible on a mobile device.
Similarly, mobile device browsers have limited space to display the address bar, truncating the URL, which makes it easy for phishing URLs to look safe.
On top of this, unlike a PC where almost all interaction with SaaS systems is with a browser that has had security built in for over 20 years, most SaaS interaction on a mobile device is through a dedicated app that may or may not incorporate browser-like protections.
Finally, mobile devices are more personal. Even if the device is company owned, an employee will send SMS messages to their spouse, relatives, and friends, take personal photos, etc.
When you take into account that these days we publish our entire lives on the internet for all to see, it becomes very easy for bad actors to exploit that information for phishing and social engineering attacks. Increasingly, we see bad actors sending very personalized messages over unprotected messaging systems, using social networking information to trick people into clicking on links and giving away personal details or installing malware.
It’s a massive problem on a small screen.
SD: How will the cyber threat landscape change in the next 5 years?
AC: Five years is a long way to predict the future in our industry, but I think we can safely predict a few things that will provide some good indicators of where things are headed.
- The distinction between desktop PCs and mobile devices will blur to become meaningless. This is important because in that transition the successful devices will use a modern operating system like iOS, iPad OS, and Android that only runs signed code that is protected from modification/tampering and where apps run in isolation.
- Devices will become more personal and bringing your own device (BYOD) to work will increase. This is because increasingly it will become necessary to have a capable mobile device with you at all times. It will be your identification (e.g., license, passport, signature, biometrics). It will be your car, house, and office keys, your payment method, and more. People will be reluctant to carry or use two different devices—one for work and a different one for their personal life.
- BYO-network will also become a thing. 5G will have a profound impact on us from a technological perspective, enabling things like self-driving cars, but that will be preceded by a more fundamental shift. If my phone has a faster and less restrictive connection to the internet than my company’s Wi-Fi, I will use that to connect. Most of my work tools are SaaS anyway and accessible on any network, so why use corporate Wi-Fi when I already pay for unlimited, unrestricted 5G that’s faster and available everywhere? This completely removes any notion of a corporate security perimeter.
- Privacy will be a driving force making a fundamental change in the way security tools must function. We should expect that all devices are personal, all communications are encrypted end-to-end, only signed (authorized) apps can be installed and executed, and all operating systems prevent tampering and block the level of inspection provided today through things like kernel extensions.
- Almost everything electronic will be connected (IoT), and many of these devices, once set up, will operate almost exclusively without a human user.
- Vulnerabilities will not go away. Developers will still make mistakes and the rapid pace with which things change will only increase, making these vulnerabilities more of a problem since the number of systems that can be easily exploited through software will have increased.
- Machine learning and artificial intelligence will be commoditized and widely adopted by bad actors seeking to identify vulnerabilities, as well as to generate personally targeted social engineering attacks and attacks on IoT devices.
- Cyberattacks will broaden from targeting systems for information, financial gain (e.g., ransomware), and IP theft to become a method of attack in the physical world. Stuxnet was widely publicized as one of the first instances of this type of attack. Five years from now, almost every home, building, car, device, and increasingly many individuals will be “connected” and thereby open to attack.
Borrowing from Frank Abagnale, printing fake checks was far more difficult in the 1970s than it is today. So my prediction is that cyberattacks will move from the realm of specialized cyberattackers and nation-states to a weapon widely available for purchase by individuals. And cybersecurity will move from something we purchase for specific systems to something we use to protect everything in our life.