Yesterday in San Francisco, Apple launched the iPhone 6S and iPhone 6S Plus alongside iOS 9. While tweens may be thrilled with the new rose gold color option, as a passionate security advocate, I’m much more excited about the positive mobile security changes iOS 9 will likely bring about.

Apple will now default its devices to six-digit passcodes instead of four — a move that’s two small steps for users but one giant leap forward for mobile security as a whole. With the addition of two digits, iDevices instantly become tougher to brute-force: an attacker guessing the passcode now faces 1 million possible combinations versus the previous 10,000.

What Do Passcodes Mean for Businesses?

This bold move by Apple serves as an opportunity — and a wakeup call — for companies to refresh and strengthen their own current bring-your-own-device (BYOD) policies. In fact, new IBM research into 1 million BYOD and corporate-issued devices revealed that today:

  • Nearly 90 percent of companies only require simple, numeric PINs;
  • Almost 80 percent of those companies enforce the most basic option to protect the data on these phones: a four- to five-digit PIN, which can be brute-forced in as little as 18 minutes, according to the iOS Hacker’s Handbook.
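To make the passcode-length figures above concrete, here is a small policy calculator (an added example, not code from the original post or from IBM). It derives an assumed per-guess cost from the post’s own 18-minute figure for a four-digit PIN, then compares keyspaces and worst-case exhaustive-guess times for the policies a BYOD administrator might choose; the policy names and the six-digit minimum check are constructed assumptions.

```python
"""Compare mobile passcode policies by keyspace and exhaustive-guess time."""
from dataclasses import dataclass

# Assumption derived from the post: 10,000 four-digit codes in 18 minutes,
# i.e. a fixed cost of roughly 0.108 seconds per guess.
SECONDS_PER_GUESS = 18 * 60 / 10_000


@dataclass(frozen=True)
class PasscodePolicy:
    name: str
    length: int
    alphabet_size: int  # 10 for digit-only PINs, 36 for lowercase+digits, etc.

    def keyspace(self) -> int:
        """Number of distinct passcodes the policy permits."""
        return self.alphabet_size ** self.length

    def exhaustive_seconds(self, seconds_per_guess: float = SECONDS_PER_GUESS) -> float:
        """Worst-case time to try every code at a fixed per-guess cost."""
        return self.keyspace() * seconds_per_guess


def relative_strength(weak: PasscodePolicy, strong: PasscodePolicy) -> int:
    """How many times larger the stronger policy's keyspace is."""
    return strong.keyspace() // weak.keyspace()


def policy_gaps(policy: PasscodePolicy, min_length: int = 6) -> list:
    """Constructed BYOD baseline: at least six characters, and flag digit-only."""
    gaps = []
    if policy.length < min_length:
        gaps.append(f"length {policy.length} is below the minimum of {min_length}")
    if policy.alphabet_size <= 10:
        gaps.append("numeric-only PIN; consider an alphanumeric passcode")
    return gaps


def compare(policies) -> list:
    """Return (name, keyspace, worst-case hours) rows for a policy review."""
    return [(p.name, p.keyspace(), round(p.exhaustive_seconds() / 3600, 1))
            for p in policies]


if __name__ == "__main__":
    four = PasscodePolicy("4-digit PIN (old iOS default)", 4, 10)
    six = PasscodePolicy("6-digit PIN (iOS 9 default)", 6, 10)
    alnum = PasscodePolicy("6-char lowercase+digits", 6, 36)
    for row in compare([four, six, alnum]):
        print(row)
    print(relative_strength(four, six), "x larger keyspace")
```

The worst-case hours assume no lockout or escalating delays between attempts; any throttling the device enforces only lengthens them.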

What we’re running on our phones only compounds this increasingly complex problem. Another IBM study found that nearly 40 percent of companies, including many in the Fortune 500, aren’t properly securing the mobile apps they build for customers. Moreover, 67 percent of companies allow employees to download unvetted apps to their work devices.

This opens enormous windows of opportunity for attackers, and they are increasingly capitalizing on these vulnerabilities.

While Apple’s latest security update is a well-timed win in the fight against increasingly organized and resourceful cybercriminals, for mobile security to improve across the industry, companies must also stay mindful of the very reason BYOD has become a global phenomenon: user convenience.

Balancing Convenience With Security Protection

Apple’s new six-digit default is a perfect example of how to help users better protect personal and corporate data while still maintaining the ease of use they crave through touch authentication.

IBM partners with our clients in order to help them better calibrate the convenience and security equation. To get started, here are several best practices to consider:

  1. Communication is critical. Many employees don’t understand the risks of using unsecured mobile devices and apps, nor are they trained on the security of mobile content access and management in the workplace.
  2. Companies that seek to implement strong mobile device security would also do well to allow employees to use biometric authentication to ensure mobile devices remain convenient and secure.
  3. Investigate ways to strengthen the security of corporate data living on mobile devices even further, such as linking to an overall corporate identity management system or considering two-factor authentication.

Overall, flexibility is key to accomplishing mobile security goals. As mobile technology continues to evolve and expand, it’s also encouraging to see the industry continue to make it easier for users to protect themselves.

Yesterday’s news is a strong step in the right direction, but there’s much more to be done. Passcodes are simply the user’s first line of defense and remain only one piece of the puzzle. Security teams should use this moment to further rally around mobile security initiatives, such as stronger authentication of the data and apps that reside on the device, which will help us protect ourselves against rising threats in simple yet effective ways.
