Let’s face it: mobile devices at the workplace are risky but necessary part of business operations. In a highly connected world that’s become increasingly reliant on fast transactions and speedy updates, not having a BYOD (bring-your-own-device) policy at your workplace can put you at a competitive disadvantage.
Many entrepreneurs and CEOs allow workers to use mobile devices because it is convenient and costs the company lower capital expenses for the purchase of equipment. Whether they belong to IT services, healthcare, NGOs, or other industries, allowing employees to use their mobile phones or laptops for work means higher flexibility and greater mobility.
But, those savings and extra convenience come at a security cost, especially now that the Internet of Things (IoT) will become the norm rather than the exception business transactions and operations.
7 Threats from Mobile Attacks and Vulnerabilities
1. Clueless or apathetic employees
Even the most well-intentioned employees can be a source of mobile attacks, especially if they ignore company warnings on data security. Awareness training on the dangers of accessing files on an unsecured public Wi-Fi can only do so much if employees don’t take responsibility for their actions.
Put the proper employee education systems in place, and make it a company initiative to conduct mandatory data security on a regular basis. Such policies will help prevent non-malicious insider threats from occurring, an occurrence that experts say has quickly become one of the largest threats to businesses when it comes to device security.
In addition to that, make sure there are robust mobile security policies in place. It should include policies for authentication, rules for credential storage, PII restriction for email, as well as restriction and limitations for passwords and PINS. Make it part of your new employee onboarding process, and conduct regular training and update employees periodically, especially when there are new regulations or threats in place.
2. Credential-stealing or authentication attacks
Mobile devices should be treated as direct channels to the Cloud or to an internal business IT infrastructure. Think of your smartphone as a card key that criminals can use to gain access to all the data and confidential company information stored in the cloud or within an internal IT infrastructure.
Hackers go for unsecured mobile devices not just to crack a phone code or steal information from your laptop, but also to use it as an opening or vector to freely access data from these sources.
3. Operating system variations
The more mobile devices, smartphone, or tablets used by your operating system, the greater your system vulnerabilities. For example, Android sports over 24,000 types of mobile devices, making every one of these tablets or smartphones open as attack vectors or access points.
4. Fake apps
Fake apps have been repackaged to look authentic, but once you download them, it will come with malicious features such as the ability to remotely control your device, turn on the camera, or gain access to your GPS tracking feature.
According to Dave Jevans, CEO of Marble Security, “Enterprise users casually give these riskware apps sweeping permissions, not realizing that their personal and corporate data may be sent to remote servers and advertising networks all over the world, where it can be mined by cybercriminals and hostile governments seeking access to corporate networks.”
5. Man-in-the-middle
Imagine you’re working in a coffee shop. You spot a free or public Wi-Fi hotspot and use it access work-related files. Later in the day, the files are gone, along with other sensitive company data.
In this case, you’re correct to assume that the free Wi-Fi hotspot is to blame. It’s easy to fake these types of access points by spoofing encryption security certificate credentials, and are used to intercept, change, or steal data.
6. Malware and Trojans
If you’ve read your Greek mythology, then you’ve probably heard about the Trojan horse, a hollow wooden statue the Greek army used to conceal themselves and gain entry into Troy.
In cyberspeak, it works the same way in that malicious code is embedded in attachments or applications via mobile devices. You become even more vulnerable without antivirus in place. Attackers and cyber criminals are become more sophisticated, targeting mobile devices more and more.
For example, non-jailbroken iOS devices became the target of attack by what is called the WireLurker in 2014. A comprehensive and updated security solution must be installed to prevent these types of infiltration from taking place.
7. Jailbreaking smartphones
Jailbreaking your smartphone to enjoy more features or apps might sound like a good idea, but it also makes your mobile device more vulnerable to cyber criminals.
When you bypass device limitations, change configurations, or alter settings, it opens your phone to more chances of getting attacked by wily hackers.
8. Security risks on Android OS
The Android operating system typically has numerous variations and many ways for customization, making it more vulnerable to malicious attacks especially when security patches are not prioritized and take a back seat.
Lower your security risks by making sure that a full release is available, which more often than not contain a more stable infrastructure that is less open to attack.
9. Facebook’s new payment platforms
Facebook will use third party sources for security in its new payment platform. However, experts are concerned about the difficulty of using a Trusted Service Management platform that includes agreements with manufacturers of the handset when it comes to managing secure payment options.
Many worry that Facebook might not evolve into a classical payment platform, making it more vulnerable to malware attacks. As such, be wary of mobile payment security sources such as this, and put all security measures in place.
10. The danger of Root kits
Rootkits make it more difficult to trace while giving an attacker total control over your mobile device. Some have used it to harvest personal information of infiltrated devices, making it a cause for concern since the widespread usage and reliance on mobile devices to conduct our personal and daily activities.
Just like any other security threat, make sure that you coordinate with your IT team to install the necessary security measures needed to mitigate any threats. You should also secure the data on your employee’s mobile devices, especially sensitive company information.
11. Privacy Loss, Identity Theft or Spoofing
Just the mere fact that if a mobile device is stolen or lost, all credentials that are available on these devices can be used by a malicious person for spoofing an employee’s identity and can be used to transact with other people using the identity of the owner of the lost mobile device. Not only that, the owner of the lost device can have his or her privacy at risk, considering all information about the owner is now in the hands of a malicious person.
5 Ways to Mitigate Threats from Mobile Devices
1. Implement basic hygiene
Yes, it applies not just for personal cleanliness, but mobile security as well. This includes using passwords, biometric locks, device encryption, updating to the latest OS release, and other basic steps to enhance security.
This can be done by updating and installing anti-virus and anti-malware programs, taking the time to verify sources of downloaded apps or programs online, and creating strong passwords and PINS.
2. Don’t mix work and personal data together
Separate these two areas of your life by creating a secure barrier that lowers the risk of insider threat where cyber criminals can access sensitive work data over unsecured networks. You can better manage work-related data when stored in encrypted and protected containers that delineate work and personal information.
3. Have a mobile device management MDM strategy in place
This is used in the event that the first line of defense you have in terms of security does not work. It’s an important means of ensuring that further damage is mitigated and prevented, where safeguards are in place. It includes network security where policies and security hygiene and training are implemented.
An MDM strategy is a comprehensive preventive policy that uses various tools to make sure that the right security measures are in place to ensure that you have a well-fortified network that is less vulnerable to attack.
4. Have a robust mobile security policy in place
When you customize your business’s mobile policy to suit your operational needs, make sure that the right security policies are in place to avoid any network breaches. Start by having an access management procedure in place that helps authenticate users accurately, and that includes a guideline that employees can refer to when it comes to policies about accessing remote data.
There should also be remote swipe control rules which allow you to wipe out confidential data in the event of stolen or lost mobile devices. This is an effective way to avoid unauthorized access once the device falls into the wrong hands. Also, ensure that an inventory management producer is included, where your IT team can track the network users in real time for monitoring purposes. Of course, the security policy should include immediate reporting mechanisms should devices are lost, stolen or are breached.
5. Streamline security management
Cyber security is complicated enough as it is, so make an effort to simplify how it is managed as best as you can. For example, avoid the need to switch among consoles for each network segment. This not only makes it simpler and easier to manage but also lowers the chance for errors as well. Unify controls among various segments.
6. Do an audit of mobile operating systems used by your employees
This should extend across all systems, endpoints, networks, and environments where mobile OS must be audited. Android is the most vulnerable OS, with up to 71% of devices on this platform having been victims of an attack, most commonly the Trojan virus where passwords and other data can be stolen or back doors could be secretly installed for criminals to access your network.
iPhones or those on iOS devices might be less vulnerable but are not guaranteed from attack. Whatever platform your enterprise is using, be aware that not all are totally secure, so you need to install a solid security policy and robust measures in place.
7. If possible, use an encryption mechanism or a two-factor authentication system for mobile devices that are connecting to an enterprise systems.
This will ensure that an additional authentication layer is available when accessing enterprise applications. However, the token used for the second layer authentication should not be the same device as the mobile phone otherwise, the authentication will also be sent to the lost or stolen device.
Personal smartphones and other mobile devices are no longer a distraction from work. These gadgets are now considered to be an integral part of business, especially with the advent of the IoT.
It’s unrealistic to ban them from work altogether because productivity and employee morale, productivity and efficiency will likely suffer. What you can do is to assume that the possibility of a cyber attack is no longer a question of “what if?” but more of a question of “when?” This way, you become pro-active in mitigating risks by having the right disaster recovery plan in place.
It’s your best bet to help prevent the spread of any security threats that result from workers connecting their devices in an uncontrolled area.