Thanks to today’s impressively powerful processing, mobile phones are being used in business more than ever before.
Whether employees are working from company-issued phones or have been granted high-level access from personal devices, smartphones are now starting to take the place of desktops. However, they don’t offer nearly the same level of control or inbuilt security.
Mobile device security threats are on the rise and evolving in scope. To protect both devices and data, everyone in an organisation must understand the associated risks.
We take a look at six of the most common threats.
Lost or stolen devices
An unattended device can be a major security risk — especially if it doesn’t have full data encryption and a strong password or biometric security to guard it.
If the device isn’t properly protected and gets into the wrong hands, it’s easy for criminals to gain access to a whole load of data. However, hackers don’t need to physically have the phone in their hand to be able to exploit it…
Poor password hygiene
It doesn’t matter how many times we say it; we still frequently see poor password practices across companies of all sizes. This becomes especially problematic when staff are carrying around mobile phones that contain both company accounts and personal sign-ins.
When people want to sign in quickly to various apps, sites and services, they’ll often use the same password across everything. Even if just one employee types a company account password into a prompt on a random site, this could pose a considerable risk to the organisation. What’s more, studies have shown employees frequently share their passwords with co-workers across personal and work accounts accessed via their mobile devices.
Out-of-date devices
Unlike desktops, smartphones and other smaller connected devices generally don’t come with the same guarantees of timely and ongoing software updates, posing a real risk to enterprise security. Android manufacturers, in particular, have been famously ineffective at keeping products up to date — both with operating system (OS) updates and the monthly security patches between them.
Plus, even if frequent updates are available on your employees’ devices, there’s no guarantee they’ll carry them out. Many people will continuously hit “remind me later”, but they must update their devices regularly to benefit from the latest security features.
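One practical way to act on the two points above (vendor support for the OS version, and whether the monthly patches are actually being installed) is to audit the device inventory an MDM exports. The script below is an added example written for this article, not code from the original page or from any vendor: the inventory records, field names, cut-off versions and 90-day patch-age limit are all assumptions, and iOS devices are given a patch date purely for illustration.

```python
from datetime import date

# Constructed MDM inventory export; the field names are an assumption for this example.
INVENTORY = [
    {"device_id": "dev-001", "os": "Android", "os_version": "13", "security_patch": "2023-11-05"},
    {"device_id": "dev-002", "os": "Android", "os_version": "11", "security_patch": "2023-02-05"},
    {"device_id": "dev-003", "os": "iOS", "os_version": "17.1", "security_patch": "2023-10-25"},
    {"device_id": "dev-004", "os": "Android", "os_version": "12", "security_patch": ""},
]

# Oldest major version the organisation still accepts (assumed policy values, not vendor data).
MIN_OS = {"Android": 12, "iOS": 16}
# Devices whose most recent security patch is older than this are treated as stale.
MAX_PATCH_AGE_DAYS = 90


def major_version(version):
    """'17.1' -> 17; MDMs usually report the marketing version string."""
    return int(version.split(".")[0])


def parse_patch_date(value):
    """Return a date, or None when the MDM reported no patch level at all."""
    if not value:
        return None
    return date.fromisoformat(value)


def assess_device(device, today):
    """Return the list of policy violations for one device (empty list = compliant)."""
    reasons = []
    if major_version(device["os_version"]) < MIN_OS[device["os"]]:
        reasons.append("os_unsupported")
    patch = parse_patch_date(device["security_patch"])
    if patch is None:
        # A missing patch level is itself a finding: the device cannot be shown to be current.
        reasons.append("patch_level_unknown")
    elif (today - patch).days > MAX_PATCH_AGE_DAYS:
        reasons.append("patch_stale")
    return reasons


def non_compliant(inventory, today):
    """Map device_id -> violations for every device that fails at least one check."""
    result = {}
    for device in inventory:
        reasons = assess_device(device, today)
        if reasons:
            result[device["device_id"]] = reasons
    return result


def audit(today_iso="2023-12-01"):
    """Convenience entry point: run the audit against the constructed inventory."""
    return non_compliant(INVENTORY, date.fromisoformat(today_iso))


if __name__ == "__main__":
    for device_id, reasons in audit().items():
        print(device_id, ", ".join(reasons))
```

Devices that appear in the output are the ones to chase with users who keep pressing “remind me later”, or to block from enterprise data through conditional-access rules until they are brought up to date.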
Unsecured public Wi-Fi
Unless employees have a substantial data allowance, chances are they’ll be seeking out public Wi-Fi whenever they’re away from home or the office. However, one of the sneakiest ways hackers take advantage of the vulnerabilities of mobile devices is through unsecured wireless networks.
Although free public Wi-Fi in places like coffee shops and airports might seem reputable, it could be a trap set up to lure users onto the network. In some cases, users will need to create an “account”, complete with a password, to access the network. As we’ve already mentioned, many users will employ the same email and password combination for multiple services — which, in this case, could allow hackers to compromise their email account, as well as any personal information or secure corporate data stored on the device.
As such, robust mobile policies which restrict employees from accessing enterprise data through public Wi-Fi are vital.
Phishing and SMS fraud
By now, most people are familiar with the term ‘phishing’ — a way for hackers to extract sensitive personal and corporate data through seemingly legitimate emails. On mobile devices, users might also receive a text message from a sender pretending to be someone they know.
The sender will exchange texts with the recipient and then ask them to send personal information such as passwords or bank details. Alternatively, they might ask the user to call a number; when the user calls, data is then easily extracted from the phone.
SMS fraud can also take many other forms. Spam messages might direct a recipient to a web link asking them to enter their details. Grey routes and SIM farms allow businesses to send bulk messages to customers through unsecured delivery methods that could expose sensitive information to cyber criminals. Fraudsters can also infiltrate someone’s text messages and steal their data if they connect to a network in a foreign country — known as “roaming”.
SIM swap fraud is similar to but more complicated than phishing, as it targets SMS-based two-factor authentication. Hackers will “port” the user’s phone number to another SIM and intercept any passwords and personal information sent via SMS. One Watchdog viewer found this out the hard way when hackers stole more than £5,000 from his bank account by hijacking his mobile phone account through an SMS message and using it to authenticate transactions.
If there is no security software in use on the mobile device, neither the employee nor the company may even be aware of the breach. Therefore, it is crucial to educate employees on the importance of not taking calls from or replying to messages from unknown numbers.
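The SIM swap case above is detectable on the service side: a one-time code verified over SMS very soon after the phone number moved to a new SIM is exactly the pattern the Watchdog viewer fell victim to. The following is an added example for this article, not code from the original page or any bank or carrier: it correlates a constructed stream of carrier SIM-change notifications with an application’s own SMS OTP verification events (the event shapes, numbers and the 48-hour window are assumptions) and flags the verifications that warrant a step-up to a non-SMS factor.

```python
from datetime import datetime, timedelta

# Constructed event stream. Two sources are merged here: "sim_changed" notifications
# (assumed to come from a carrier or SIM-swap lookup feed) and "sms_otp_verified"
# events from the application's authentication log. Numbers are made up.
EVENTS = [
    {"ts": "2023-06-01T09:00:00", "type": "sms_otp_verified", "msisdn": "+447700900111", "user": "alice"},
    {"ts": "2023-06-01T10:40:00", "type": "sms_otp_verified", "msisdn": "+447700900222", "user": "bob"},
    {"ts": "2023-06-01T10:15:00", "type": "sim_changed", "msisdn": "+447700900222"},  # arrives out of order
    {"ts": "2023-06-01T11:00:00", "type": "sms_otp_verified", "msisdn": "+447700900222", "user": "bob"},
    {"ts": "2023-06-03T12:00:00", "type": "sms_otp_verified", "msisdn": "+447700900222", "user": "bob"},
]

# How long after a SIM change an SMS code should not be trusted on its own (assumed policy value).
WINDOW = timedelta(hours=48)


def parse_ts(value):
    return datetime.fromisoformat(value)


def flag_otp_after_sim_change(events, window=WINDOW):
    """Return (user, timestamp) for each SMS OTP verified within `window` of a SIM change
    on the same number. Events are sorted first so out-of-order delivery does not hide a hit."""
    last_change = {}  # msisdn -> timestamp of the most recent SIM change seen so far
    flagged = []
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts = parse_ts(event["ts"])
        if event["type"] == "sim_changed":
            last_change[event["msisdn"]] = ts
        elif event["type"] == "sms_otp_verified":
            changed_at = last_change.get(event["msisdn"])
            if changed_at is not None and ts - changed_at <= window:
                flagged.append((event["user"], event["ts"]))
    return flagged


if __name__ == "__main__":
    for user, ts in flag_otp_after_sim_change(EVENTS):
        print(f"{ts}: SMS code for {user} verified shortly after a SIM change; require another factor")
```

In the constructed data, Bob’s two verifications on 1 June fall inside the window and are flagged, while the one on 3 June (more than 48 hours later) and Alice’s, whose number never changed SIM, are not. The sensible response to a hit is to refuse the SMS code and demand an authenticator app, hardware key or a call-back to a previously verified contact, not to block the user outright.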
Malicious and data-leaking mobile apps
Perhaps one of the most significant risks associated with the use of phones is mobile applications. Often, employees will download apps they believe to be from legitimate companies — but in reality, they will be fake applications containing malware.
Mobile apps regularly cause unintentional data leakage, too, when employees give them sweeping permissions without checking security. Free applications found in official app stores will typically perform as advertised but also send personal (and even corporate) data to a remote server — where it is then mined by advertisers or, potentially, cyber criminals.
To limit the risks associated with fake mobile applications, organisations should prevent employees from downloading apps from unreliable sources and grant apps only the permissions they genuinely need to do their job.
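Checking “permissions they genuinely need” can be done before an app is approved for company devices by reading the permissions its Android manifest requests and comparing them with what the app’s stated purpose justifies. The script below is an added example for this article, not code from the original page or from Google: the “flashlight” manifest, its package name and the expected-permission list are constructed, while the permission names themselves are real Android runtime permissions.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this XML namespace, so ElementTree reports them as "{ns}name".
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed manifest for a hypothetical torch app; the package name is made up.
# A torch plausibly needs the camera (for the flash LED) and nothing else listed here.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

# Runtime permissions that give an app access to personal or corporate data. This is an
# illustrative subset chosen for the example, not Android's complete "dangerous" list.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
}


def requested_permissions(manifest_xml):
    """Every <uses-permission android:name="..."> in the manifest, sorted for stable output."""
    root = ET.fromstring(manifest_xml)
    return sorted(el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))


def review(manifest_xml, expected):
    """Sensitive permissions the app requests beyond those its purpose justifies.
    `expected` is the reviewer's allow-list for this particular app."""
    requested = set(requested_permissions(manifest_xml))
    return sorted((requested & SENSITIVE) - set(expected))


if __name__ == "__main__":
    excess = review(MANIFEST, {"android.permission.CAMERA"})
    if excess:
        print("Unjustified sensitive permissions:", ", ".join(excess))
    else:
        print("Permissions match the app's stated purpose")
```

INTERNET is deliberately not in the sensitive set: on its own it tells the reviewer little, but combined with READ_CONTACTS or READ_SMS it is how the “free app that quietly sends data to a remote server” pattern described above is realised, so any excess finding from this check should be read alongside the app’s network behaviour.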
Appropriate policies and advanced technologies
The message is simple: leaving security in the hands of device users isn’t enough. To ensure both mobile devices and company data remain protected, organisations need to implement the appropriate policies and advanced technology. These technologies might include VPNs, password managers, multifactor authentication (MFA) and cloud access security brokers (CASB), as well as mobile device management, encryption and antivirus software.
Software developers One Identity and Entrust Datacard both supply MFA software, which strengthens the authentication of the user in business applications. Entrust Datacard’s CensorNet platform also includes a CASB, which manages the use of mobile apps that are secure or not secure for use with business content.