Do you remember the days when the biggest threats to security only existed on your computer? Spyware ran silently in the background monitoring your actions, phishing stole private data and of course who can forget viruses. You might even have a memory of a time when a virus wreaked havoc on your computer systems.
These types of attacks haven't changed, but with cell phone and tablets used more today than ever before, cybercriminals are targeting mobile devices more often.
But there's a difference. Securing mobile devices goes beyond simple virus protection software. It has more to do with you improving your mobile security practices. As a business, the last thing you want is an embarrassing breach that ends with your internal data published for the world to see.
To get you thinking about how to secure your data, here are 10 threats affecting mobile security and what you, as an enterprise, can do to fight back and protect your networks, internal data and employees.
Mobile security threats explained
People tend to look at mobile security threats as an all encompassing threat. But the truth is, there are different types of mobile security threats to be aware of. They include application-based, web-based, network-based and physical threats.
Here's how they work:
- Application-based threats happen when people download apps that look legit but actually skim data from their device. Examples are spyware and malware that steal personal and business information without people realizing what's going on.
- Web-based threats are subtle and tend to go unnoticed. They happen when people visit affected sites that seem fine on the front-end but in reality, automatically download malicious content onto devices.
- Network-based threats are especially bad because cybercriminals can steal unencrypted data while people use public WiFi networks.
- Physical threats happen when someone loses their mobile device or has it stolen. Because hackers have direct access to the hardware where private data is stored or where they have access to data, this threat is especially dangerous to enterprises.
The following are a combination of these types of threats.
1. Malicious apps
When your employees visit Google Play or the App Store to download apps that look innocent enough, the apps ask for a list of permissions before people are allowed to download them. These permissions generally require some kind of access to files or folders on the mobile device.
Most people just glance the list of permissions and agree without reviewing them in great detail. This lack of scrutiny leaves devices and enterprises vulnerable to mobile threats.
Dave Jevans, CEO and CTO of Marble Security explains, “enterprises face a far greater threat from the millions of generally available apps on their employees' devices than from mobile malware.”
Even if the app works the way it's supposed to, it still has the potential to mine corporate data and send it to a third party, like a competitor, and expose sensitive product or business information.
One thing you can do:Ask employees to check the permissions apps request before they approve the download. If the list of permissions seems too invasive, employees should skip the download.
Whether your employees have an iOS or Android device, their devices are targets for threats focused on mining user data and your private corporate data.
For example, Apple realized it had three zero-day vulnerabilities that left its devices open for spyware attacks. Pegasus spyware was discovered back in August 2016 and was used to hack into Apple devices and surveil users. Apple had to release a patch with updates that would protect users against the Trident iOS vulnerabilities.
Android devices were targeted with fake app downloads that mined user data and tracked users over time. To fight back, Google now offers Play Protect security in the Play Store.
One thing you can do:Choose a mobile security app and ask all of your employees to download it onto their devices. Next make it a requirement for employees to update their device software regularly. Regular updates ensure that their devices are protected against the latest spyware threats.
3. Public WiFi
As more companies offer remote work options, access to unsecured WiFi is becoming more widely available in public places. Be it coffee shops, co-working spaces or the library, public WiFi is convenient, but the downside is that the devices your employees use are vulnerable to attacks sent through these networks.
Instead of connecting directly to a network, people are tricked into accessing a network that looks authentic but is actually controlled by a hacker. Here's what that looks like:
It isn't hard to create fake WiFi hotspots in public spaces — with network names that look completely legit — to access mobile devices. And people are only too willing to connect. An experiment run at both the Democratic and Republican 2016 conventions found that 70% of people connected to unsecured, public networks.
If these networks had been created for criminal activities, people would have unwittingly handed over access to not only their personal data but your corporate data as well.
One giveaway a network might be fake: sometimes they ask users to create an account with a username and password to access the network.
One thing you can do: Ask employees to create unique passwords for every new account they create when they use their mobile devices. Because hackers assume people use the same password for everything, employees should never default to standard logins used for their personal accounts. Even if their phone is hacked, private, password protecting data can't be.
4. Lack of end-to-end encryption
A recent study found that only 5.5% of mobile app development budgets go towards security. This is shocking considering the amount of information uploaded to apps. Depending on the platforms employees use to access corporate data on their phones, a lack of mobile app security doesn't bode well for you.
For example, a lot of communication happens electronically. You send, share and receive countless amounts of data every day, so leaving that unencrypted leaves the door open for anyone to look at what's being said or done in your company.
And it's not just hackers who'll have access. As the above image shows, your service provider and any online applications that host your conversations with employees will have access to view and collect private data.
One thing you can do: Use communication apps that encrypt data transfers to make sure that communication between you and your employees can't be accessed by anyone outside of the business. Use an encryption-based application to help manage communication.
5. Inactive apps
Google and Apple remove apps from their stores on a regular basis, but the thing is, they don't offer much explanation about why. We can assume, though, that these occasional purges have something to do with security threats and privacy breaches.
In Google's case, they found apps that forced users to click on ads by making it hard to use the app otherwise. When a user clicks on the ad, it runs in the background without the user knowing while the ad accumulates automated clicks to generate income for the app developer.
One thing you can do:While there should be more transparency for users and enterprises so they know what apps could threaten their devices, you and your employees should be proactive and regularly check the apps on devices to see if they're still active. If apps aren't active, users should delete them to limit the threat to data access and privacy.
6. IoT mobile security threats
Mobile devices are branching out from cell phones and tablets to include wearable tech, like smart watches or devices in the office, like video conferencing tools. Basically, anything that's used to improve workplace efficiency, productivity and service quality has a product for that purpose.
Cybercriminals are aware of this expansion, after all, Gartner predicts the number of connected devices will reach 20.8 billion by 2020.
A big part of what makes the growth of IoT pose a threat is the proliferation of ransomware. A lot of the latest mobile devices have IP addresses, which means that they can be hacked through the internet. Anyone looking to gain access to your corporate data can find and use mobile devices to access corporate networks and the information within them.
That's why mobile security shouldn't just be about the network and the data, it should extend to include securing the devices.
One thing you can do:Educate employees on where threats can come from and how to use their devices safely. Get them to read blog posts, send them email newsletters and news updates or start a video series. The point is to get across the fact that you expect employees to take mobile security seriously and that threats can come from almost anywhere.
Depending on the sites employees visit on their mobile devices, malware can be downloaded onto mobile devices that aren't protected by antivirus software or a mobile security app. This gives hackers full access to the device so that they can control affected devices remotely.
All devices with the malware on them are added to a network of other affected devices — called a botnet — that allow hackers to send spammy emails and other click fraud campaigns that spread the malware to even more devices.
As an enterprise it's harmful to you that malware can disrupt networks or steal confidential customer information.
One thing you can do: Put in place BYOD policies to protect your enterprise network. For example, give employees options on which mobile security apps to download to make sure that botnets don't have a chance to spread.
Educate employees on the policies and what's expected of them to ensure that internal data is kept safe.
8. No password protection
With all of the ways to secure mobile devices, it might be shocking to know that 34% of people don't use a password to lock their phone. If these devices are lost or stolen, it gives thieves easy access to all the information stored in the phone.
For people who do go through the effort of creating a password or PIN, they typically default to codes that are easy to crack. Like 0000, 1234 or birthday month and day.
Unlike secure sites, mobile devices don't force users to create a password or PIN. And even when users do create them, devices don't confirm the strength of the password or PIN.
One thing you can do:If employees are going to use their own devices to access your data, make your identity access management requirements clear to them. For example, lay out what your password standards are. Take it one step further and require 2-factor authentication to access internal tools.
9. Phishing attacks
This happens all too often in enterprises where hackers send what look like legit emails or SMS to get employees to hand over private information.
For example, let's say the finance department in an insurance company gets an email from what looks to be a genuine B2B customer email account. The email might inform finance about a change to the “customer's” banking information and ask that all payments to be re-routed to the new account. It all looks and sounds above board until the actual customer confirms that they haven't been receiving payments.
One thing you can do:To fight against this, enterprises need strict processes for employees to follow when customers request changes and processes to alert the right people when red flags are spotted.
10. Lost or stolen device
Not all attacks happen in the digital world. Losing a phone or tablet is probably one of the hardest threats to fight against since it gives hackers direct access to the data they're after.
Hackers can see what sites your employees visit on their devices and which apps are linked to your corporate data and private communication. Most times users are logged onto the apps on their devices so hackers won't have to figure out passwords to unlock the data.
Fortunately, most Android and Apple devices let users delete information remotely to avoid illegal access. Like the example above, employees can log into their Apple account and turn on lost mode. They can enter a custom message that will appear on the lock screen of the lost phone and turn off access to all accounts, making the phone useless to hackers.
One thing you can do:Use your BYOD policies to make sure employees know what steps to take if they lose their device. Because most devices come with remote access to delete or transfer information, ask employees to make sure they know how to activate it.
What you can do for your mobile security
Mobile devices face a lot of threats but there's a lot you can do to protect yourself, your data and your employees. Follow these guidelines and you'll be well on your way to protecting yourself through your mobile security journey.
The key is to educate employees and give them the tools and information they need to make the right choices. The more they understand what's at risk, the safer yours and their data will be.
Talk about mobile security regularly so that it becomes standard practice and so that you can feel confident that your corporate data is safe and secure.
As we move further into the digital age, it's important that we do as much as possible to protect devices and the information they give us access to.