Mobile devices today are ubiquitous. In short order, they have become a reliable go-to for everything from storing contacts, to working on-the-go, to paying for groceries. They absolutely have a place in business too: according to a 2016 report by the Information Security Media Group, 99% of employees use personal smartphones to do their jobs. There’s no question that the device in everyone’s pocket or purse is both convenient and a great way to stay connected and productive, but what are the business risks?
A big challenge when it comes to protecting smartphones and tablets is that mobile device security has not necessarily kept pace with traditional computer and network security.
But equally challenging is the behavior of smartphone owners, as there is a perception that cybersecurity threats and concerns don’t apply to mobile devices. People – even those who abide by all network security best practices on desktop – generally seem to feel that their mobile device is exempt from those same cyber threats.
Unfortunately, that is not the case.
This combination of popularity, relaxed attitudes about protecting mobile devices, and less-than-stellar security has in fact made mobile devices an enticing target for cybercriminals, and somewhat of a headache for businesses.
These threats come in the form of mobile malware, authentication attacks, man-in-the-middle (MitM) attacks, or simply the exploitation of known vulnerabilities. Mobile malware has a variety of forms, including phishing/spear phishing, trojans, keyloggers, bank trojans, ransomware and adware or spyware.
The volume of mobile malware is still a fraction of what it is for desktops, but it is most certainly on the rise. According to the Intel Security/McAfee April 2017 trends report, approximately 15 million different mobile malware variants had been detected at the end of 2016, up from just under 8 million the previous year.
First Step: Education
While there are numerous workplace solutions for this – including Mobile Device Management, or implementing a BYOD (bring your own device) policy – education is a critical piece of the mobile device security puzzle.
It’s essential that every employee understands the need to protect the company data accessible through his or her personal device, as well as their own personal information.
We recommend that you, as a business leader, teach employees about device security as a means of reducing the company’s cyber risks. This can take the form of an official BYOD policy or become part of a general culture of cyber awareness and your ongoing cybersecurity education and training strategy.
Either way, start with coming to the understanding that smartphones and other connected devices like smart watches aren’t automatically protected in the way that standard network equipment is, and that more proactive measures are required.
For example, many smartphone users aren’t aware of the timeline for “end of life” support for their device. And the lifecycle for support for a smartphone tends to be shorter and less publicized than that of a standard operating system like Microsoft Windows, which means that a phone can reach end of support in just 2-3 years, and the owner might not have any idea.
With the release of iOS 11, for instance, Apple ended support for iPhone 5 and 5C, as well as iPad 4 (and older devices).
Additionally, mobile devices generally are not encrypted, which means if you’re using public Wi-Fi, any data on that phone is going to be pretty easily accessible to a hacker. There are encrypted mobile communications solutions on the market, but they aren’t the default – they must be installed and enabled separately.
It’s also important for every smartphone user to recognize that the default – and recommended – method of acquiring any mobile applications or software is via the authorized app store.
Both Apple and Google scan all applications in their respective app stores in an effort to detect any potentially malicious apps. While it’s certainly possible to get mobile malware from an app in the authorized store, the risks are significantly less than if you download software from an unknown third-party source.
Finally, whether you enable a tech-based Mobile Device Management solution to implement this practice, or you rely on smartphone owners to enable the capability, make sure that any device that has access to company data can be remotely wiped in the event that it is lost or stolen. Below are links to more information on how to enable that feature:
- To erase an Apple device (this includes iPhones, iPads, Apple Watch or Mac), follow these steps.
- To find, lock or erase an Android device, follow these steps.
- To remotely wipe a BlackBerry, follow these steps.
Ways to Protect Your Mobile Device Against Security Threats
There are many things that owners can do to increase mobile device security and better defend against modern-day threats. These include:
- Enable the strongest security features possible – enable the PIN code and set your screen auto-lock to the shortest amount of time possible
- Always keep your device’s operating system up-to-date – don’t ignore that message asking if you’d like to install the latest version!
- Don’t click on unknown links in emails or text messages – these types of phishing attacks can be more difficult to spot when viewed on a mobile device, so extra caution is required
- Limit publication of your mobile phone number
- Think carefully about what information you want stored on your device; always make a point to review it before traveling, as the chances of a lost or stolen device increase
- Be choosy when installing apps – avoid downloading apps from unknown third-party sources, as these could be mobile malware in disguise
- Remove apps that you no longer use – apps that you aren’t using become apps you aren’t updating so it’s best to remove them
- Always maintain physical control of your device
- Disable connected features like Wi-Fi and Bluetooth when you are not using them
- Avoid joining unknown Wi-Fi networks or public Wi-Fi that isn’t password-protected
- If using public Wi-Fi is unavoidable, never log into sensitive accounts or make credit card payments over public Wi-Fi
- If you have to create any type of account to use public Wi-Fi, create a login that is unique to only that account
- Be sure to securely wipe your device before you sell, trade, donate or recycle it (refer to this past article for more info: How to Prepare Your Old Phone for Sale)
- Never “root” or “jailbreak” your device as this can prevent it from receiving future operating system updates that patch security vulnerabilities
- Pay attention to which apps you are giving permissions to; don’t just give a blanket “yes”, as apps will often request permission to access areas of your device that aren’t necessary
- Be aware of the support lifecycle on your device – if you have reached “end of life”, it’s time to upgrade
While your mobile security landscape will entirely depend on your workplace environment, your BYOD policy, your MDM policy, and your existing security protocols, it is crucial that you understand your current risks so that you can take the steps to correct them.
This may include working with your IT provider to implement an MDM solution, if necessary.
It should certainly include at least a conversation (or more formal consultation) with your IT provider to ensure that your overall network security accounts for the use of mobile devices.
The biggest lesson, though, is that when it comes to protecting a mobile device, an increased awareness of the risks and a common-sense approach to defending against them really will go a long way.