As the cybersecurity threat landscape continues to grow, most businesses have been working to improve their security posture in order to decrease the chance of falling victim to an attack. Typically, businesses will focus on securing their network, IT systems and individual PCs, as these are the most obvious targets for a cybercriminal. However, the rise of remote and hybrid working has made mobile devices a fundamental business tool for most employees, and this has made them a target for hackers attempting to launch a cyberattack on a business. As employees become more reliant on mobile devices to stay connected, businesses must ensure they consider the security risks associated with mobile devices and take steps to mitigate these risks. In this article we will discuss five common mobile device security risks and what businesses can do to improve their mobile device security.
Unsecured Public Wi-Fi
Connecting to public Wi-Fi poses a potential security risk, as there is no way to know if it has been set up correctly, if it has secure encryption or if it is being monitored by a malicious individual. As employees are likely to check their emails or use other business applications whilst on the go, it can be tempting to save mobile data by connecting to free Wi-Fi offered at retail shops or cafes and restaurants. However, cybercriminals are able to set up Wi-Fi networks that look authentic but are a front to capture data transmitted through the network. This is known as a man-in-the-middle attack.
One way to mitigate this risk is to create a policy stating that employees should not connect to public Wi-Fi. However, there is still a chance that an employee has an unsecured Wi-Fi network saved on their device and will automatically connect when nearby. To safeguard against this, businesses can require employees to use a VPN when accessing company data, systems, or whilst using business applications. This will ensure they stay secure, regardless of what network they are connected to.
Data Leakage via Malicious Apps
There are millions of mobile applications available on the Google Play Store and Apple App Store that can be downloaded within a matter of seconds. With this proliferation of mobile apps, it is not uncommon for unsecured apps to make their way onto app stores. When these are downloaded they will ask for permissions, such as access to files, location services or use of the camera. If an employee grants these permissions, especially access to files, a malicious app has the potential to mine company data from the mobile device.
This risk can be mitigated through the use of mobile application management (MAM) tools. These give IT teams the power to control how much access each application has, without altering the employees’ personal applications or data.
Lost or Stolen Devices
Losing a mobile device, or having it stolen, can be a frustrating experience for individuals as they will need to purchase a new device and may lose all their photos and data stored on the device. For a business, having an employee’s mobile device lost or stolen is a security risk as the lost data may be company data and it could result in a cyberattack or data breach.
If an employee’s device is lost or stolen, they should use the in-built tools to either lock or remotely wipe the device of all data. Businesses can also install mobile device management (MDM) tools to allow IT teams to remotely secure, encrypt or wipe company data to prevent a potential data breach.
Most businesses are aware of the risks of having an unpatched operating system or software, as this can leave them vulnerable to a known exploit. The same is true for mobile devices. However, unlike work PCs, many businesses leave mobile device patch management as the employee’s responsibility, and employees may have older devices that no longer receive necessary security patches.
Google and Apple both allow businesses to force updates to managed devices to ensure they are always up to date with security patches. Third-party MDM tools can provide this functionality too. A business’s mobile device policy should ensure that employees cannot use a device that does not receive security patches to access company information, as it puts them at risk of a cyberattack.
Mobile Ransomware Attacks
Over the past 5 years there have been countless high-profile ransomware attacks that have temporarily shut down large companies, public infrastructure and many smaller businesses. Whilst most of these attacks have been on employees’ PCs, recently there has been an emerging threat of ransomware on mobile devices. There have even been cases of ransomware being transferred from a mobile device to a networked system via corporate Wi-Fi.
To mitigate this risk, the same precautions that businesses take for their PCs should be applied to mobile devices. This includes the use of email security, such as Mimecast, to stop malicious emails before they land in an inbox. Similarly, businesses should have security awareness training that includes mobile device security to ensure that employees have the same security mindset when using mobile devices as work-issued PCs.
As businesses look to improve their security posture, it is important to take a holistic approach and ensure that all networks, systems and endpoints, including mobile devices, are considered. It is likely that as hybrid work becomes increasingly common, cybercriminals will continue to target mobile devices as they are typically less secure than work-issued devices. If you want to find out more about how to keep your business safe from a cyberattack, get in contact with us today.