Cybercrime is on the rise, and with the increasing mobility of today’s workforce, it is not just PCs that need to be protected but a whole range of mobile devices.
Whether owned and managed by the company itself or brought in by employees, all mobile devices now need to be considered in businesses’ security plans.
This is especially true when implementing bring your own device (BYOD) policies, where companies can have less control over their employees’ phones.
With 72% of organisations across the financial services, technology, healthcare, government and education sectors now supporting BYOD for all or some employees, it has never been more crucial to ensure company data can remain secure while allowing easy access for employees.
So what are the threats to mobile devices that businesses face and how can they mitigate them?
Unsecured Wi-Fi

One of the biggest threats facing businesses, especially those with employees travelling abroad, is the use of free Wi-Fi networks to avoid using up mobile data allowances or paying costly roaming charges.
Public, password-free Wi-Fi has no encryption on the wireless link, so anyone within radio range can read traffic that is not itself encrypted (plain HTTP, older mail and messaging protocols) and can tamper with it. It does not by itself expose the contents of the device, but it puts every unprotected connection the device makes in front of an attacker.
The Wi-Fi Pineapple, for example, makes man-in-the-middle attacks easy: it advertises an access point with the name of a network the device already knows, the phone joins it automatically, and the attacker sits between the device and the internet, reading and altering unencrypted traffic while the user remains unaware.
By educating employees about the dangers of unsecured Wi-Fi, organisations can mitigate at least some of this threat.
Teaching employees to check that a website is served over HTTPS, and to stop rather than click through a browser certificate warning, helps, as does routing all mobile traffic through a corporate VPN and keeping corporate data in encrypted storage so that a compromised network cannot expose it.
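The evil-twin pattern described above can be spotted from an ordinary Wi-Fi scan: the same network name advertised both encrypted and open, or a corporate SSID advertised from hardware the company does not own. The following is an added example, not code from the original article; the scan listing is constructed (fields: BSSID, security, signal in dBm, SSID), and the approved vendor-prefix set and corporate SSID are assumptions a real deployment would take from its access-point inventory.

```python
"""Flag open and impersonated Wi-Fi networks in a scan listing (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    bssid: str      # AP MAC address, lower case
    security: str   # "OPEN", "WPA2", "WPA3", ...
    signal: int     # dBm; closer to 0 is stronger
    ssid: str


# Constructed sample scan, not real captured data. SSID is last so it may contain spaces.
SAMPLE_SCAN = """\
a4:2b:8c:11:22:33 WPA2 -48 CorpWiFi
a4:2b:8c:11:22:34 WPA2 -50 CorpWiFi
de:ad:be:ef:00:01 OPEN -35 CorpWiFi
00:11:22:33:44:55 OPEN -60 Airport_Free_WiFi
66:77:88:99:aa:bb WPA3 -70 Cafe Upstairs
"""

# Assumed: vendor prefixes (first three octets) of the company's own access points.
APPROVED_OUIS = {"a4:2b:8c"}
CORPORATE_SSID = "CorpWiFi"


def parse_scan(text):
    """Parse the constructed listing into Network records."""
    nets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        bssid, security, signal, ssid = line.split(maxsplit=3)
        nets.append(Network(bssid.lower(), security.upper(), int(signal), ssid))
    return nets


def evil_twin_candidates(nets):
    """SSIDs advertised both encrypted and open. An open AP borrowing the name of an
    encrypted network is the classic rogue-AP pattern. Returns {ssid: [open bssids]}."""
    by_ssid = defaultdict(list)
    for n in nets:
        by_ssid[n.ssid].append(n)
    result = {}
    for ssid, group in by_ssid.items():
        open_aps = [n.bssid for n in group if n.security == "OPEN"]
        if open_aps and len(open_aps) < len(group):
            result[ssid] = sorted(open_aps)
    return result


def rogue_aps(nets, ssid, approved_ouis):
    """BSSIDs advertising `ssid` from hardware outside the approved vendor prefixes."""
    return sorted(n.bssid for n in nets
                  if n.ssid == ssid and n.bssid[:8] not in approved_ouis)


def classify(nets, corporate_ssid=CORPORATE_SSID, approved_ouis=APPROVED_OUIS):
    """One verdict per SSID: evil-twin, rogue-ap, open or encrypted."""
    twins = evil_twin_candidates(nets)
    verdicts = {}
    for ssid in sorted({n.ssid for n in nets}):
        group = [n for n in nets if n.ssid == ssid]
        if ssid in twins:
            verdicts[ssid] = "evil-twin"
        elif ssid == corporate_ssid and rogue_aps(nets, ssid, approved_ouis):
            verdicts[ssid] = "rogue-ap"
        elif all(n.security == "OPEN" for n in group):
            verdicts[ssid] = "open"
        else:
            verdicts[ssid] = "encrypted"
    return verdicts


if __name__ == "__main__":
    for ssid, verdict in classify(parse_scan(SAMPLE_SCAN)).items():
        print(f"{verdict:10} {ssid}")
```

Note that in the sample the rogue access point is also the strongest signal, which is exactly why a phone set to auto-join would prefer it; an EMM policy that only permits joining the corporate SSID when the client is connected to an approved BSSID closes that gap.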
Apps and channels
It is important to consider where employees are storing data, and what apps they are using on their device.
Apps present a risk to businesses because potentially confidential data is entrusted to a third party's security controls. For example, corporate documents that an employee syncs to a consumer cloud app are protected only by that account's password and whatever the provider does server-side, not by encryption under the company's control.
Giving employees an approved channel for corporate information, such as a VPN from their mobile devices into company-managed, encrypted storage, is one step towards protecting business assets.
While the official app stores vet submissions for malware, a user can still install apps from third-party stores that appear harmless on the surface but carry malicious code. Once installed, these can lock users out of their device, install further malware, or carry out other activities, as illustrated by the recent fake Pokémon Go apps.
Companies that issue a fleet of managed devices can place restrictions on what apps can be downloaded. But with BYOD, employees are free to download what they want.
By creating a separate, corporate app store on the device through an enterprise mobility management (EMM) platform, IT departments can ensure only approved apps can access corporate information, while still allowing employees the freedom to download whatever they wish to use on their device.
Malware

Just as with a PC or laptop, mobile devices are susceptible to malware.
The recent proliferation of HummingBad malware on Android devices is a prime example of sophisticated malware affecting mobile users.
Distributed in repackaged copies of legitimate apps, it installs further applications that generate fraudulent advertising revenue, collecting personal data to sell on along the way.
The key here is prevention rather than cure. There are many anti-virus, anti-malware and firewall products on the market that can be deployed and kept current across a whole fleet of corporate devices.
For BYOD, EMM platforms can mitigate the risk by placing corporate data in a managed container, a 'wall' that an infection on the personal side of the phone cannot cross. Meanwhile, security policies can be applied to that container without invading the employee's privacy or handing the employer control over a personal device.
None of these are 100% fool proof, however, so educating employees has to be a priority.
Part of this process should involve advising employees of the dangers hacking poses, the reasoning behind approved corporate channels for storing information, and clearly defining the role they need to play in securing their device.
IT departments need to be working with the HR team and heads of departments to create a corporate culture around security, and convey that the protection of company data is as much their responsibility as it is for IT professionals.
Updates and patching

Apple ships iOS updates directly to every supported device, but the same is not true of Android, where fixes reach users only after each device vendor (and often the carrier) has built and released them.
This was highlighted by the Stagefright vulnerabilities disclosed in 2015, flaws in Android's media-processing library that allowed remote code execution by sending a crafted message; many devices waited months for, or never received, the fix.
Therefore, it is imperative that IT departments enforce a strong update policy. A fleet of corporate devices can be managed centrally and updated on a regular basis; for BYOD, employees should be advised to keep their personal device on the latest available patches, and the EMM platform can check the reported OS version and security patch level before allowing access to corporate data.
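The compliance check mentioned for the update policy and for restricting what apps can touch corporate data (the EMM app-store approach above) can be expressed as a small evaluation over what the device reports. The following is an added example, not code from the article or from any EMM product. The property names (`ro.build.version.security_patch` and friends) and the `package:<name>  installer=<installer>` format are those Android prints for `adb shell getprop` and `adb shell pm list packages -i`; the sample output and the policy thresholds (minimum Android 12, patch level no older than 90 days, no sideloaded apps) are constructed assumptions.

```python
"""EMM-style device compliance check over Android getprop and package output (added example)."""
import datetime as dt

# Constructed sample output, not captured from a real device.
SAMPLE_GETPROP = """\
[ro.build.version.release]: [13]
[ro.build.version.sdk]: [33]
[ro.build.version.security_patch]: [2023-09-05]
[ro.product.manufacturer]: [samsung]
"""

SAMPLE_PACKAGES = """\
package:com.corp.mail  installer=com.android.vending
package:com.example.freegame  installer=null
package:com.example.bankapp  installer=com.sec.android.app.samsungapps
"""


def parse_getprop(text):
    """Turn '[key]: [value]' lines into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("["):
            continue
        key, sep, value = line.partition("]: [")
        if sep:
            props[key[1:]] = value.rstrip("]")
    return props


def parse_packages(text):
    """Return {package: installer}; installer is None when Android reports 'null',
    i.e. the app was sideloaded rather than installed by a store."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        name, sep, rest = body.partition("installer=")
        installer = rest.strip() if sep else "unknown"
        pkgs[name.strip()] = None if installer == "null" else installer
    return pkgs


def evaluate(props, packages, today, max_patch_age_days=90, min_release=12):
    """Return (compliant, reasons). `today` is a date or ISO date string."""
    if isinstance(today, str):
        today = dt.date.fromisoformat(today)
    reasons = []

    release = props.get("ro.build.version.release", "0")
    major = release.split(".")[0]
    if not major.isdigit() or int(major) < min_release:
        reasons.append(f"Android {release} below minimum {min_release}")

    patch = props.get("ro.build.version.security_patch")
    if patch is None:
        # Pre-Android 6 builds do not report a patch level; treat as unpatched.
        reasons.append("no security patch level reported")
    else:
        age = (today - dt.date.fromisoformat(patch)).days
        if age > max_patch_age_days:
            reasons.append(f"security patch {patch} is {age} days old (limit {max_patch_age_days})")

    sideloaded = sorted(name for name, installer in packages.items() if installer is None)
    if sideloaded:
        reasons.append("sideloaded packages: " + ", ".join(sideloaded))

    return (not reasons, reasons)


if __name__ == "__main__":
    ok, why = evaluate(parse_getprop(SAMPLE_GETPROP), parse_packages(SAMPLE_PACKAGES), dt.date.today())
    print("compliant" if ok else "blocked: " + "; ".join(why))
```

In a BYOD deployment this check runs against the work profile only; the personal side of the device stays out of scope, which is what keeps the policy from becoming an intrusion into the employee's own phone.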
There are as many solutions as there are threats in the corporate mobile landscape, but educating staff is the key to preventing the loss or infiltration of corporate data.
This needs to come from the top down. IT professionals need to be sitting round the same table as the C-suite when discussing mobile, and working closely with all departments of a business to create a ‘culture’ around mobile security.