Our mobile phones follow us almost everywhere.
Cyberattackers are rarely far behind. With more and more devices used for work, hackers are profiting from a proliferation of end points, scraping passwords, data and cash from the unwary.
Research from Verizon suggests that around one in four companies have been compromised through mobile devices in the last year. At the same time, over two-thirds of respondents said the risks associated with mobile devices had increased.
Yet many organisations aren’t taking the threat from mobile seriously enough – 45% said they had sacrificed mobile security to get the job done, and mobile devices are often treated as a lower cyber priority than laptops or networks. Here, we explore the risks companies are opening themselves to, and look at the best ways to keep mobile devices secure.
Why mobile devices are a growing risk
The ability to work remotely and to bring your own device into the office has brought many advantages, and can offer flexibility for both organisations and employees.
But this trend has downsides. A mobile device may have the same high-level access to networks as an office desktop, but it will rarely offer the same level of security. And with the rise of the Internet of Things (IoT), the range of networked devices is exploding, with security struggling to catch up. All these end points offer entry points to your network, and incursions are notoriously hard to detect on mobile devices. The result? Hackers have a foothold from which to move deeper into your systems, stealing data, siphoning cash and launching ransomware attacks. These are the key ways cybercriminals hit mobile devices.
Mobiles are the front line of social engineering attacks
Phishing (via email) and smishing (via text) aim to trick employees into handing over passwords or downloading malware. Mobile devices are especially vulnerable because:
They’re always on, meaning they see a lot of traffic
Users often use their devices before and after the work day, when they’re less alert
Smartphones encourage rapid, real-time responses that can play into the hands of scammers – who often rely on urgency to sucker their victims
Less information is displayed on smaller device screens, meaning spoofed domains and websites may look more convincing
The best defence: Awareness training can help employees spot scams, while zero-trust policies or data segmentation can limit the amount of data hackers can get their hands on. Tracking unusual user behaviour will also help your organisation spot incursions.
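One way to put "tracking unusual user behaviour" into practice is an impossible-travel check over authentication logs: two logins by the same account that would require moving faster than any plausible journey are flagged for review. The example below is added here and is not code from the original article; the log lines are constructed, the source-IP geolocation is assumed to have been resolved already and written into each record, and the 1,000 km/h and 50 km thresholds are assumptions that a team would tune for its own environment.

```python
"""Flag logins that imply impossible travel between consecutive sessions.

Added example, not from the original article. Each log record is
"timestamp user latitude longitude city"; the coordinates are assumed to
come from an IP geolocation step that has already run.
"""
import math
from datetime import datetime, timezone

# Constructed sample records (not real data): timestamp user lat lon city
SAMPLE_LOG = """\
2024-03-04T08:02:11Z alice -33.8688 151.2093 Sydney
2024-03-04T08:40:55Z alice -33.8700 151.2100 Sydney
2024-03-04T09:05:00Z alice 51.5074 -0.1278 London
2024-03-04T07:55:00Z bob -37.8136 144.9631 Melbourne
2024-03-04T19:30:00Z bob -33.8688 151.2093 Sydney
"""

MAX_PLAUSIBLE_KMH = 1000.0  # assumption: faster than an airliner is implausible
MIN_DISTANCE_KM = 50.0      # assumption: ignore geolocation jitter within one city


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_log(text):
    """Parse the record format above into (time, user, lat, lon, city) tuples,
    ordered per user by time so consecutive logins can be compared."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, lat, lon, city = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, user, float(lat), float(lon), city))
    events.sort(key=lambda e: (e[1], e[0]))
    return events


def find_impossible_travel(text, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Return one alert dict per pair of consecutive logins whose implied
    speed exceeds max_kmh (or that are far apart with no time between them)."""
    alerts = []
    last_seen = {}  # user -> (time, lat, lon, city)
    for when, user, lat, lon, city in parse_log(text):
        if user in last_seen:
            prev_when, plat, plon, pcity = last_seen[user]
            hours = (when - prev_when).total_seconds() / 3600.0
            dist_km = haversine_km(plat, plon, lat, lon)
            if dist_km >= min_km and (hours <= 0 or dist_km / hours > max_kmh):
                speed = math.inf if hours <= 0 else dist_km / hours
                alerts.append({
                    "user": user,
                    "from": pcity,
                    "to": city,
                    "distance_km": round(dist_km),
                    "hours": round(hours, 2),
                    "speed_kmh": round(speed),
                })
        last_seen[user] = (when, lat, lon, city)
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOG):
        print(f"ALERT {alert['user']}: {alert['from']} -> {alert['to']} "
              f"({alert['distance_km']} km in {alert['hours']} h, "
              f"~{alert['speed_kmh']} km/h)")
```

On the constructed log, alice's Sydney-to-Sydney logins are ignored as jitter, bob's Melbourne-to-Sydney move over eleven hours is plausible, and alice's jump to London within 25 minutes is raised as an alert. In production the same check would sit behind a SIEM query or an identity-provider risk policy rather than a standalone script, but the logic is the same.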
All apps are not created equal
Everyday apps can be more dangerous than malware. Hundreds of applications may be stored on the same device as corporate accounts. And if your employees are like most members of the public, they’ll barely scan the permissions list at installation. Many apps request access to files and folders, track geodata and more. The results may be stored on remote servers or shared with advertisers.
Some dodgy apps may contain malware, while others have minimal security, making it easy for hackers to use an unprotected mobile app as a back door into the user’s phone, and by extension, your organisation’s data.
The best defence: Mobile Application Management (MAM) tools allow cybersecurity departments to manage corporate apps on employee devices. Employees should also be encouraged to keep their apps and operating systems up to date.
Unsecured public wi-fi is anyone’s game
Public wi-fi in cafes or shops is usually legitimate – but you have no way of telling whether it’s encrypted or secured, or whether it’s a spoofed network set up by data-hungry criminals. If employees are accessing your servers via public wi-fi, your passwords and data are at risk. And if they use the same password across several accounts, a harmless browsing session could lead to serious leaks.
The best defence: Employees should use a VPN or end-to-end encryption to access company systems to ensure security. Education is key – no one should use confidential services on unsecured wi-fi.
Look out for spyware – because it’s got its eye on you
Spyware usually lands on devices when a user clicks on a malicious ad or via a phishing scam. But it may also be installed by spouses, employees or anyone they may share their device with. Whatever the spyware’s origin, its game is data-mining – and that may include sensitive company data.
The best defence: Mobile security apps can keep tabs on spyware, and keeping operating systems and apps up to date will help protect your device.
Lost or stolen devices can open you up to a breach
Mobile devices’ portability is their greatest strength, but it’s also a serious vulnerability. It’s not often you leave a desktop machine on a coffee-shop table, or poking invitingly out of your back pocket. This brings obvious risks, especially if the device isn’t appropriately secured. Research by password manager NordPass found the most common password in Australia in 2021 was “123456” – one of many passwords that can be cracked in under a second.
The best defence: Making Multi-Factor Authentication (MFA) mandatory for company apps will make it harder for hackers to access your organisation’s data. The Australian Cyber Security Centre (ACSC) has guidelines on safe passphrases. Mobile Device Management (MDM) allows you to secure or delete data from a lost or stolen device, while effective session management can prevent thieves accessing active applications. Training can remind employees what steps to take if they lose their device.
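The "effective session management" point above comes down to three server-side rules: sessions are only issued after MFA, they expire on inactivity and after an absolute lifetime, and every session tied to a device can be revoked at once when that device is reported lost. The store below is an added example written for this article, not code from any product mentioned in it; the 15-minute idle timeout and 8-hour lifetime are assumed values, and the clock is passed in explicitly so the behaviour can be checked deterministically.

```python
"""Minimal server-side session store for corporate mobile apps.

Added example, not from the original article. Enforces MFA at login,
idle and absolute expiry, and bulk revocation for a lost or stolen device.
"""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT_S = 15 * 60        # assumption: 15 minutes without activity ends the session
ABSOLUTE_LIFETIME_S = 8 * 3600  # assumption: re-authenticate at least every 8 hours


@dataclass
class Session:
    user: str
    device_id: str
    created_at: float
    last_seen: float


class SessionStore:
    def __init__(self):
        # token -> Session; tokens are random and never derived from user data
        self._sessions = {}

    def create(self, user, device_id, mfa_verified, now=None):
        """Issue a session token; refused unless the MFA step succeeded."""
        if not mfa_verified:
            raise PermissionError("MFA is mandatory for company apps")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, device_id, now, now)
        return token

    def validate(self, token, now=None):
        """Return the user for a live session and refresh its idle timer,
        or None (and drop the session) if it is unknown or expired."""
        now = time.time() if now is None else now
        session = self._sessions.get(token)
        if session is None:
            return None
        too_old = now - session.created_at > ABSOLUTE_LIFETIME_S
        idle = now - session.last_seen > IDLE_TIMEOUT_S
        if too_old or idle:
            del self._sessions[token]
            return None
        session.last_seen = now
        return session.user

    def revoke_device(self, device_id):
        """Kill every session from one device (e.g. reported lost via MDM).
        Returns the number of sessions removed."""
        doomed = [t for t, s in self._sessions.items() if s.device_id == device_id]
        for token in doomed:
            del self._sessions[token]
        return len(doomed)

    def active_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    t0 = 1_000_000.0
    token = store.create("alice", "phone-1", mfa_verified=True, now=t0)
    print("after 10 min:", store.validate(token, now=t0 + 600))          # alice
    print("after 16 idle min:", store.validate(token, now=t0 + 600 + 960))  # None
    token = store.create("alice", "phone-1", mfa_verified=True, now=t0)
    print("revoked:", store.revoke_device("phone-1"))                    # 1
    print("after revoke:", store.validate(token, now=t0 + 1))            # None
```

A thief who picks up an unlocked phone gets only the remaining idle window, and a single MDM "device lost" event can clear every session that device holds. Real deployments would persist the store and rate-limit token lookups, but the policy decisions shown here are the ones that matter.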
Managing the risks of mobile devices
As we’ve seen, mobile devices are an increasingly important attack vector for cybercriminals. Phishing, third-party apps, unsecured wi-fi and lost devices can all result in serious data breaches. Most of us glance at our screens hundreds of times a day, and hackers are keen to turn those interactions to their advantage. As the IoT spreads and remote work becomes more normalised, the danger is increasing.
Thankfully, you can significantly reduce this risk. Clear device policies, encryption, multi-factor authentication and targeted awareness training are key measures in the fight against mobile cybercrime. Above all, mobile security needs to be treated as an important part of a wider cybersecurity strategy that helps you set threats in context, and stay abreast of the latest trends in cyber.