Top 10 Enterprise Mobile Threat Prevention Tactics
In its 2021 “Mobile Security Index” report, Verizon explains how the rapid uptick in remote work — and consequently mobile device use for jobs — challenged companies. The COVID-19 pandemic struck quickly, leaving little time for companies to adjust to remote work.
"This led some to cut corners, including on security," Verizon says in the report. "Nearly a quarter (24%) of respondents to our survey said that their organization had sacrificed the security of mobile devices to facilitate their response to restrictions put in place due to the pandemic."
How can businesses and individuals manage the barrage of attacks facing their employees and mobile devices? The following 10 threats and preventive measures cover the main threats and ways that companies can defend themselves and their data from breaches and cyber crime.
Phishing techniques have developed over the past decade, and some of these scams also took advantage of the increased reliance on mobile devices during the pandemic.
Attackers have preyed upon COVID-19 threats to perform phishing attacks, according to Sophos product manager Tom Walsh.
"A particularly menacing mobile attack Sophos has seen recently is attackers using social engineering to take advantage of the COVID-19 pandemic through fake contact-tracing apps," Walsh said. "When installed, these fake apps turn out to be malware packed with various malicious capabilities, including access to messages and phone calls and the ability to steal credentials."
To better avoid phishing and fake applications, avoid any apps or requests for contact tracing in which you don't truly need to participate. That can help you avoid both cybercrime and giving out personal data.
Only download applications that you've vetted, by reading reviews or talking with others, and stick with the Google Play Store and Apple App Store.
2. Texting and social engineering
Social engineering takes many forms, both physical and technological, and mobile social engineering includes text messages from sources masquerading as legitimate vendors.
Bitdefender's director of security research, Alex "Jay" Balan, described a mobile threat from attackers exploiting the increase in package deliveries.
"Be on the lookout for text messages saying things like, 'Your [online shop] package couldn’t be delivered due to a problem with your payment processor and is currently being held for delivery. Please update your payment information [phishing link mimicking the online shop] in order to continue processing the delivery.'"
Mobile devices make it harder for users to identify mobile social engineering. They can't, for instance, hover over links on a phone like they can on a computer. Ways to avoid the urgency applied by cyber criminals include:
- Never clicking on a link in a text message that comes from a number you don't recognize
- Deleting texts from sources you don't know
- Verifying messages about "orders" directly with the company you purchased from
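Because a phone offers no hover preview, a messaging gateway or a reporting tool can do the link inspection for the user. The following is an added example, not part of the original article: it extracts links from a text and compares each host with the domains the real vendor is known to use. The vendor domains and the sample message are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: domains the organization has confirmed belong to the vendor.
KNOWN_VENDOR_DOMAINS = {"shop.example", "shop-delivery.example"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample modelled on the delivery lure quoted above.
SAMPLE_SMS = (
    "Your package couldn't be delivered. Update payment at "
    "http://shop.example.account-verify.example/pay or see "
    "https://www.shop.example/orders."
)


def host_matches(host, domain):
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_link(url, known_domains=KNOWN_VENDOR_DOMAINS):
    """Return the reasons a link looks suspicious (empty list if none)."""
    reasons = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if parts.scheme.lower() != "https":
        reasons.append("not https")
    if parts.username is not None:
        reasons.append("userinfo before host hides the real destination")
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode label (possible lookalike characters)")
    try:
        ipaddress.ip_address(host)
        reasons.append("raw IP address instead of a domain")
    except ValueError:
        pass  # host is a name, not an IP literal
    if not any(host_matches(host, d) for d in known_domains):
        reasons.append("host is not a known vendor domain: " + host)
    return reasons


def check_message(text, known_domains=KNOWN_VENDOR_DOMAINS):
    """Map every link found in a text message to its list of findings."""
    links = [u.rstrip(".,)") for u in URL_RE.findall(text)]
    return {link: check_link(link, known_domains) for link in links}
```

The first link in the sample starts with the vendor's name but is registered under a different domain, which is exactly what a reader cannot see on a small screen; the suffix comparison catches it.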
3. Malware and Trojans
Malware and Trojans typically come through downloading malicious software or attachments to mobile devices. Once on the device, malware and Trojans can steal personal information.
Financial Trojans come from programs the user gives permission to install on a device. They infiltrate the device and observe and record bank account details when the user logs into their bank account from the device.
Trojans pose a danger to businesses, particularly if employees use the company bank account through their mobile device. Some companies allow or even require employees to make quick financial transactions from their personal devices while on the go.
To prevent malware and Trojans, download antivirus software that monitors your mobile device's system and all new downloads, especially if you're using the device to make company financial transactions. Also don’t download attachments or software that come from unconfirmed sources or unsecured websites.
4. Open Wi-Fi networks
Open Wi-Fi networks, which don't require a password, are dangerous for business users. For mobile device owners who are conducting business and accessing company applications, an open Wi-Fi network provides a gateway for a criminal to perform a man-in-the-middle attack and view the ensuing online session.
Avoid open Wi-Fi networks whenever possible, and if you can't avoid them entirely, don't log into accounts with sensitive company data or perform financial transactions. Using a virtual private network (VPN) is another way to avoid your session being detected on the main network. You can also use a Wi-Fi network with a password.
Firas Azmeh of security firm Lookout shared some basic steps users can take to shield their personal information, including "being aware (and selective) about the data they share online and also by enabling security tools that prevent phishing attacks, password/account compromise and other mobile threats that result in identity theft."
5. BYOD policy avoidance and careless application use
Strict bring your own device (BYOD) mobile policies, even ones that enforce password rules and two-factor authentication, require greater accountability for employees.
Establishing zero-trust architecture is important for workers who access multiple work applications from their mobile device: Requiring login credentials for each account can keep an attacker from moving through the network after accessing a device.
Verizon's “Mobile Security Index” report reinforces the importance of structure in BYOD security: "A zero-trust approach is ideal for a BYOD program. It can reduce the reliance on end users making informed and security-conscious decisions."
Simply training employees on security and compliance can also make a great difference: The more aware workers are of the threats that surround them and the more frequently the organization repeats that training, the more likely they'll be to at least think twice about engaging in careless device use.
Download apps only from the Google Play Store or Apple App Store. If you don't recognize the name of the app or it makes a promise that sounds too good to be true, vet the app through research and ensure that others have used it with success.
6. Physical device loss
Physical breaches are one of the primary threats to companies that have gone mobile during the pandemic. Attackers have easier access to data on a device when it's in their hands.
To prevent data theft from a lost device, invest in software, such as mobile device management (MDM), that allows companies to remotely shut down a device. All devices also should be password protected.
Employees with company applications installed on their mobile devices should not let strangers access them, such as by giving their phone to a passerby to take a photo, and should keep their devices with them at all times, including in coffee shops and restaurants.
7. Applications with too many permissions
Many legitimate applications simply are allowed to take too much data from the mobile device on which they're installed. It might be one of the most popular and secure apps on the market. But if it's given too much leeway on a device, it can endanger other data that’s stored.
To prevent applications from stealing data from your device, set stringent permissions for any applications, and limit the data they can collect while they're downloaded.
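One way an enterprise could vet an Android app before allowing it on managed devices, shown as an added example that is not part of the original article: list the permissions declared in the app's decoded `AndroidManifest.xml` and report everything beyond an approved baseline. The baseline, the app categories, the high-risk set and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PERMISSION_TAGS = ("uses-permission", "uses-permission-sdk-23")

# Assumption: hypothetical baseline of permissions the company accepts
# for each kind of app; a real baseline comes from its own policy.
APPROVED = {
    "flashlight": {"android.permission.CAMERA"},
    "navigation": {"android.permission.INTERNET",
                   "android.permission.ACCESS_FINE_LOCATION"},
}

# Assumption: permissions this example treats as high-risk for company data.
SENSITIVE = {
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_CALL_LOG",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
}

# Constructed manifest: a flashlight app asking for far more than it needs.
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_CONTACTS"/>
</manifest>"""


def requested_permissions(manifest_xml):
    """Collect every permission name declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    names = set()
    for tag in PERMISSION_TAGS:
        for element in root.iter(tag):
            name = element.get(ANDROID_NS + "name")
            if name:
                names.add(name)
    return names


def audit(manifest_xml, category):
    """Return (excess, sensitive_excess) relative to the approved baseline."""
    excess = requested_permissions(manifest_xml) - APPROVED.get(category, set())
    return sorted(excess), sorted(excess & SENSITIVE)
```

An unknown category has an empty baseline, so every requested permission is reported as excess rather than silently accepted.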
8. IoT devices
The Internet of Things (IoT) connects all smart devices to the surrounding Wi-Fi network. Within a corporation, that network often also allows employees to access company data. Smaller smart devices differ from phones and laptops in their security controls and operating system (OS) updates: They don't always provide the same authentication measures, and not all of them are patched and updated.
Even IoT devices that do receive patches and updates still pose a risk to enterprises if they collect data for or from company databases. Centralized architecture expands the range of devices and data that can be accessed in an attack, according to Trend Micro.
"A centralized architecture means that the data gathered by each device and sensor will be communicated to a base station. In an enterprise, the main database could be the very same one used by thousands of devices that gather an astonishing amount of data," says Trend Micro on IoT attacks.
Although a single database initially may be more affordable, it exposes more enterprise devices and data to exploitation. To protect company data, organizations should use multiple databases and only connect company databases to IoT devices that are specifically vetted for secure enterprise use.
Another solution to protecting a company’s internal network is having two different Wi-Fi networks — one for only company devices and one for employees' personal phones. Restricting BYOD policies could also include forbidding smaller smart devices, such as watches, from being on the same network as a company-used device. Then an attacker cannot move laterally to the main company network after they access, for instance, an employee's intelligent space heater.
9. Password mistakes and stolen credentials
Employees often share passwords to help each other access accounts, but giving out passwords is dangerous. It increases access to sensitive data, including via mobile devices, and removes some of the security that passwords provide.
Company accounts should have strong, unique passwords. Password management software, such as LastPass or 1Password, can help companies manage and safely share passwords, rather than insecurely sending them through direct message or a written note.
Companies should also operate on a least-privilege access system. This method of restricting sensitive data only gives employees access to the applications and files that they absolutely need to do their job.
10. Devices that are old or aren't updated
Some of the oldest mobile devices in use, such as phones from years ago, can no longer receive the latest operating system updates, and devices that don't have the latest security updates and patches can be more susceptible to attacks.
It's difficult, and not always financially feasible, for all employees to have new devices, but companies can reduce risk by limiting the applications and permissions on older devices. And any other devices should be regularly updated.
Using only encrypted transmissions of data and encrypted web pages can also help older mobile devices avoid basic security vulnerabilities such as session hijacking.
Staying ahead of mobile attacks is one of the biggest endpoint challenges for enterprises. Because mobile devices are so much more flexible and simple to use, they're also a target for hackers.
The COVID-19 pandemic created more opportunity for attackers to exploit the increased use of mobile devices, whether for ordering packages or food, performing contact tracing or working from home. Overloaded with other concerns, IT teams struggled to meet the demand for greater security.
In 2021, businesses can focus on managing employee device usage at work and BYOD policies that help enforce mobile workplace security. Employees will also benefit from training that informs them of typical phishing and other social engineering attacks, explaining how those happen and increasing their awareness through repetition.
For devices such as IoT hardware, enterprises should exercise extreme caution when installing them within the company's network and consider limiting which Wi-Fi networks and other corporate devices they can access.