Top 10 Mobile Security Threats for Enterprises
The COVID-19 pandemic required many workers to begin performing their job duties at home, and this often meant employees used personal mobile devices for work calls, data access and financial transactions. IT teams weren't prepared for the increased security threats from the broader use of mobile devices for work.
Mobile devices already posed enough of a danger to users before the pandemic and the work-from-home push: smaller screens, which show less information about applications and sources; the availability and proliferation of third-party applications, and the psychological effect of instant notifications create an environment that makes it easy to trap unsuspecting people.
The following 10 mobile security threats, based on recent research, industry findings, and responses from security experts, are the main causes of mobile device breaches, infections and data loss. They threaten both individual device owners and businesses.
Phishing is one of the major cybersecurity threats for both individuals and businesses, but it is even more concerning for mobile users.
Normal protective practices to avoid phishing — like hovering over links to see the true URL or easily eyeing the sender's email address — are much more difficult to do on mobile devices. Small screens make identifying phishing more difficult.
Users are also accustomed to quickly clicking downloads or following URLs on their phones through their usual apps, including social media platforms. The caution employees might otherwise exercise on a company computer decreases when it's their personal device.
2. Texting and social engineering
Text messages are another source of mobile attacks, and they're one of the most dangerous, according to Lisa Ashjian, the lead product marketing manager at AT&T Cybersecurity.
"Mobile phishing through SMS, social media, messaging platforms and other vectors is one of the largest threats for mobile," Ashjian said.
Most mobile users are so accustomed to responding to messages and clicking linked items that they may not stop to consider a text-based social engineering scam.
Social engineers know that mobile users trust most of the sources sending them messages and can make an untrusted source look reliable.
"Cyber criminals leverage how mobile users interact with messaging and other communication capabilities on their devices and exploit those vulnerabilities," Ashjian said.
3. Malware and Trojans
It's easier to click links or advertisements on the smaller screen of a mobile device, and it's also more tempting to select choices on a phone while in a rush or working on the go.
Mobile devices make identifying suspicious websites and ads more difficult, and unsecured websites and fraudulent downloads can install malware on the device.
Financial Trojans are another harmful method for stealing personal bank account and card details. A mobile user downloads software or an attachment on their phone and installs a program that can then infiltrate their mobile system and record financial information when the user logs into their bank account.
Kaspersky researcher Victor Chebyshev clarified how Trojans get around authentication measures.
"Banks will send two-factor authorization code to a card owner," Chebyshev said. "However, he will be still infected, and the Trojan will intercept the SMS message with the code and will send it to cybercriminals."
A Trojan's ability to infiltrate a system once downloaded allows it to bypass typical security checks.
4. Open Wi-Fi networks
Free public Wi-Fi networks, though useful for quickly performing tasks or making a web search, are dangerous, because they more easily allow attackers to hijack an internet session.
Some Wi-Fi networks also remember your mobile device after you've only been to the location once, so when you return, your device automatically connects to the network, and you risk your browser session being observed each time.
Man-in-the-middle attacks are one of the most common ways that attackers spy on an internet session. Malware-ridden advertisements, once clicked, allow attackers to see the ensuing web session and potentially steal account credentials. Connection hijacking is another attack that reveals a device's current internet session ID to a hacker.
Open Wi-Fi networks are dangerous for business data, because an attacker could access information from any account or web application the mobile device uses during the session being watched.
5. Careless mobile device use and BYOD failures
Many companies formally permit employees to use their personal mobile devices for work, including under a bring your own device (BYOD) policy. While supplying company-owned laptops, tablets and smartphones allows businesses more control over how employees handle workplace information, it is more difficult to manage their personal devices.
Employees often disregard simple mobile data protection tactics such as a four- or six-digit password or using a variety of account passwords rather than the same one for all logins.
Careless mobile device use also includes logging in to unsecured websites or downloading suspicious files to a phone that also accesses company accounts.
6. Physical device loss
A device breach is often easiest to achieve when the attacker has the hardware in their hands. If it's not password protected, the attacker can access any company platform the user can access.
Mobile security experts consider physical device loss to be one of the most immediate and dangerous threats to users.
Even if a mobile device is locked when stolen, it can still be hacked, and attackers could access sensitive data. Lack of encryption can also increase the risk of data theft.
7. Applications with too many permissions
This applies to both legitimate apps and suspect, malware-ridden ones: Mobile applications that are allowed to roam free on a smartphone have more opportunity to exploit company data.
If unchecked, applications generally collect a large amount of data from phones, which could include company data, such as phone calls and transactions.
Applications from app stores outside of the Google Play Store and Apple App Store also pose a greater risk. Some of these applications, once downloaded, can install malware on a mobile device. Some advanced malware-ridden applications can also make it past the major app stores' constraints, according to Bogdan Botezatu, Bitdefender's director of threat research and reporting.
"Malware creators have increased the level of sophistication for malware to bypass the safety mechanisms in place on the Google Play Store and target relevant victims rather than chasing any user who downloaded the app," said Botezatu, noting that one such recently discovered app had been available through Google Play since 2016.
8. IoT devices
The Internet of Things (IoT) is a largely untapped world thus far, despite how many devices are already connected through Wi-Fi. All the unknowns are what make it so dangerous as well as the difficulty of requiring authentication for smaller devices like sensors and refrigerators.
Businesses are already using IoT devices without properly securing them, according to the device security company FirstPoint.
"A steady rise in commercial and corporate IoT use has led to a growing number of poorly controlled IoT devices on business networks just waiting to be exploited,” FirstPoint says. “These are then manipulated by botmasters, who then use these compromised devices to launch attacks and compromise even more devices."
Botnet attacks are a threat to corporate IoT devices, which often don't have the means to defend against the malware that a bot can use to overtake a system of network-connected devices.
9. Password mistakes and stolen credentials
Unwise decisions at work, particularly regarding account logins, can lead to costly breaches. Mobile applications frequently keep users logged in longer than do browser-based accounts, which could mean that an application isn't password-protected when an attacker breaches a device. Employees often stay logged into an application for multiple sessions.
Most security training requires that employees do not share passwords with each other.
If a password must be shared within an organization, directly permitted by leadership, it should be done through a password vault, not through plain-text messages or handwritten notes.
Password availability makes it easy for attackers to slip into an account once they've breached a mobile device. A hacker can more easily discover a handwritten or emailed password than one shared through a secure password manager. They can then access one or multiple password-protected accounts.
10. Devices that are old or not updated
Not every old mobile device may pose a security risk, but attackers could use an older operating system (OS) — one that hasn't been patched or received the latest security update — to infiltrate a device.
Hardware in IoT networks, such as sensors, smart watches and home systems, isn't designed for regular security patches.
"They don’t generally come with guarantees of ongoing and timely software updates," Cybint Solutions says.
Mobile devices that can't be updated pose an infiltration threat for private corporate networks.