Mobile devices have made it possible for employees to work and communicate from just about anywhere. But that convenience comes at a price. The rise of mobile devices and the rise of mobile security threats have gone hand-in-hand. Mobile devices like phones, tablets, and ChromeOS devices present an incredible vector for phishing, social engineering, and malware distribution — and threat actors are keenly aware of that fact.
If a threat actor compromises an employee’s mobile device, the fallout could affect your entire organization. More than 90% of employees use personal devices for work purposes, meaning that a single ill-gotten password could give an attacker access to a wealth of sensitive resources.
To protect against potential cyberattacks, you should understand how threat actors target mobile devices, learn proven ways to mitigate these risks, and implement effective security measures to counteract the threats.
7 Top Mobile Security Threats to Guard Against
Smartphones and tablets are versatile tools, and modern mobile security threats are equally versatile. Threat actors can compromise mobile devices through phishing, malware, social engineering, other networked systems, or even physical theft. Any one of these methods could threaten both individual and organizational data.
1. Mobile phishing scams
Most readers are probably familiar with phishing, where a threat actor impersonates a trusted entity to glean compromising information. Attackers often want passwords, banking details, or social security numbers, but they could also be after organizational data. Impersonating a boss or coworker and asking for sensitive information is a tried-and-true social engineering trick.
Smartphones make phishing easier to pull off for threat actors, and harder to spot for potential victims. Email is still a common vector for phishing, but attackers can also leverage SMS messages, chat services, social media sites, dating applications, and even QR codes. Furthermore, phishing scams that are obvious on a computer may be hard to spot on a mobile device. Smaller screens and less detailed interfaces make it more difficult to verify a sender’s identity.
2. Risky and malicious apps
Some apps request permissions well beyond what they actually need to run, then harvest clerical details and metadata from unsuspecting users. Others can actually steal sensitive information or install malware. These apps can deceive even experienced users by mimicking safe, well-known programs.
Employees who download unvetted apps on a company device or personal device with access to company information may introduce potential cybersecurity risks. This is a common issue associated with “shadow IT,” or the use of unauthorized apps at work.
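The over-permissioning problem described above can be checked mechanically before an app is approved. The following is an added example, not code from the original article or from Lookout: it compares the permissions declared in a decoded AndroidManifest.xml against a baseline for the app's category. The baseline table, the category names, and the sample manifest are assumptions constructed for illustration; the permission names are real Android permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PERMISSION_TAGS = {"uses-permission", "uses-permission-sdk-23"}

# Real Android permissions that gate personal data or sensors.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
}

# Assumed organizational baseline: what each app category plausibly needs.
BASELINE = {
    "flashlight": {"android.permission.CAMERA"},
    "navigation": {"android.permission.INTERNET",
                   "android.permission.ACCESS_FINE_LOCATION"},
}

# Constructed manifest for a hypothetical flashlight app (already decoded
# from the APK's binary XML to text; that decoding step is assumed).
SAMPLE_MANIFEST = """<manifest
    xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_SMS"/>
</manifest>"""

def requested_permissions(manifest_xml):
    """Collect every permission name the manifest declares."""
    root = ET.fromstring(manifest_xml)  # use a hardened parser for untrusted files
    names = {el.get(ANDROID_NS + "name") for el in root if el.tag in PERMISSION_TAGS}
    return names - {None}

def audit(manifest_xml, category):
    """Return (excess, high_risk): permissions beyond the category baseline,
    and the subset of those that touch personal data or sensors."""
    if category not in BASELINE:
        raise ValueError(f"no baseline defined for category {category!r}")
    excess = requested_permissions(manifest_xml) - BASELINE[category]
    return sorted(excess), sorted(excess & SENSITIVE)

if __name__ == "__main__":
    excess, high_risk = audit(SAMPLE_MANIFEST, "flashlight")
    print("beyond baseline:", excess)
    print("needs review before approval:", high_risk)
```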
3. Device theft and data breach risks
Stealing a desktop computer in a company office is relatively difficult; stealing a smartphone in a crowded restaurant is relatively easy. Some device thieves simply want to wipe phones and tablets before reselling them. But others want to extract any valuable information from the gadget first. That information could easily include company passwords or documents, either in phone storage or an easily accessible cloud app. Furthermore, imitating someone via email or SMS is trivial if an attacker has their phone in hand.
4. Operating system and app vulnerabilities
No operating system is perfect. Security researchers find new vulnerabilities in Android and iOS, and the apps on each platform, every month. (And that’s the best-case scenario — sometimes, threat actors find those vulnerabilities instead.) Most of the time, Google, Apple, and other developers patch these vulnerabilities before attackers can exploit them. But users often have to download these patches manually, and they don’t always do so in a timely manner. This is particularly troublesome in bring-your-own-device (BYOD) workplaces, as administrators rarely have direct control over personal devices. Additionally, employees might own outdated hardware, which won’t receive any new security patches.
5. Network threats
Even if an employee locks down their phone, downloads patches as soon as they’re available, and eyes every new message with suspicion, there are other ways to compromise a mobile device. One common method is a man-in-the-middle attack, where a threat actor acquires data while it’s in transit. Public Wi-Fi networks and unsolicited Bluetooth connections are common attack vectors. Even encrypted files are not totally safe from man-in-the-middle methods, as threat actors can often find the decryption key on the same machine that sent the file.
6. Weak passwords
Using weak passwords anywhere is a problem, and that’s doubly true for mobile devices. If a thief gets their hands on a mobile phone, an easily guessable PIN or password may grant them full access to the device. Weak passwords on Wi-Fi networks can provide a clear window into mobile device traffic; weak passwords in iOS or Android accounts make it easy to install shady apps remotely; weak passwords in social media apps make it easy to impersonate an employee. If your username or password has ever been involved in a data breach, it’s time to change it.
7. IoT device vulnerabilities
“Smart” devices are often anything but. While Internet of Things (IoT) gadgets don’t usually contain much sensitive data, they can serve as excellent gateways into otherwise secure networks and devices. Furthermore, since IoT products come from so many different manufacturers and employ so many different connection protocols, it can be difficult to determine which ones are reputable, whether they have any existing vulnerabilities, and how often new patches come out.
Take Charge of Your Mobile Security Measures
Educate users on common mobile security threats
One of the best ways to protect mobile devices, and your organization’s data, is to teach your staff about common mobile security threats. Show them what a phishing message looks like. Suggest that they visit the App Store or Play Store today, and see how many of their apps need updating. Ask them when they last changed their password, and whether that password was any good.
Employees should also have a clear procedure for reporting cyber threats to either IT or a dedicated security team. There should be methods for logging suspicious emails, as well as SMS messages, chat requests, and even phone calls.
Create common-sense BYOD policies
Employees are going to use their own devices for work, whether you want them to or not. Rather than trying to ban personal devices outright, work with your employees to create smart, reasonable BYOD policies. To enhance BYOD security, you can limit sharing of sensitive data, containerize cloud apps, and monitor user behavior for irregularities. Of course, the best thing you can do is teach your employees how to recognize and avoid common threats, touting the benefits if they do and the consequences if they don’t.
Safeguard sensitive data
Depending on what your organization does, your employees may not actually store much sensitive data on their mobile devices. However, they almost certainly have access to your organization’s cloud services, such as email, file storage, and employee directories. That’s a gold mine for potential threat actors.
A data loss prevention (DLP) solution can be especially helpful here. These technologies can track how your employees access, store, and share data, and flag any irregular patterns. A good DLP program can monitor these patterns on mobile devices as well as desktops and laptops.
Go beyond one-time authentication
One-time authentication grants users access to apps and services as long as they have the correct credentials. This is convenient but presents a number of potential cybersecurity holes. With stolen devices or credentials, threat actors could easily log into an employee’s account and stay there undetected for weeks or months.
A zero-trust approach is a safer alternative. Zero-trust systems require frequent logins, strong multi-factor authentication (MFA) protections, and secure internet connections. A zero-trust architecture also requires organizations to continuously track the changing risk levels of users and devices to determine whether they’re accessing sensitive data in a responsible manner.
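The difference between the two models is easiest to see when the same requests are run through both. The following is an added example, not code from the original article or from any Lookout product: it contrasts a one-time credential check with a per-request decision that also weighs session age, MFA, network, and device patch level. The thresholds, resource names, and the "allow-limited" outcome are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed policy thresholds (illustrative only).
MAX_SESSION_AGE_S = 8 * 3600          # force a fresh login after 8 hours
MAX_PATCH_AGE_DAYS = 60               # device OS patch level must be recent
SENSITIVE_RESOURCES = {"hr-records", "source-code"}

@dataclass
class Request:
    password_ok: bool       # credentials were correct at login
    mfa_ok: bool            # a second factor was verified for this session
    session_age_s: int      # seconds since the last interactive login
    network_trusted: bool   # False for open public Wi-Fi, for example
    patch_age_days: int     # age of the device's OS security patch level
    resource: str

def one_time_auth(req):
    """One-time model: correct credentials at login are enough indefinitely."""
    return "allow" if req.password_ok else "deny"

def zero_trust(req):
    """Re-evaluate user, device, and network on every request."""
    if not req.password_ok:
        return "deny"
    if not req.mfa_ok or req.session_age_s > MAX_SESSION_AGE_S:
        return "reauthenticate"
    elevated_risk = (req.patch_age_days > MAX_PATCH_AGE_DAYS
                     or not req.network_trusted)
    if elevated_risk:
        # Risky context: block sensitive data, restrict everything else.
        return "deny" if req.resource in SENSITIVE_RESOURCES else "allow-limited"
    return "allow"

# Constructed requests: a weeks-old session on a stolen phone, a fresh login
# over public Wi-Fi, and a healthy managed device.
STOLEN_SESSION = Request(True, True, 21 * 86400, True, 10, "hr-records")
PUBLIC_WIFI = Request(True, True, 600, False, 10, "hr-records")
HEALTHY = Request(True, True, 600, True, 10, "hr-records")

def compare(req):
    """Return both models' decisions for the same request."""
    return one_time_auth(req), zero_trust(req)

if __name__ == "__main__":
    for name, req in [("stolen session", STOLEN_SESSION),
                      ("public Wi-Fi", PUBLIC_WIFI), ("healthy", HEALTHY)]:
        print(name, compare(req))
```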
Implement comprehensive mobile endpoint security
A mobile device management (MDM) solution for your corporate-owned mobile devices is a good place to start, but an MDM may not provide enough protection by itself. While MDM systems can track and monitor mobile devices, they can’t detect threats or prevent real-time attacks. They also can’t secure BYOD devices.
A mobile endpoint detection and response (EDR) solution can complement an MDM and fill in the gaps. A good mobile EDR program can integrate with your existing MDM systems and will enable you to manage and apply security policies on both managed and unmanaged devices.
Take advantage of mobile threat intelligence
Mobile security threats are constantly evolving, which means your countermeasures have to evolve as well. Lookout Threat Intelligence is a great resource for learning about the latest trends in phishing, vulnerabilities, malware, and more. Understanding the latest threats is the first step toward devising effective mitigation strategies.
Implementing Comprehensive Mobile Device Protections
Mobile devices are a part of your organization’s everyday workflow. Whether company-issued or employee-owned, smartphones and tablets can access, modify, and share sensitive data. That’s why your organization needs to safeguard mobile devices with the same diligence as it would desktops and laptops.
Lookout Mobile Endpoint Security can help. Our comprehensive software package provides scalable EDR protection for Android, iOS, and ChromeOS devices. This service also helps protect employees from phishing attempts, malware distribution, and unsecured network connections.
For a useful primer on the subject, download The Mobile EDR Playbook: Key Questions for Protecting Your Data from Lookout. This e-book discusses how mobile devices factor into your overall cybersecurity strategy, as well as how to mitigate common mobile risks. With the right information at hand, you can make your company’s mobile devices an asset rather than a liability.
Blog courtesy of Lookout. Regularly contributed guest blogs are part of MSSP Alert’s sponsorship program.