Mobile devices like smartphones and tablets have become ubiquitous in both the personal and professional spheres. Often there is overlap between the two – checking the work email from home on the weekend is not uncommon these days. In 2016, mobile browsing overtook desktop internet use for the first time. If anything, it’s an indication that smart devices aren’t going away. It begs the question: if smart devices are so common, why don’t we worry about their levels of security? Desktop computers are associated with anti-virus software and automatic password updates. The same cannot be said for mobile devices. This article is all about exploring the risks that a lack of mobile security can have on businesses. We’ve included some steps you can take to reduce those risks as well.
Threats to mobile security
Third party applications downloaded through official app stores or directly online are often the gateway for hackers to gain access to mobile devices. They are by no means the only access point. The methods vary and the consequences do, too. Some hackers set out to steal sensitive data to on-sell, while others steal to gain a competitive advantage. Data can be encrypted maliciously until a ransom is paid to retrieve it. Here is a list of the most common ways a mobile device can be compromised.
Malware installation
This can occur by downloading an innocuous looking app that contains malware hidden inside its code. It can also come about by users clicking malicious links or Remote Access Trojans (RATs). These arrive as text messages disguised as security updates or verification codes. Some malware forces a pop-up window in front of banking apps that mimics the log in screen. If it goes unnoticed, full login details are given to hackers without a second thought.
Phishing emails
Mobile users are much more at risk of phishing emails than desktop users. Phishing emails mimic authentic emails sent by reputable companies. Encouragement to pay invoices or ‘click here for more information’ lead to security breaches and data theft. Mobile users are more vulnerable because the smaller screens can obscure any potential red flags, and often mobile users have divided attention, which means they may miss warning cues.
Data leakage
This is another area of risk that comes with downloading apps without due diligence. When installing apps, it’s common to click through a number of permissions before being able to access the functions. The trouble is, these permissions may allow for data mining. The data from the device (which could be personal or corporate data) is sent to remote servers. This collated data can be bought, sold or stolen by criminals and advertisers alike.
Ransomware
Ransomware attacks are becoming more common and have been making headlines due to their effectiveness at disrupting various large companies and institutions. It is still reasonably uncommon for mobile devices to be held to ransom by this disabling style of malware but incidences are said to be on the rise. You can easily identify a ransomware attack as the device will become unresponsive and unusable, and a ransom message may be displayed on the screen.
How to increase mobile security
The methods of protecting mobile devices are much the same as those for desktop computers. A combination of education, policy and monitoring should help to reduce the risks.
Educate employees
Many malware installations occur when employees are unaware of online risks and threats. Simple steps can have a large impact on risk reduction.
- Knowing how to identify phishing emails is critical as many breaches come through this medium.
- Don’t click on links in unsolicited SMS messages. Verification SMS will usually contain a code to be entered into a field on an open browser.
- Don’t install third party applications on company devices. The risks may appear small but this is the fastest way to install malicious code onto a device. It’s also a flexible gateway, as many different risks are able to be ferried in.
- Avoid connecting to unsecured wifi networks, especially if it asks users to create a free login. Unsecured networks are particularly vulnerable to hackers (and may have been established by hackers). Creating a free account impulsively often draws users to input a commonly used password. Once hackers have this, it’s often very easy to test this password against other logins and gain unlimited access to confidential data.
Enforce policies
Some of these modifications can be set by your IT support team before allocating devices to employees. Other ideas may need to be created and filed away for times when a quick response is required.
- Install anti-virus and anti-malware software on mobile devices. This applies to both Android and Apple devices. Email scanning may be an additional option.
- Require passcode authentication (and biometric authentication where available). This limits incidental access to the device.
- Change settings to hide messages on lock screen. This should stop casual eyes from seeing sensitive emails or messages without unlocking the device.
- Allow automatic patches and updates, or require immediate installation by users. This is critical to avoid leaving signposted gateways for hackers to exploit. If automatic installation is not available, require employees to act on update notifications straight away.
- Restrict physical access to devices. Assign devices to individual staff. If an employee resigns, the device must be forfeited and all remote access to company files must be disabled.
- Monitor device usage to ensure inappropriate content is not being engaged with, including suspicious or known vulnerable websites.
- Create an incident response plan for the times when a device goes missing or is stolen. If a plan is in place to disable the device remotely (also known as ‘bricking’ a device) it should be simple to follow a procedure. This will quickly limit access to sensitive data and contacts.
About Mustard IT, Your Mobile Security Partner
Mustard IT provides comprehensive IT support, education and training in all areas of mobile security. Our trusted team are experienced able to explain complex issues to you in a language you’ll understand. Contact us today to find out how we can help you.