Mobile security is an important link in the security chain. With the growing use of mobile devices, both personal and company-provided, employees without proper security awareness training can make it easier for attackers to reach corporate data.
In general, there are two ways to compromise a smartphone. The first is by gaining physical access to the device: statistics show that there are still users who skip setting up a lock screen unless it is required by certain applications, such as Outlook. The second is via outdated or vulnerable software. For this reason, security specialists always recommend installing updates as soon as they are available, as they often contain important security patches.
Additionally, the use of public Wi-Fi networks (such as the ones in hotels, restaurants and cafes) has its own risks. Even though not all of them are insecure, the general recommendation is to never perform sensitive actions (such as accessing corporate data or performing financial transactions) over unfamiliar Wi-Fi networks. You might connect to a rogue or fake access point without even realizing it. Data leakage is one of the most dangerous threats to both personal and corporate security, which is why it is important not to trust any public Wi-Fi network.
This revolution in the world of work involves behaviors that some employees may have, such as:
Mobile users are at a greater risk of falling for phishing attacks, as certain mobile clients might display only the sender’s name. Moreover, the threat is not limited to email: the security firm Wandera noted in its latest mobile threat report that 87% of phishing attacks over the past year took place outside of mail, in text messages, social media services and games. Phishing schemes are becoming more and more convincing, as attackers are diversifying their methods. For example, according to the same report, in 2020, 7% of mobile phishing attacks contained Punycode.
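As an added illustration (not part of the Wandera report or of the original article), the following Python sketch shows how a mail or messaging filter could flag links whose hostname contains Punycode (`xn--`) labels and reveal what the user would actually see. The function names, the script heuristic and the sample messages are assumptions constructed for this example.

```python
import re
import unicodedata
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def decode_host(host):
    """Return the Unicode form of a hostname, decoding each xn-- label."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the raw ASCII form
        labels.append(label)
    return ".".join(labels)

def scripts(text):
    """Rough script detection from Unicode character names (heuristic)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in text if ch.isalpha()}

def flag_links(message):
    """Return one finding per link whose host contains a Punycode label."""
    findings = []
    for url in URL_RE.findall(message):
        host = urlsplit(url).hostname or ""
        if not any(l.startswith("xn--") for l in host.split(".")):
            continue
        shown = decode_host(host)
        # A single label mixing scripts (e.g. Cyrillic + Latin) is a strong
        # look-alike signal; a single-script IDN is usually legitimate.
        mixed = any(len(scripts(l)) > 1 for l in shown.split("."))
        findings.append({"host": host, "displayed_as": shown,
                         "mixed_script": mixed})
    return findings

# Constructed sample messages (not real traffic).
SAMPLES = [
    "Your parcel is waiting: https://xn--pple-43d.com/track?id=1",
    "Meeting notes: https://example.com/notes",
    "Willkommen: https://xn--mnchen-3ya.de/",
]

if __name__ == "__main__":
    for msg in SAMPLES:
        for finding in flag_links(msg):
            print(finding)
```

The first sample decodes to a label that starts with a Cyrillic "а" followed by Latin "pple", which is flagged as mixed-script, while the single-script German IDN in the third sample is reported but not flagged.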
Another aspect we recommend users pay attention to is the set of permissions that an application requests.
These are some of the mechanisms a malicious actor can use to compromise a device, especially when vulnerabilities exist (whether known or zero-day). From a compromised device, the attacker can pivot within corporate networks, especially if there are no adequate security checks (for example, Threat Hunting or Deep Packet Inspection).
Among the most serious risks that a company can be exposed to when it comes to personal mobile phone usage are:
To minimize the risks when employees use their smartphones for work (the so-called BYOD, “Bring Your Own Device”), it is necessary, on the one hand, to keep them constantly informed of the evolution of threats and to ensure that they make correct and responsible use of the devices. On the other hand, it is essential to have a mobile device management solution for the centralized management of the devices used by employees.