You're probably reading this list on your phone. Mobile is quickly becoming one of the most used endpoints in the enterprise. However, there is a common misconception that mobile devices don't get malware or viruses, or need protection, which is just not true.
According to Pew Research Center studies, 85% of Americans own and use smartphones. Businesses are expanding work-from-home practices and BYOD and COPE strategies for mobile devices to enable an on-the-go workforce. While many companies have invested in mobile device management (MDM) tools, the majority of mobile endpoints still lack protections against threats like phishing, malware and mobile-OS exploits.
Here are four of the top mobile security threats, and steps IT organizations can take to protect these critical endpoints.
Have you noticed an increase in spam messages or an increase in spam calls? Phishing is one of the most common points of entry to start an attack. Phishing describes types of attacks wherein the bad actor poses as a reputable person or company, usually via email or phone call. Mobile devices hold a lot of data, including in email, text and other messaging apps.
Many organizations invest in web gateways, proxies and next-gen firewalls for security. Attackers find holes in those solutions, such as attacking via an employee's personal email and texts instead of corporate email. In 2018, Amazon's then-CEO and Washington Post owner Jeff Bezos had his mobile phone hacked after receiving a malicious video file in a WhatsApp message. A large amount of data was copied from his device.
How social engineering weaponizes phishing. Hackers can use social engineering to research users they would like to attack, looking for key attributes like the company where they work, job status, recent posts and updates. This approach is sometimes called spear phishing. That info reveals entry points for hackers to gain users' trust, usually through email or other social posts and messaging. Their aim is to get the user to share sensitive company data and information. While technology plays an important role to help proactively secure devices and users, the danger of social engineering is that it relies on human error, allowing a bad actor to infiltrate through phishing sites and malicious applications.
Phishing sites are often URLs opened from a link. These malicious URLs often look similar to an authentic site to trick users into thinking they are on the legitimate site. Phishing attackers use:
- email, both corporate and personal;
- text or a message from similar applications like Facebook Messenger, WhatsApp and iMessage; and
- social platforms like Facebook, Twitter and Instagram.
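The look-alike URLs described above can be triaged mechanically before a link reaches a user. The following is an added example, not part of the original article: a minimal hostname check against an allowlist, where the `TRUSTED` set, the verdict strings and the sample URLs are constructed assumptions, and the "last two labels" shortcut stands in for a real public-suffix lookup.

```python
from urllib.parse import urlsplit

# Assumption: registrable domains the organization really uses (constructed).
TRUSTED = {"example.com"}

# Digits often substituted for look-alike letters: 0->o, 1->l, 3->e, 5->s.
FOLD = str.maketrans("0135", "oles")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Return a verdict for the hostname of a URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host:
        return "invalid"
    if any(host == t or host.endswith("." + t) for t in TRUSTED):
        return "trusted"
    # Internationalized labels can render as visually identical characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "punycode"
    # Trusted name used as a prefix or substring of someone else's domain.
    if any(t in host for t in TRUSTED):
        return "embeds-trusted-name"
    # Undo common character swaps, then compare the last two labels
    # (simplification: no public-suffix list) to each trusted domain.
    folded = host.translate(FOLD).replace("rn", "m")
    base = ".".join(folded.split(".")[-2:])
    if any(edit_distance(base, t) <= 2 for t in TRUSTED):
        return "lookalike"
    return "unknown"

if __name__ == "__main__":
    # Constructed sample links.
    for u in ["https://www.example.com/login", "https://examp1e.com/login",
              "http://example.com.account-verify.net/", "https://weather.test/"]:
        print(f"{classify(u):20} {u}")
```
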
Preventive measures for phishing attacks on mobile devices. The best first line of defense is to train mobile users. Inform employees and anyone else with corporate access about how phishing attacks look. Use mobile threat defense (MTD) to help secure devices and end users from phishing attacks. MTD tools secure devices through on-device scanning and detection, using advanced algorithms and filters to prevent attacks in real time. If a device does get hacked, MTD software can quickly quarantine it, preventing potential data loss.
2. Malicious applications
Malicious apps are designed to collect personal and corporate information and transmit it to third parties.
Official app stores like Apple App Store and Google Play have many checks and balances set to prevent malicious code. Apple reviews apps and Google Play has its Protect service. However, apps are known to get through these processes. Additionally, with open mobile OSes like Android, users can install applications from other sources, increasing the exposure to malicious attackers.
How to block malicious app downloads. Companies can invest in MDM as a first line of defense against malicious apps. A properly managed device greatly reduces the potential for potentially harmful app (PHA) installation. According to Google's Android Ecosystem Security Transparency Report, on devices that are properly configured with MDM policies such as blocking installation of unknown applications, PHA can drop to .004%. The same goes for iOS; proper MDM configurations and DLP policies can greatly reduce the chance for rogue applications to exploit the device and OS. With MDM, the IT admin can blocklist various applications and allowlist others for the devices enrolled in the MDM system. MDM tools also have other security policies to prevent data loss. Companies can supplement mobile device management with an MTD tool for more advanced protection in real time. MTD software detects and combats malicious behavior from an app or a zero-day attack, wherein hackers exploit a vulnerability in legitimate software before the vendor can patch it. MTD tools quarantine or disconnect the device to minimize the attack's effects.
Inform mobile device users about security threats and changes to thwart both phishing and malicious app downloads. Develop a mobile device security policy so these users understand the importance of device security and how to use a device that accesses corporate data. These policies must account for all sorts of factors that users and IT admins could encounter during their workday. Include acceptable use policies, device ownership guidelines, mobile update strategy, extensions of existing security policies and more. IT admins can enforce this policy through a combination of tools and platforms such as MTD, MDM and enterprise mobility management (EMM), and soft management methods such as end-user training and documentation.
3. Insecure Wi-Fi and network spoofing
You've heard not to use "Starbucks Wi-Fi" for business. The reason is spoofing and insecure networks. Attackers can easily mimic Wi-Fi networks to intercept device traffic. Open or "free" Wi-Fi hotspots are notorious for man-in-the-middle and similar attacks where the bad actor intercepts and eavesdrops on device network traffic. The user, in many cases, does not need to perform any actions on the device for the attack to happen. For example, a smartphone connects to a known network, like a coffee shop. The smartphone will always try to automatically join a known network if it is in range again. A hacker can easily impersonate -- called spoofing -- the identical Wi-Fi Service Set IDentifier (SSID), which is the network's name. Hackers use this method to collect company information undetected by the mobile device user.
How to stop network spoofing. IT organizations can use MDM to enforce Wi-Fi policies on corporate-only and BYO devices, including allowlisting certain SSIDs. Additionally, an MDM can enforce data loss protection and encryption policies to secure mobile devices. Businesses can also supplement an MDM setup with an MTD tool for more advanced detection of malicious behavior, like man-in-the-middle attacks.
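Because a spoofed network advertises the identical SSID, an allowlist keyed on the name alone cannot tell the two apart. The following added example (not from the original article) evaluates scan results against a policy that also pins the expected security type and known access points; the policy shape, field names, verdict strings and scan data are all hypothetical and constructed.

```python
from collections import defaultdict

# Assumption: hypothetical policy shape; a real MDM uses its own schema.
POLICY = {
    "CorpNet": {"security": "WPA2-Enterprise",
                "bssids": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}},
}

# Constructed scan results: (ssid, bssid, advertised security).
SCAN = [
    ("CorpNet", "aa:bb:cc:00:00:01", "WPA2-Enterprise"),
    ("CorpNet", "de:ad:be:ef:00:01", "Open"),
    ("CorpNet", "de:ad:be:ef:00:02", "WPA2-Enterprise"),
    ("corpnet ", "de:ad:be:ef:00:03", "Open"),
    ("CoffeeShop", "11:22:33:44:55:66", "Open"),
]

def assess(ssid, bssid, security, policy=POLICY):
    """Verdict for one advertised network."""
    rule = policy.get(ssid)
    if rule is None:
        # Names that differ only by case or padding imitate an allowlisted SSID.
        canon = {name.strip().casefold() for name in policy}
        if ssid.strip().casefold() in canon:
            return "block: imitates allowlisted SSID"
        return "block: SSID not allowlisted"
    if security != rule["security"]:
        # Same name, different protection: never auto-join.
        return "block: security differs from policy"
    if bssid.lower() not in rule["bssids"]:
        return "alert: unknown access point for allowlisted SSID"
    return "allow"

def findings(scan=SCAN):
    """Group the BSSIDs seen in a scan by verdict."""
    out = defaultdict(list)
    for ssid, bssid, sec in scan:
        out[assess(ssid, bssid, sec)].append(bssid)
    return dict(out)

if __name__ == "__main__":
    for verdict, aps in findings().items():
        print(f"{verdict}: {', '.join(aps)}")
```

The unknown-access-point result is a signal for investigation, not proof, since a hardware address can be copied as well; the pinned security type is the stronger control.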
4. Poor update habits for devices and apps
Keeping endpoints and applications updated is one of the best ways to ensure company data and information is secure. Updates and patches fall under the category of cyber hygiene, along with complex passwords and multifactor authentication. Unpatched devices and applications often contain vulnerabilities that attackers try to exploit to collect personal and corporate data.
How to stay up to date. Both Apple and Google publish updates to patch security vulnerabilities and exploits to prevent future attacks, limiting the potential for zero-day vulnerabilities. For Android, Google has started publishing monthly security patches that other device manufacturers can implement for their customers. Apple is also proactive with multiple mobile OS updates a year, ensuring devices are secure. Companies can enforce device update policies, as well as manage application updates, via an MDM tool.