More and more small businesses are offering mobile devices to their employees as a means of increasing productivity and improving efficiency. It should not surprise you that these devices, and those belonging to the employees, pose a potential security risk to the network infrastructure. One survey found that 45% of businesses do not have a policy or plan to provide IT support for these devices. Businesses need to acknowledge the threat that mobile devices pose and take preemptive action to avoid the costly downtime, diverted resources, loss of data, and damage to the company’s public image that a malware attack can cause.
Computers are getting better and better at detecting malware. Security software is updated constantly with known attacks and users are more educated on the source of digital attacks. Simultaneously, hackers are getting better and better at tricking or bypassing internal controls. In August 2016, we referenced one piece of malware that hid in image files from online advertisements and went undetected for months. While this threat has been identified and neutralized, there are ever-more inventive ways that hackers are accessing the personal and corporate data that exists on servers across the globe.
Mobile devices pose a potential security hole since few users have any type of security software on these devices. You may be scratching your head and saying, “I’ve never gotten a virus on my phone…” and you are most likely correct in that assumption. Phones typically do not get viruses. They have some inherent security measures that work pretty well. For example, since the majority of mobile downloads come from a trusted source (i.e. Google Play or the App Store) the risk of downloading a virus is minimized.
So, why are you reading an article about mobile security threats if these devices don’t get viruses? Semantics. A virus is malicious code that replicates by attaching to another program and often disrupts the performance of a computer or program. “Virus” has come to be a general term used for all malicious software, but this is a misnomer. The correct term for malicious code in general is “malware,” and a virus is just one form of it (just like a poodle is a dog, but not all dogs are poodles).
Malware is distributed by hackers who usually seek a monetary benefit. This can come directly from scamming money from the user or from mining the data and selling it to third parties. Piggybacking on a mobile device until it connects to a secured network is a pretty appealing way to access a business’s data.
So where would a phone get malware? Your chosen browser is the most likely source. Users will sometimes cruise the internet in search of free apps, and many of those come with malware attached. Even if you are only downloading from trusted sources, there are ways for sites to initiate a download without user intervention. QR codes, which have become a wonderful way of connecting mobile devices to information, can be a source of malware, too. Additional security holes are opened up when a phone is “jailbroken,” and mobile devices from outside of the United States are far more prone to malware than those sold within the United States.
What can you do to mitigate the risk?
1. Start by creating a written policy for mobile devices. The purpose of the policy is the first thing to write down. Is your main goal to protect your customers or comply with regulations? You should then enumerate which mobile devices will be carrying data and examine the origin, use, and sensitivity of that data. Identify the mobile threats associated with each device. Decide which devices will be encrypted and how. Decide on the scope of your policy – Do all devices need to abide by this policy or only company-issued devices? TechTarget has a great article on writing a mobile device security policy.
2. Get a security app on every device. If you provide your employees with devices, then ensure that a security app like Lookout, Norton, or McAfee has been installed on the device. Don’t rely on the end user to do this. Be proactive and have your IT company secure every device before it is distributed. If your policy includes employees’ personal devices, then encourage them to bring in their devices to be secured or have everyone download your chosen security app at the next big meeting.
3. Enable a mobile device’s lock screen. The biggest and easiest security hole to avoid is the unlocked phone. Requiring employees to have a PIN, password, fingerprint, etc. on their lock screen can prevent the loss of corporate data if the phone is left in a public place. Keep in mind that there may be loopholes within the device’s software that allow hackers to bypass the lock screen altogether.
4. Encrypt company devices. If your company deals with especially sensitive data, then this is a solid solution. As mentioned, the lock screen is not a fool-proof solution, and sometimes an update or patch can open a back door. Encrypting your data ensures that even if a hacker gets in through a back door, they are presented with a jumbled mess rather than your data on a silver platter. Android phones can be encrypted by going into Settings->Security and selecting “Encrypt phone”. This will make the data illegible and prevent it from being harvested for malicious purposes. A note of caution: once you encrypt, the only way to go back is a factory reset.