Smartphones have become integral to our lives, so it’s natural they’re common in the workplace. But what risks for business and data security does this present?
Your employees are now spending more time using their mobile phones than ever before. Smartphones are a constant companion for many people. These devices have become an integral part of our working and personal lives. But could the phones we find so difficult to put down be a threat to our business security?
Smartphones have permeated the workplace and become intertwined with the working day. It’s normal for employees to use both personal and company devices for work purposes throughout the week. The average employee likely checks work emails on their phone, downloads attachments, and uses a file sync and share solution to access work files remotely.
Unfortunately, this could pose a huge threat to the security of your data and your clients’ data, but only if you don’t have the right security measures in place.
Why cyber criminals are targeting smartphones
The number of cyber-attacks on mobile phones has increased year after year since 2018, and it’s not surprising: they represent the ideal target for a successful cyber-attack. Here are just some of the reasons why:
- People often assume their smartphone is not at risk from viruses and malware, so they don’t take extra steps to protect it (this is especially true for people with Apple iPhones, but the reality is that malware DOES exist to target your smartphone)
- Almost everyone uses a mobile phone on a daily basis, so there is lots of opportunity for attack
- Smartphones carry masses of detailed data about their user, including financial information, confidential images, social media data, location data, and passwords – this makes them a treasure trove for cyber criminals
- Apps are an easy route into smartphones: they can be infected with malware and then innocently downloaded by the user. And it’s more common than you might think. In fact, 1 in 36 smartphones have high-risk apps installed!
- Cyber criminals can infiltrate devices and listen to personal phone conversations to gather confidential data, such as your bank account details.
- Smartphones also contain powerful processors. If cyber criminals can penetrate your devices, they can use this computing power for mining cryptocurrency. As a result, your smartphone will run slowly and inefficiently.
Common security issues for smartphones
There are many ways cyber criminals can steal data from your smartphone, including phishing, social engineering, fake websites and keyloggers. We’ve outlined two ways below that are particularly common for attacks on mobile devices.
Third party apps
As mentioned, 1 in 36 smartphones have high-risk apps installed. This may seem surprising, but many apps on popular app stores do contain malware. For example, almost anybody can release an app on the Android store, meaning you have to be really careful what you download. It is more difficult to release apps on the Apple app store, but there have been cases of iOS apps containing malware too.
Cyber criminals recognize that people often install apps and then forget about them, or use them carelessly every now and then. Apps are particularly dangerous because we often give permissions to an app without giving it a second thought.
Once malware has been installed, it can monitor anything you do on your phone. Cyber criminals can, therefore, sift through your work emails, access files you’ve downloaded – such as sensitive attachments in business emails, and even capture login details to your online banking service.
Public WiFi
Free public WiFi can be extremely useful when you’re working on the go. But you need to be careful when connecting to unsecured WiFi. Cyber criminals can create fake access points designed to get others to use them. They can also infiltrate other public WiFi connections because they don’t require authentication. In doing so, they can gain access to any unsecured devices using the same network.
If they do manage to infiltrate your device, they could gain access to anything you’re doing using the unsecured WiFi, including your emails, texts, or credit card details. Cyber criminals will then record that information and use it in the future. They could even access your systems, apps or programs pretending to be you.
Furthermore, these unsecured networks can be used to infect your devices with malware, particularly if you’re accustomed to sharing files and downloading content over the internet. In fact, some cyber criminals are now making the hotspot itself a piece of malware. These kinds of cyber-attacks will usually manifest as a pop up, offer, or upgrade about some popular software on your device. But when you click the pop up, malware will be installed onto your smartphone!
So, how do I protect smartphones from security issues?
1. Passcodes, fingerprint authentication and facial recognition technology
Devices represent the key to accessing your confidential business data. So, lost or stolen devices can be extremely dangerous for business, even if those devices are personal employee devices. If they’ve been used for work purposes, they’re a potential threat.
If smartphones can be unlocked by simply swiping or pressing a button, cyber criminals will very easily gain access to your important data. In fact, if it’s that easy, anyone who finds your phone could sift through your personal information – even if they don’t initially have bad intentions, this still represents the potential for a serious data breach.
Therefore, you need to ensure all employees have passcodes, fingerprint authentication or facial recognition technology in place to act as a first line of defense for their smartphones.
2. Mobile device management policies to protect lost or stolen devices
Additional measures should be taken to protect devices in the event of loss or theft. With mobile device management policies, you can easily enforce additional security controls on all devices that hold corporate data.
For example, you can introduce an extra layer of passcode protection for all employees trying to access their company emails on mobile devices. This process is not only quick and easy to roll out, it’s also easy to demonstrate to authorities if required for compliance reasons.
3. Education is key – train your employees to be cyber aware
Your employees are your number one vulnerability when it comes to cyber security. If they’re not trained on how to spot and deal with potential cyber-attacks, they could easily put your business at risk.
For example, phishing attacks are particularly common. In these attacks, cyber criminals contact your employees via email or SMS, impersonating a legitimate member of staff. They do this by imitating email addresses, changing one or two letters or punctuation marks to make them seem genuine. These emails then ask employees to perform tasks such as transferring money to the attacker’s bank account, clicking a link, or downloading malware. They’ll usually impersonate a senior member of staff and place an urgency on the task to try and get employees to act quickly without thinking.
These types of attacks can be incredibly convincing and without proper training employees could easily mistake a malicious email address for a legitimate one, putting your business at risk of financial loss and reputational damage.
The simplest way to ensure your employees are using their work and personal smartphones safely is to implement cyber security awareness training. At Adaptive Information Systems, we offer our clients comprehensive cyber security awareness training that’s easy to roll out to their entire organization. The training consists of a series of concise training videos, covering everything from email phishing to staying secure on social media. Employees are required to complete the videos on a regular basis, meaning their security awareness is continually refreshed and they’re up to date with the latest threats.
4. Don’t just train employees, test them
Testing your employees’ security awareness will give you an accurate representation of how much they know, and where areas of additional training are required. With Adaptive’s cyber security awareness training, employees can also be sent simulated phishing emails on a regular basis. These emails will imitate real-life phishing attacks and will be sent directly to your employees’ inboxes. This will accurately test their ability to spot and disregard malicious or spam emails. If employees do click on simulated emails, they will then be notified and automatically enrolled onto additional specific security awareness training videos. This will refresh their knowledge and prevent them from making the same mistake again in the future.
5. Managed device encryption to make business data inaccessible if it ends up in the wrong hands
If employee smartphones are lost or stolen, cyber criminals could gain access to your confidential business data and sell it on the dark web, putting you in danger of losing clients and breaching compliance regulations.
But, if you implement managed device encryption, you can encrypt the company data on your devices immediately after they’re lost or stolen. This essentially turns any corporate data into nonsensical code, rendering it useless to a cyber criminal and keeping confidential information secure. If the smartphone is then found, your data can be decrypted, meaning you once again have full access.
6. Lock out policies to protect against brute force attacks
Cyber criminals now have the technology to efficiently carry out brute force attacks. This refers to the process of continuously running various likely passwords against your or your employees’ email addresses in an attempt to gain access to a system, application or platform. In doing so, they hope to eventually guess the password correctly and thus infiltrate your systems.
An easy way to prevent these types of attack is to enforce lock out policies across all devices, including employee smartphones. This means that, after a certain number of password attempts, a cyber criminal would be locked out of attempting to gain access to your devices, platforms and apps, preventing them from carrying out brute force attacks.
7. Ensure employees never “jailbreak” or “root” a mobile device
This refers to when people modify the operating systems of their smartphones to receive unrestricted access to the entire file system and custom modifications. For iPhones this is referred to as jailbreaking and for Androids it’s referred to as rooting. If an employee jailbreaks or roots their phone it allows for changes that aren’t supported by the phone in its default state, including its security features. This could leave the device vulnerable to malware and put your business data at risk.
8. Encourage employees to keep their smartphones up to date
Smartphones will often require employees to update operating systems and apps. These updates are vital as they provide fixes for known security vulnerabilities. You should, therefore, encourage employees to act on update alerts immediately rather than opt for “remind me later.” In fact, this holds true across all devices: out-of-date PCs, laptops, and tablets will also pose a risk to your business security.
9. Discourage employees from using public WiFi
Public WiFi networks often say they’re not secure, but many people just ignore this notice or don’t really know what it means. An unsecured network means that someone else on the network can potentially intercept data sent or received by your device.
As mentioned before, cyber criminals may even set up their own networks in public places, name them something relevant, like “Starbucks free wifi”, and then collect user information from all the people connecting to their network (email addresses, passwords, banking details etc.). It’s important that employees are aware of the dangers of connecting to unsecured public WiFi and can protect important business data.
If you’d like to learn more about maximizing the security of your devices, give us a call today!