Employees aren’t just bringing their mobile devices to the workplace—they’re living on them. For many, checking their phones is the first and last thing they do every day. A 2016 global mobile consumer study by Deloitte found that 74 percent of respondents check their smartphones within 15 minutes of going to sleep; 61 percent proceed to check it again within 5 minutes of getting up. Nearly all respondents—88 percent—reported looking at them within 30 minutes of waking.
As smartphones and tablets become constant companions, hackers are seeking every avenue available to break into them. Many people expect that iPhone or Android devices are secure by default, when in reality it is up to the user to make security configuration changes. With the right (inexpensive) equipment, hackers can gain access to a nearby mobile device in less than 30 seconds and either mirror the device and see everything on it, or install malware that will enable them to siphon data from it at their leisure.
The nature and types of cyber attacks are evolving rapidly, and mobile devices have become a critical part of enterprise cybersecurity efforts with good reason. Research firm Gartner predicts that by 2021, 27 percent of corporate data traffic will bypass perimeter security, and flow directly from mobile and portable devices to the cloud.
Chief information security officers (CISOs) and other security executives are finding that the proliferation of mobile devices and cloud services present a significant barrier to effective breach response. In order to secure the corporate data passing through or residing on mobile devices, it is imperative to fully understand the issues they present.
5 Security Risks and a Surprising Challenge
The threat and attack vectors for mobile devices are largely composed of retargeted versions of attacks aimed at other endpoint devices. These risks can be categorized into five areas.
1. Physical access
Mobile devices are small, easily portable and extremely lightweight. While their diminutive size makes them ideal travel companions, it also makes them easy to steal or leave behind in airports, airplanes or taxicabs. As with more traditional devices, physical access to a mobile device equals “game over.” The cleverest intrusion-detection system and best anti-virus software are useless against a malicious person with physical access. Circumventing a password or lock is a trivial task for a seasoned attacker, and even encrypted data can be accessed. This may include not only corporate data found in the device, but also passwords residing in places like the iPhone Keychain, which could grant access to corporate services such as email and virtual private network (VPN). To make matters worse, full removal of data is not possible using a device’s built-in factory reset or by re-flashing the operating system. Forensic data retrieval software — which is available to the general public — allows data to be recovered from phones and other mobile devices even after it has been manually deleted or undergone a reset.
2. Malicious Code
Mobile malware threats are typically socially engineered and focus on tricking the user into accepting what the hacker is selling. The most prolific include spam, weaponized links on social networking sites and rogue applications. While mobile users are not yet subject to the same drive-by downloads that PC users face, mobile ads are increasingly being used as part of many attacks — a concept known as “malvertising.” Android devices are the biggest targets, as they are widely used and easy to develop software for. Mobile malware Trojans designed to steal data can operate over either the mobile phone network or any connected Wi-Fi network. They are often sent via SMS (text message); once the user clicks on a link in the message, the Trojan is delivered by way of an application, where it is then free to spread to other devices. When these applications transmit their information over mobile phone networks, they present a large information gap that is difficult to overcome in a corporate environment.
3. Device Attacks
Attacks targeted at the device itself are similar to the PC attacks of the past. Browser-based attacks, buffer overflow exploitations and other attacks are possible. The short message service (SMS) and multimedia message service (MMS) offered on mobile devices afford additional avenues to hackers. Device attacks are typically designed to either gain control of the device and access data, or to attempt a distributed denial of service (DDoS).
4. Communication Interception
Wi-Fi-enabled smartphones are susceptible to the same attacks that affect other Wi-Fi-capable devices. The technology to hack into wireless networks is readily available, and much of it is accessible online, making Wi-Fi hacking and man-in-the-middle (MITM) attacks easy to perform. Cellular data transmission can also be intercepted and decrypted. Hackers can exploit weaknesses in these Wi-Fi and cellular data protocols to eavesdrop on data transmission, or to hijack users’ sessions for online services, including web-based email. For companies with workers who use free Wi-Fi hot spot services, the stakes are high. While losing a personal social networking login may be inconvenient, people logging on to enterprise systems may be giving hackers access to an entire corporate database.
5. Insider Threats
Mobile devices can also facilitate threats from employees and other insiders. Humans are the weakest link in any security strategy, and many employees have neither the knowledge, nor the time to track whether or not their devices have updated security software installed. The downloading of applications can also lead to unintentional threats. Most people download applications from app stores and use mobile applications that can access enterprise assets without any idea of who developed the application, how good it is, or whether there is a threat vector through the application right back to the corporate network. The misuse of personal cloud services through mobile applications is another issue; when used to convey enterprise data, these applications can lead to data leaks that the organization remains entirely unaware of. Not all insider threats are inadvertent; malicious insiders can use a smartphone to misuse or misappropriate data by downloading large amounts of corporate information to the device’s secure digital (SD) flash memory card, or by using the device to transmit data via email services to external accounts, circumventing even robust monitoring technologies such as data loss prevention (DLP).
Mobile security threats will continue to advance as corporate data is accessed by a seemingly endless pool of devices, and hackers try to cash in on the trend. Making sure users fully understand the implications of faulty mobile security practices and getting them to adhere to best practices can be difficult. Many device users remain unaware of threats, and the devices themselves tend to lack basic tools that are readily available for other platforms, such as anti-virus, anti-spam, and endpoint firewalls.
The Productivity Challenge: Blessing, or Curse?
Increasing worker productivity is the leading factor driving bring your own device (BYOD) program deployment.
It may therefore seem surprising that a 2016 CareerBuilder study found that they are dramatically sapping productivity at work. According to the survey, 1 in 5 employers (19 percent) think workers are productive less than five hours a day. When looking for a culprit, more than half (55 percent) say that workers’ mobile phones/texting are to blame.
Mobile devices enable workers to accomplish tasks wherever and whenever they choose, but they can be distracting. Flitting between numerous screens and apps and continuously checking email and Twitter feeds is enough to disrupt even the most focused employee.
“It is an epidemic,” Lacy Roberson, Human Resources Business Partner at eBay has said. At most companies, it’s a struggle “to get work done on a daily basis, with all these things coming at you.” In order to avoid the inevitable —people checking in on their devices and checking out of conversations — organizations like eBay have implemented a no-device policy for certain meetings. Even the White House has faced an inappropriate phone use problem. In an article entitled “How To Get People Off Their Phones In Meetings Without Being A Jerk”, Forbes detailed former President Obama’s phone-drop protocol: before meeting with him, cabinet members attached sticky notes with their names to their cell phones and left them in a basket before entering the room.
While office distractions are nothing new, the lure of 24/7 social-networking streams and email alerts that accompany mobile devices is intensifying the problem.
Meeting the Mobility Challenge
Mobile device threats are increasing and can result in data loss, security breaches and regulatory compliance violations. You can take a number of steps to reduce the risks they pose and address related productivity issues and legal, privacy, and security requirements. These steps are similar to those involved with other security issues—such as robust program and policy creation, communication, risk assessment, technology implementation, and continuous monitoring and evaluation—but are tailored to the unique challenges associated with mobile devices. With well-supported mobility and security awareness programs in place, your organization can keep users happy and your network secure, so you can compete effectively in today’s mobile-first environment.