Key Takeaways:
Cybersecurity has become more important than ever, especially with the rise in cyberattacks. However, much focus is put on computers, laptops, servers, etc. Mobile phones and tablets seem to be overlooked when talking about cybersecurity.
Today smartphones are integrated into the modern workforce as driven by work at home and remote working. To enhance mobility, these devices are installed with business mobile applications that enable access to company systems. They enable users to conduct different activities on-the-go, such as banking, connecting to company networks, business transactions, and other social operations. However, this is raising concerns about the security of sensitive corporate data and other personal information stored on phones.
Despite these concerns, businesses continue to be lax on enforcing solid measures to protect company data and networks. Since the phones have less protection than computers, they have become an easy target for cybercriminals who are using different methods to gain access to phones.
Phishing is one common attack vector that uses fake emails and text messages to trick users into clicking links that download malware onto a user’s smartphone. For instance, cybercriminals may use SMS to mimic legitimate companies and send messages that contain harmful links.
Recently, cybersecurity researchers cited a WhatsApp phishing campaign that attempts to lead WhatsApp users to install an information-stealing malware. The senders impersonate the WhatsApp notification service and send an email to a user claiming they have received a private voicemail. A user who is unaware of this ploy and clicks on the play button in the email will download malware onto their phone.
Attackers also take advantage of data leakage through malicious mobile apps. Users can get these apps by downloading fake versions of real apps, which are infected with malicious code that steals personal data stored on a phone.
Data can be stolen through legitimate solutions, as researchers found at the end of October 2021, when they discovered a banking trojan horse known as SharkBot in six phone apps. These apps were designed as legitimate antivirus solutions. The malware could bypass multifactor authentication to steal credentials and banking information, and even transfer money. Although the six dangerous apps have since been deleted from the Google Play store, this goes to show that hackers do not tire of looking for ways to infiltrate mobile devices.
Mobile phones also are affected by web-based mobile security threats when users access affected sites that download malicious content onto a device. Other security threats to phones include using unsecured public WiFi, lost or stolen mobile devices, mobile spyware, rooting malware and jailbroken phones that become more prone to attacks.
Since phones are now primarily being used as business tools, business owners need to rethink their mobile strategies for both employer-provided devices and bring your own device (BYOD). Businesses that deploy mobile device management (MDM) tools will block potentially harmful apps, automatically update software, and remotely wipe off data on stolen or lost phones.
Users are the weakest link in security issues; hence, a need for regular security risk-training on social engineering by learning how to differentiate suspicious emails and SMS messages. Users also need to learn to avoid downloading applications from third parties and other untrusted sources and use only authorized app stores. Furthermore, user training should include the dangers of public Wi-Fi, the importance of turning off a phone’s Wi-Fi when not using it, and locking the device with a strong password or biometrics, such as fingerprint detection.
Users also should avoid granting broad app permissions, especially for free apps that may be sending sensitive data to remote servers, where it can be used not only by advertisers but also by cybercriminals.
Keeping device operating systems and other software updated will reduce attack possibilities since cybercriminals use old bugs to hack devices.
It is important to install anti-malware and anti-virus programs on mobile devices since they now face the same threats as computers and laptops.
Businesses can introduce a mobile device policy that employees sign before accessing company resources on their devices or when receiving employer-provided devices. Such a policy includes the dos and don’ts of using phones.
Regular security testing is crucial for enterprise applications as it helps expose vulnerabilities in apps and especially those developed by third-party agencies to ensure the security meets required compliance guidelines.
Mobile phones now have capabilities similar to computers and store a lot of personal and sensitive data. As more devices access business systems, it creates more endpoints that put the business at risk of a data breach. Therefore, businesses of all sizes should take mobile security seriously through strong defensive measures, which can be enhanced with enterprise mobile security solutions.
