Smartphones, tablets and the Internet of Things are great business enablers when it comes to being super responsive to the needs of your customers. Our working lives are more convenient; the technology has increased productivity at restaurant and boardroom tables alike. Business is faster and more efficient.
However, it is this ‘always on’ culture that poses one of the biggest threats to an organisation’s cybersecurity. The daily use of our mobile devices is so intrinsically normal that it lowers our defences, increasing the probability of a cyber-attack.
The cyber-criminals are all too aware of the central role these portable IT assets play, along with the fact that, on the whole, our mobile devices are just not as secure as laptops or desktops. They are commonly overlooked in favour of traditional endpoint security. The security measures you’d expect to find on your workstation, such as a firewall, antivirus or intrusion detection systems, are simply not in place.
Remote working, hybrid structures and bring your own device (BYOD) policies mean that more of us than ever are using personal devices to access the corporate network. Whilst this may be cost-effective, personal unguarded endpoints have the potential to bring very real and very serious threats into the corporate environment.
In 2020, nearly 97% of organisations faced mobile threats that used multiple attack vectors.
Check Point. 2021 Mobile Security Report.
What is mobile malware?
Put simply, mobile malware is malicious software specially designed to target mobile devices to gain access to your personal data. Attacks are not only increasing in number but in their level of sophistication, with the cyber-criminals profiting from almost any form of data.
In fact, any form of cyber-attack can now be implemented and performed via a mobile device. As well as gaining extensive access to the device itself, criminals can also gather valuable intelligence from additional sources on the device, including call history, SMS and GPS data. Remote Access Tool (RAT) attacks can even enable the device’s camera.
At least 40% of the world’s mobile devices are inherently vulnerable to cyber-attack.
Check Point. 2021 Mobile Security Report.
What are the most common types of mobile malware attack?
Responsible for over 51% of all mobile malware attacks, a Trojan hides itself in compromised software, often a mobile application. Apps are created or pirated by hackers who infect known apps, distributing them on third-party app stores. According to 2020 Check Point research, around 46% of organisations had at least one employee download a malicious mobile application.
People are 18 times more likely to click a suspicious link on a mobile device than they are on desktop*, so social engineering is widespread. Spoofing, phishing and smishing’s partner in crime is the practice of mirroring a trusted website. These fraudulent sites posing as trusted businesses, government bodies and healthcare institutions have become so advanced that even savvy IT professionals could fall victim. According to Check Point, at the end of 2020, the most impersonated brand was Microsoft, which appeared in 43% of global phishing attacks. After all, responsible employees could be drawn to an email from Microsoft, advising them to remain secure by updating their device.
Malvertising, as the name suggests, is malicious online advertising infected with malware and distributed by common and trusted digital ad networks. Sometimes a user may follow the link, but nothing appears to happen. They don’t realise that one click was all it took to install the malware.
How do you prevent a mobile malware attack?
We know that fingerprint security or a PIN lock is a good idea to prevent unauthorised physical access, but when it comes to cybersecurity, our mobile devices have a very different threat surface to more traditional endpoints. As such, best practice requires a mobile-specific approach.
Only use official app stores.
Third-party app stores host 99.9% of discovered mobile malware**. The good news is that the official app stores detect and remove rogue apps rapidly. According to Purple Sec, around 24,000 malicious mobile apps are blocked every day by the official Google Play and Apple App Store. By only ever using official app stores, you will vastly reduce the probability of unintentionally installing malware.
For Android users, it is also a good idea to ensure that the ‘Install from Unknown Sources’ setting is turned off. As easy as it is to click through permission pop-ups, always check and question app permissions before agreeing – does that app really need access to all of your contacts?
Update your OS when notified.
Known vulnerabilities are usually patched quickly with OS and software updates, but much like your PC, if you’re hitting snooze on your update notifications, you are leaving yourself and your organisation open. Similarly, make sure you have the most current version of whatever browser you use to limit potential browser-based attacks.
Never connect to public Wi-Fi.
Public Wi-Fi networks are open by their nature and therefore make it far easier for the criminals to conduct man-in-the-middle (MitM) attacks. Of course, restricting Wi-Fi access only to trusted networks isn’t practical. Use a VPN (Virtual Private Network) to provide a secure connection so you can share information securely when outside the corporate firewall’s protection.
Encrypt all data.
Portable devices are easily lost or stolen. You may think you are protected by the screen-lock but the criminals can bypass these passwords. Whenever there is any data on any mobile device, encrypting it will guarantee its security, even if it does fall into the wrong hands.
Treat older mobile devices as you would end of life IT assets.
All too often mobile devices are discarded in favour of the newest tech. They’re left in office or home kitchen drawers. Worse still, the user can even pass the handset on to family members to use instead. IT teams can easily lose visibility of these mini-computers, when they should be treated as any other piece of redundant IT equipment.
It is a very common ITAD myth that a factory reset completely wipes your device. This is not the case, and it can create significant data governance issues in the future. Your ITAD partner can also provide a data wiping service and free mobile device recycling, providing the same ITAD chain of custody you would receive for larger assets. The IT asset disposal accreditation certificate provides information such as phone make, model, IMEI code and serial number, helping ensure your legislative compliance with EU and UK GDPR. By using this specific mobile data erasure software, you can recycle or sell redundant IT assets safely, regaining their residual value. As large corporations can have thousands of mobile devices, many IT asset disposal companies offer lifecycle support services, such as mobile vulnerability scanning or the installation of mobile antivirus software.
As with all cybersecurity, education of your employees is a must. A robust mobile device policy and mobile-specific training will not just tell employees that they cannot install X or Y but explain why – employee understanding is particularly important when we all carry that mini-computer around in our pockets.
VPN use, mobile antivirus and encryption are all physical methods that help stop the threat at source. It is important to include all mobile devices in your IT asset disposal policy to ensure complete, secure data destruction and your organisation’s compliance with data protection laws.
Whether BYOD or corporate property, our mobile devices are a vital element of your corporate data security strategy. They require the same level of cybersecurity protection as traditional endpoints but with more specific methods to mitigate the risk of attack.
Through our range of data wiping services, environmentally friendly ITAD and operational support services, EOL IT Services help information security officers and cyber security experts protect company data.
Check Point, CrowdStrike, Security Metrics, wandera.com, Secure List, Purple Sec, Tessian, CISO Cyber Security Magazine