Mobile or digital properties are considered essential assets these days by organizations. This is due to the increase in mobility as more and more businesses realize it helps improve productivity and operations. The digital age and the onset of the Covid-19 era, which promoted online properties are responsible for this.
However, increasing mobility means increasing the number of mobile devices and users accessing systems from remote locations. This has increased the number of security threats faced by IT teams as an array of endpoints simply means more chances for cyber attacks.
The inability to keep endpoints safe leads to data breaches, identity theft, and loss. Mobile malware is the most common threat to mobile security. Verizon’s Mobile Security Index 2020 report has made it obvious that new threats are also emerging, which calls for added security and protection.
Today, we shall look at the most common mobile device cyber threats. So, keep reading to learn more!
What Are The Different Types Of Mobile Security Threats?
Most people think that mobile security threats are one single entity. However, in reality, there are 4 different kinds of mobile security threats that businesses must be protected from:
Physical Mobile Security Threats
Mobile device physical threats indicate lost or stolen mobile devices. Direct physical access to mobile hardware means hackers can easily access private data, posing a huge risk to enterprise networks.
Web-Based Mobile Security Threats
Web-based mobile device threats are not as noticeable. These occur when a mobile user visits an infected website that seems fine at the front end but is backed up by hackers. Malicious content or malware is automatically downloaded onto the mobile device, slowly wreaking havoc.
Mobile Application Security Threats
Downloading unauthorized/malicious apps or those that look legitimate and are not leads to this type of mobile security threat. Spyware and malware get into a mobile system to steal login credentials, passwords, and business information in the background.
Mobile Network Security Threats
Network-based mobile security threats are the riskiest and also the most common. Cybercriminals use public WiFi networks to steal data that has not been encrypted.
What Are Common Examples Of Mobile Device Security Threats?
Let us now look at common mobile device security threat examples and the steps a business must take to protect itself:
Data Breach Due To Malicious Applications
The CEO/CTO of Marble Security, Dave Jevans, claims that enterprises face greater threats from mobile app downloads than mobile malware. 85% of mobile apps are insecure, making it easy for hackers to steal data, access digital wallets, and tamper with backend details and other information.
When employees visit the App Store or Google Play Store to download apps that play innocent on the outside, they often allow the app a lot of permissions. These include file/folder access, camera access, gallery access, etc. Many individuals allow permissions of all kinds to these malicious apps without thinking twice.
This carefree attitude and lack of security often make endpoints vulnerable and a major cause of data breaches. Some apps may even function fully like they promise to but are also mining sensitive data from corporate networks in the background. This information is shared with competitors, sold to 3rd parties, or exposed to cause damage to a business.
Protection Against Data Leakage
Data leakages or breaches can be prevented by protecting a business against insecure apps and malicious software. MAM (Mobile Application Management) tools enable IT administrators to keep a check on corporate apps. They can easily erase or control app access permissions on an employee’s mobile device without causing disruption. The employees can keep using personal data or apps normally.
Social Engineering
Malicious actors send spear phishing emails or fake texts known as smishing attacks to employees. These social tactics fool recipients into providing sensitive or confidential data. Once hackers have a hold on passwords and other details, they download malware onto the user’s mobile device.
A 37% rise in mobile phishing attacks on enterprises has been reported by Verizon and Lookout. They also reported that phishing attacks were the major cause of data breaches worldwide in 2020.
Protection Against Social Engineering
Training employees is the best way to prevent social engineering and phishing attacks. The ability to identify suspicious messages and emails prevents employees from falling prey. It is also good to allow only certain employees to access sensitive data, systems, and confidential information.
This reduces the chance of attacks as there are fewer endpoints hackers can access to gain entry into a corporate network.
Insecure Public WiFi Networks
Public WiFi networks are not as safe as private networks. This is because there is no surefire way to know who sets up the network, whether and how it is encrypted, who has access, and who monitors all connections/activity.
Employees who work remote jobs tend to use public WiFi on their mobile devices. If they use this to access network servers or organization apps, the whole corporate network is at stake.
Cybercriminals often create public WiFi networks that look authentic but are designed to extract confidential information. Such networks often have common names, so people hoping to connect nearby do not hesitate.
Protection Against Insecure Public WiFi Networks
The easiest way to prevent a data breach due to this type of threat is by asking employees to use a Virtual Private Network (VPN) whenever they access the company network, app, system, or files. A Virtual Private Network not only encrypts data and hides information, but it also hides the user’s IP address.
End-to-End Encryption Gaps
An encryption gap is a hole through which cyber criminals gain access to a mobile device. A single gap can be a serious threat even if the full channel is encrypted and secure.
Public WiFi networks that are not encrypted are the most basic and common example of an encryption gap. The use of unsecured WiFi networks poses the greatest risk to organizations. Cybercriminals make use of gaps to access employee data and any information being shared amongst various mobile devices.
WiFi networks, however, are not the only cause of the threat. Any service or app that is unencrypted also provides cyber criminals with a great opportunity to steal sensitive data. Unencrypted mobile apps being used by employees on their mobile devices is another superb opportunity for malicious actors.
Protection Against End-to-End Encryption Gaps
End-to-end encryption is the only way to cover gaps and ward off hackers. All service providers a business works with must prevent unauthorized access by encrypting their services. Apart from this, a company must also ensure that employee mobile devices, systems, and apps are encrypted.
Spyware
Spyware is often downloaded accidentally by mobile device users when they click on a malvertisement or malware advertisement. Some scams may fool the user into downloading the spyware as well. Android device and iOS users are equally at risk as spyware mines data, including private information or system information.
Protection Against Spyware
Mobile security apps like Google Play Protect aid employees in eradicating and detecting installed spyware. Employees must also be asked to regularly update their apps and system so that any gaps are covered and mobile devices are sufficiently protected against the latest spyware threats.
IoT Devices
Various types of devices are being used to access business networks. IoT or Internet of Things devices include tablets, mobile phones, wearable gadgets like smartwatches, and physical devices like Alexa/Google Home.
The latest IoT mobile devices have separate IP addresses, which means bad actors can use them to gain unauthorized access to the company network and other connected devices. There are a ton of IoT devices being used. Statistics show that 78% of IT giants from 4 separate countries have nearly 1000 IoT shadow devices accessing their networks daily.
Protection Against IoT Device Threats
MDM (Mobile Device Management) and IAM (Identity and Access Management) tools are useful in warding off IoT threats. M2M (IoT/Machine-to-Machine) security is still being tested. It is up to an organization to pick and implement a tool and relevant policies that best suit their interests and help keep their network secure.
Lost or Stolen Mobile Devices
This type of threat is not new or surprising. As more and more individuals work remotely from cafes, coffee shops, etc., the threat is increased. This is doubled due to employees using an array of devices to access company systems.
Protection Against Lost or Stolen Device Threats
The first step is to create employee awareness and inform them of the steps they must follow if they lose their mobile phone or other devices. Employees must be asked to enable remote access on their phones to delete information if a device is lost or stolen. Activation of this service provides an added security layer.
MDM (Mobile Device Management) tools may also help encrypt, wipe and secure sensitive company data. It is important to note that these tools and mobile security solution should already be installed and activated on the device before it is lost or stolen.
Poor Passwords
99% of individuals reuse their passwords between work and personal accounts or between different work accounts, according to a survey conducted by Blabix in 2020. The worst part is that the passwords that employees reuse have poor strength too.
A survey done by Google in 2019 deduced that around 59% of people used their birthday or name as their password, while 24% stated they used one of the following:
-
-
- password
- 123456
- 12345678
- qwerty
- 12345
- 123456789
- baseball
- 1234567
All of these are bad passwords that are very easy to guess. A similar password for multiple accounts also means that if someone cracks your password, they gain access to all the user’s accounts. Poor passwords simplify a bad actor’s job.
They also open up opportunities for credential-based cyber attacks, password spraying, and credential stuffing.
Protection Against Poor Password Threats
NIST Password Guidelines are deemed to be a standard for password best practices. Therefore, it is a must to ask your employees to follow these as well. Password managers can be used to simplify the process.
It is also a good idea to use MFA (Multi-Factor Authentication) to reduce the chances of bad actors gaining entry into corporate systems. Passwordless authentication, such as the face, finger, and eye scans, helps eradicate the risks that come with the use of passwords altogether.
Outdated Operating Systems
Mobile security also includes patching vulnerabilities that bad actors often use to enter a company network. Fortunately, companies like Google and Apple address vulnerabilities that can be used to gain unauthorized access to each operating system update.
Apple, in 2016, for example, knew that it had 3 zero-day vulnerabilities, which were easy for spyware to get through, so they released a patch to keep users secure.
Patches only protect mobile devices that are updated. Verizon’s Mobile Security Index Report showed that nearly 79% of mobile devices and operating system updates are left in the hands of employees.
Protection Against Outdated Operating Systems
Google and Apple push updates to make users update their iOS and Android mobile devices. 3rd party software like MDM tools offers to push notifications as well.
Final Thoughts
IAM, or Identity and Access Management tools, can help organizations keep the data and apps secure for mobile users. They do this by restricting users and mobile devices to certain network parts and company data access. Other functions include MFA, brute force attack protection, etc.
Employee awareness and the use of suitable security software, including best practices, is the best way to ensure mobile device security.
