These days, mobile devices, such as smart phones, are essential to any high-performing business, giving workers unparalleled flexibility, accessibility and convenience.
But despite the sensitive corporate information that is often located on these devices – including emails, documents stored in file-sharing services like Dropbox, and instant messages – mobile data security is often overlooked. This is particularly shocking when you consider that in Australia, more than 200,000 mobile phones are reported lost or stolen every year – that’s 4000 phones a week, or one phone every three minutes. You may not realise it, but the innocuous smartphone may well be putting your business’s data at risk.
Here are just some of the ways your employees’ mobile devices may be exposing your business to the possibility of a data breach.
Mobile device data security flaws
Here are some of the most common ways mobile device data security can be compromised.
Phishing scams are attempts by scammers to trick people into giving out personal information by pretending to be legitimate organisations, like, for example, your bank or online retailer.
Phishing remains one of the most common types of cybercrime because it works: 54% of Australian SMBs reported falling victim to a phishing scam in 2017, and according to the Australian Competition and Consumer Commission, over $800,000 was reported lost to phishing scams that year.
Surprisingly, the majority of these scams were delivered via phone (43.2%), followed by email (34%) and then text message (17.5%). In fact, only about 3% of scams were delivered in ways not accessible via a mobile phone.
This is what makes mobile devices so attractive to scammers. Evidence suggests that users are three times more likely to fall for a phishing attack on a mobile device than on a desktop: the smaller screen hides the cues that would give a fake away (the full sender address, the real destination of a link), and people using a phone on the go tend to notice fewer discrepancies and act less cautiously.
One of the most common ways malware reaches mobile devices is through infected applications. These are typically popular apps that have been repackaged with malicious code by malware operators, or brand-new apps, often marketed as ‘open source’ and ‘free’ and presented as music players or file explorers.
While these are usually distributed through third-party app stores, since official stores like Google Play and the Apple App Store apply more stringent review, the official stores are not immune either: malicious apps have been discovered on them on numerous occasions.
One such malware, discovered by McAfee and dubbed ‘Grabos’, was found on a number of applications. Grabos gathers and exfiltrates a device’s specs, location and configuration, and uses this information to create custom notifications to trick users into downloading and installing additional apps that stay open in the background, collecting more information.
Malware can also reach mobile devices via scams and malvertising, in which malicious content is inserted into legitimate online ad networks. These normal-looking ads appear on a wide range of pages and, when clicked, send the user to a page that tries to infect the device or trick them into installing a malicious app.
It turns out that even legitimate apps may be exposing your data through data leaks. Contrary to what you might think, apps are not required to be free of data leaks to be listed on official app stores, and developers are often unwilling to invest the time and resources needed to plug them, since a security fix rarely adds visible functionality to the app.
This means things like email addresses, usernames, passwords and even company IP and customer data are potentially at risk of a breach.
In 2016, researchers found more than 200 well-known apps and mobile websites exposing users’ sensitive information. And these vulnerabilities were found in surprising places: more than 59% of the leaks identified were in news and sports apps, business and industry apps, and shopping apps.
Employees often connect to public Wi-Fi while out and about, but many of these networks use no encryption at all, and on a shared hotspot every other user is on the same network as you.
This lets malicious actors intercept the connection through ‘man-in-the-middle’ (MitM) attacks, in which the attacker inserts themselves between the user’s device and the internet and ‘eavesdrops’ on sensitive information without the user realising. Traffic protected by properly validated TLS (https) resists this: the real exposure is apps and sites that still send data in the clear, and apps that accept any certificate, which an active attacker can exploit with a forged one.
This is one of the more serious threats, as attackers are able to read and capture credentials, emails, calendars, contacts and other highly sensitive data, all of which can be used to fuel a more damaging attack later on.
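As an added illustration that is not part of the original article, the following Python script contrasts what a passive eavesdropper on an open hotspot learns from an unencrypted request versus an encrypted one. The HTTP request is a constructed sample, not a real capture; the hostname, credentials and cookie values are made up; and the TLS ClientHello is built by a helper in the script rather than recorded from a device.

```python
import base64
import os

# Constructed sample (not real traffic): the kind of request a mail app would
# send over plain HTTP, carrying HTTP Basic credentials and a session cookie.
SAMPLE_HTTP_REQUEST = (
    b"GET /owa/inbox HTTP/1.1\r\n"
    + b"Host: mail.example.com\r\n"
    + b"Authorization: Basic " + base64.b64encode(b"alice:hunter2") + b"\r\n"
    + b"Cookie: sessionid=9f1c2d3e; lang=en\r\n"
    + b"\r\n"
)


def extract_plaintext_secrets(raw: bytes) -> dict:
    """What a passive listener gets from an unencrypted HTTP request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    found = {"request": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "host":
            found["host"] = value
        elif name == "authorization" and value.lower().startswith("basic "):
            # Basic auth is base64, not encryption: username:password is readable.
            decoded = base64.b64decode(value[6:]).decode("utf-8", "replace")
            found["username"], _, found["password"] = decoded.partition(":")
        elif name == "cookie":
            # A captured session cookie lets the attacker act as the user.
            found["cookies"] = {
                k.strip(): v.strip()
                for k, _, v in (c.partition("=") for c in value.split(";"))
                if k.strip()
            }
    return found


def extract_sni(record: bytes):
    """Return the SNI hostname from a TLS ClientHello record, or None if the
    bytes are not one. This is all a passive listener learns from TLS traffic."""
    try:
        if record[0] != 0x16:            # TLS content type: handshake
            return None
        hs = record[5:5 + int.from_bytes(record[3:5], "big")]
        if hs[0] != 0x01:                # handshake type: ClientHello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        pos = 2 + 32                     # skip client_version and random
        pos += 1 + body[pos]             # session_id
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")   # cipher_suites
        pos += 1 + body[pos]             # compression_methods
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:            # walk the extension list
            ext_type = int.from_bytes(body[pos:pos + 2], "big")
            ext_len = int.from_bytes(body[pos + 2:pos + 4], "big")
            ext = body[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0:            # extension 0 = server_name
                continue
            lpos = 2                     # skip server_name_list length
            while lpos + 3 <= len(ext):
                name_type = ext[lpos]
                name_len = int.from_bytes(ext[lpos + 1:lpos + 3], "big")
                if name_type == 0:       # name_type 0 = host_name
                    return ext[lpos + 3:lpos + 3 + name_len].decode("ascii", "replace")
                lpos += 3 + name_len
    except IndexError:
        pass                             # truncated or malformed record
    return None


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS 1.2-framed ClientHello carrying only an SNI extension
    (a stand-in for a captured one; a real client sends many more extensions)."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    sni_ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
    extensions = len(sni_ext).to_bytes(2, "big") + sni_ext
    body = (
        b"\x03\x03" + os.urandom(32)     # client_version, random
        + b"\x00"                        # empty session_id
        + b"\x00\x02" + b"\x13\x01"      # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                    # one compression method: null
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(handshake).to_bytes(2, "big") + handshake


if __name__ == "__main__":
    print("plain HTTP leaks:", extract_plaintext_secrets(SAMPLE_HTTP_REQUEST))
    print("TLS leaks only:", extract_sni(build_client_hello("mail.example.com")))
```

Two caveats worth keeping in mind. Even with TLS, the destination hostname in the SNI field is visible to anyone on the hotspot, which is one reason a VPN on untrusted networks is a sensible policy. And an active attacker who presents a forged certificate will only get past TLS if the app fails to validate it, so apps that disable certificate checks are as exposed as plain HTTP.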
Ways to enhance mobile device data security
In order to protect one of your company’s most precious assets – its data – it’s important to implement a stringent and detailed mobile device security policy to which all employees must adhere.
This may include things like:
- Enforcing operating system updates: These often include important security patches, so it’s crucial these updates are performed in a timely manner.
- Requiring employees to undergo cybersecurity training: Teaching employees about things like how to identify phishing attacks and how to access company data securely will go a long way towards ensuring your data remains safe.
- Restricting the applications employees are able to download: As you have seen, applications are not always safe. You may want to limit employees to applications your IT department has vetted and deemed acceptable.
- Implementing a public-wifi policy: This may include stipulations like only accessing the company network while connected to a VPN, or only accessing secure (https) sites when connected to a public hotspot.
- Having a contingency plan in the event of a breach: Nowadays, it is not a matter of if you will suffer from a data breach, but when. It’s important to be prepared for the inevitability with a cybersecurity incident response plan.
In the wake of the GDPR and the Notifiable Data Breaches scheme, it’s more vital than ever that organisations protect their data. Don’t let your mobile devices be your company’s weak link.