Mobile malware – malicious software designed to gain access to private data on mobile devices – is a growing threat to corporate cyber security. As businesses embrace remote work and more employees use their personal devices for work-related tasks, cybercriminals are finding more opportunities to exploit these vulnerable and often insecure devices to access company servers and sensitive information. The consequences of these cyber attacks can be devastating for organizations. According to Verizon’s Mobile Security Index, 33% of security professionals have reported a security compromise involving a mobile device. Additionally, 47% said remediation was “difficult and expensive”; and 64% said they suffered from downtime. Cybercriminals can distribute mobile malware in a variety of ways, including through malicious apps, network-level attacks, and even by exploiting vulnerabilities in the device and its operating system. This article provides more information about mobile device security threats and steps businesses can take to prevent related losses.
Security threats to mobile devices
As cybersecurity threats become more common and serious, organizations must take the time to understand the potential risks of allowing employees to use their personal mobile devices for work-related activities. The following are common security threats for mobile devices:
- Phishing and smishing— Phishing and smishing scams are the biggest security threat to mobile devices, according to IBM. While phishing uses email and smishing uses text, both strategies involve sending messages containing malicious links to infect devices with malware or trick victims into sharing account details or company information. Social engineering is often used in phishing and smishing scams by weaponizing key characteristics of a victim, such as where they work, their job status, and their recent posts, to gain their trust and extract important information from them.
- Malicious apps—Official app stores like the Apple App Store and Google Play have many checks and balances in place to prevent malware, but malicious apps can still get through these processes. Once a malicious app is installed, hackers can steal or lock data stored on the mobile device or spread more malware.
- Insecure Wi-Fi and network poofing—When an employee uses a compromised or public Wi-Fi network, their device becomes immediately vulnerable to cyber attacks. Cybercriminals can perform man-in-the-middle attacks—when communications between two systems are intercepted by a third party—while remaining undetected by the user through insecure Wi-Fi and network poofing. Unsecured Wi-Fi, such as open or free Wi-Fi hotspots, can allow cybercriminals to intercept your device’s network traffic. Network spoofing involves a hacker pretending to be a network name to trick users into logging in, so they can access user data.
- Outdated operating systems (OS) and apps– Older operating systems and apps may contain vulnerabilities that can be exploited by cybercriminals. Although software patches and updates are often released by developers to fix security flaws, any delay or avoidance of updating an OS or an app can put data stored on the mobile device at risk.
Prevention of threats to mobile devices
The consequences of a mobile device security breach can be devastating to an organization, potentially leading to loss of profits, data, reputation and compliance. To minimize security threats to mobile devices, organizations can take the following precautions:
- Train employees. Employees are the first line of defense in protecting mobile devices against malware. Therefore, cybersecurity awareness training can help employees fight fraud by teaching them to spot the signs of phishing, smishing, and malicious apps, avoid public and unsecured Wi-Fi networks, and keep their devices’ software up-to-date.
- Install a virtual private network (VPN). A VPN connection hides online data traffic and protects it from external access. Unencrypted data can be viewed by anyone with network access, but a VPN prevents cybercriminals from deciphering the data.
- Enable multi-factor authentication (MFA). MFA can prevent account compromises by requiring users to provide multiple security credentials to access a device or account. Examples of MFA are entering a code sent to a user’s email, answering a security question, or scanning a fingerprint.
- Install zero-trust-enabled applications. A zero-trust security model evaluates access requests based on predefined checks. Legitimate access requests are allowed and unauthorized requests are blocked and logged. With this strategy, installing zero-trust-enabled applications can reduce cybersecurity risks by limiting access to applications that are not allowed.
- Enable user authentication. User authentication on mobile devices verifies a user’s identity through one or more authentication methods, such as passwords or VPNs, to ensure secure access.
- Develop Bring Your Own Device (BYOD) policies.. A company should develop and implement BYOD policies when allowing or requiring employees to use their personal devices for work-related activities. BYOD policies should address which devices and apps are allowed and outline security requirements.
- Create device update policies. Cybercriminals can infiltrate mobile devices through unpatched software. Therefore, the company’s device update policy should require employees to update their devices and apps as soon as a patch becomes available.
- Back up mobile data regularly. Regular data backups can help businesses recover in the event a mobile device is lost, stolen or otherwise compromised. Backups can protect against human error, hardware failure, virus attacks, power outages, and natural disasters.
- Implement a password policy. A strong corporate password policy can ensure that systems and data are as secure as possible. Some best practices include encouraging employees to use unique, complex or long passwords; enables MFA; and use password management systems.
We can help
As mobile devices and their applications are increasingly used for work-related activities, companies must be vigilant in their cybersecurity efforts to mitigate risk. If you would like additional information and resources, we are here to help you analyze your needs and make the right coverage decisions to protect your business from unnecessary risk. You can download a free copy of our eBook, or if you’re ready to make Cyber Liability Insurance part of your insurance portfolio, request a quote or download and get started with our Cyber & Data Breach Insurance Application and we will work for you.