When working on a computer, most of us are aware of the security risks, so we stay away from suspicious emails, watch our steps when we visit websites, and otherwise exercise cautious behavior. But are we all vigilant enough when it comes to our mobile devices?
There is a lot of evidence to show that many people aren’t. Call it an “awareness gap” regarding the fact that mobile devices are just as susceptible to attack – in some cases more so. This gap is more pronounced among consumers than business users, but it’s a huge concern wherever it exists.
Security tends to be top-of-mind for mobile device users in the largest companies, and in confidentiality-sensitive and regulated industries such as financial services or medicine. Now we just need to get the tens of millions of other mobile-centric employees filled with that same sensitivity.
Be careful out there
The security message needs to come from the top, not only pushed out by IT but through the entire work culture. People need to know that as their mobile devices displace laptops and desktops as their primary work tools, the same risks follow them everywhere they go, along with some additional threats.
The most dangerous threat is always the one you’re not paying attention to, and with mobile devices, that threat is the unprotected nature of communications when connecting to a public hotspot.
As convenient as it is for users to connect somewhere that offers no password protection or other security, it’s even more convenient for hackers. The connection that you think is safe – it’s a reputable coffee shop, after all – could actually be to a rogue access point that a hacker set up, in which case everything that you’re doing is exposed to prying eyes that want to find whatever scraps of useful information they can, or find a way to get deep into your company by starting with your device.
Don’t be fooled into thinking that you’ll be safe if, while you’re at that coffee shop, you only browse a few informational websites or check emails, and avoid entering usernames and passwords or any personal information. Savvy hackers and snoopers can find ways to use even such “innocent” internet use to their benefit, such as diverting you to a website that suckers you into a well-concealed malware download.
Always more risks
Another security risk that mobile users create for themselves is ignoring operating system patches, which among other things are intended to fix just the kinds of security holes that hackers can exploit. Because it seems like the device is asking the user to do this every few days, often at inconvenient times, users postpone or ignore the downloads. That just makes them more susceptible.
Hackers, who live in a 24×7 world, are now blending a variety of techniques to gain a foothold in a given device and move on from there. And that’s the key. It isn’t just a virus or malware anymore; it can be a full-scale attack on a company that starts with getting scraps of data and access to the device from one or more users.
It may be random, with a single hacker just looking for something to steal and sell, or it could be a socially engineered attack by an organized ring or even a nation-state group that targets a company or a government organization. Both of these can do harm to the company; the only difference is how serious the scale is.
Seeking a solution
Once users and companies recognize the disease, how do they cure it, or more importantly prevent it? It’s a constant battle, but the Good Guys do have their weapons. Just to name a few:
- A mobile threat defense agent on the mobile device that detects risks such as viruses with known signatures, new zero-day viruses with new signatures and not-yet-known antidotes, man-in-the-middle attacks, or other anomalous behavior.
- VPNs, virtual private networks, which may just be the best weapon when it comes to accessing data in public. They’re an easy and inexpensive solution.
- Enterprise application control, in which employees are able to download only certain applications, typically from a company-approved store or list, to ensure greater safety.
- Varied tools that not only detect threats and intrusions but also provide a degree of remediation.
There are good solutions out there, but remember that your company’s security all starts with a strong and well-thought-out security and enterprise mobility management policy. Every company and every business needs one.
If your company has such a policy, be sure that it extends to every mobile device. The tools and the types of protection may be different, but the principle is the same: How might our company and our people be exposed? How are we vulnerable?
Because the truth is you are exposed and vulnerable, every hour of every day.