How Careless App Users Become Unintentional Insider Threats
The average mobile device user has grown accustomed to the near-instant gratification offered by app stores, and may not know (or care) about security best practices, such as vetting apps and updating their device’s OS. An article by IT firm Forsythe notes that these users can become unintentional insider threats by operating mobile devices that leak sensitive data for any cybercriminal to gather.
“Most people download applications from app stores and use mobile applications that can access enterprise assets without any idea of who developed the application, how good it is, or whether there is a threat vector through the application right back to the corporate network,” the Forsythe authors noted. And they caution that a related issue arises when employees use personal cloud services on mobile devices as a kind of shadow IT: “when used to convey enterprise data, these applications can lead to data leaks that the organization remains entirely unaware of.”
The Need for Vigilance and Cyber Hygiene
A variety of tools allow infosec teams to remotely manage mobile devices — including employees’ personal smartphones — and control device configuration, enterprise content generation, and more. But even with these technologies in place, organizations remain at the mercy of end users to some degree. Will they download vulnerable or malicious apps, installing malware on their devices? Will they sideload apps (that is, install them from outside the official app store) from risky third-party stores, possibly onto jailbroken devices?
The issue is somewhat analogous to phishing. While plenty of tools exist to prevent phishing attacks from reaching users’ inboxes, some will slip through. And when that happens, an organization’s best defense is to have vigilant end users who are well-versed in cybersecurity best practices. Similarly, when users are browsing mainstream app stores, those who have participated in security awareness and training will be much more likely to identify and avoid potentially vulnerable and malicious apps.
Combining Technical Tools with Security Awareness and Training
The DHS’s Study on Mobile Device Security details many technical strategies for defending against vulnerable and harmful mobile apps, but it places particular emphasis on end-user security awareness and training. “Similar to the situation with threats to PCs, user awareness and training is the first and often the best defense against many threats. Understanding the threat landscape and maintaining up-to-date software can be a significant deterrent,” the study states. “Additionally, users should avoid (and enterprises should prohibit on their devices) sideloading of apps and the use of unauthorized app stores.”
When it comes to BYOD and corporate device management, the best solution for organizations is the same as with other sources of end-user risk: a combination of technical tools and a commitment to cybersecurity education. In addition to applying mobile management tools, infosec teams should provide employee awareness and training that emphasizes mobile device security and mobile app security. The two approaches complement one another, offering protection against insider threats as well as external attackers.