Risky Business: Mobile Security Threats
We’ve spoken in the past about mobile device security, including our two-part series focusing on smartphones, and we imagine this will be a hot-button topic for years to come. Smartphones and tablets are only becoming more sophisticated, and with the emergence of wearables like Samsung and Apple watches and the continuous expansion of the Internet of Things (IoT), connections and communications between devices, and the data they generate, will only continue to multiply.
With this growth come new challenges for security, and new opportunities for scammers and hackers. When mobile phones were used for little more than making calls on the go, the significant threats could be counted on one hand, chief among them voice phishing (vishing). Now the dangers number in the thousands.
Phishing emails, smishing texts, unsecured WiFi connections, and Bluetooth vulnerabilities are likely to come immediately to mind as far as threats associated with modern mobile devices. But it’s important to recognize that nearly every “smart” feature poses a risk to your business. GPS tracking can reveal schedules and habits. Irresponsible social networking can give scammers insights into your employees’ personal and business pursuits. And virtually every app has multiple potential pain points disguised as permissions.
Take, for example, a study recently completed by Wombat co-founder Norman Sadeh and a team of researchers at Carnegie Mellon University, which showed that Android applications are requesting (and receiving) location data from users thousands of times per week, at all times of the day and night. As Sadeh stated, “The settings we have available on smartphones are very limited when it comes to giving us the ability to deny access to this information”.
Jason Hong, also a Wombat co-founder, has extensively studied the privacy implications associated with mobile apps and led a team of Carnegie Mellon researchers in developing PrivacyGrade.org, a site that allows users to review independent evaluations of app permissions and access requests. Hong told WIRED that free apps tend to be the most risky and that “many developers don’t even realize how sketchy their app’s behavior can be.”
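A practical way to do the kind of permission review described above is to read an Android app's manifest and compare the permissions it requests against what the app's stated purpose plausibly needs. The following is an added example written for this article; it is not code from Wombat, Carnegie Mellon or PrivacyGrade.org, and it is a simple version of that expectation check rather than PrivacyGrade's own method. The permission names are real Android identifiers; the sample manifest (a "flashlight" app asking for location and contacts) is constructed for illustration, and the grouping of permissions into categories is our own assumption.

```python
import xml.etree.ElementTree as ET

# Namespace used by the android:name attribute in every AndroidManifest.xml.
ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission names, grouped by the kind of data each exposes.
# The category labels are an assumption made for this example.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "messages",
    "android.permission.RECEIVE_SMS": "messages",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CALL_LOG": "call log",
}

# Constructed sample manifest for a hypothetical flashlight app (not a real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION" />
    <uses-permission android:name="android.permission.READ_CONTACTS" />
    <uses-permission android:name="android.permission.CAMERA" />
    <application android:label="Flashlight" />
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return every permission name declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return [el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)]


def audit_permissions(manifest_xml, expected_categories=()):
    """Flag sensitive permissions whose data category the app has no stated need for.

    expected_categories lists the categories the app's purpose justifies
    (a flashlight plausibly needs the camera, for the flash hardware, but not
    location or contacts). Returns {permission: category} for the mismatches.
    """
    flagged = {}
    for perm in requested_permissions(manifest_xml):
        category = SENSITIVE_PERMISSIONS.get(perm)
        if category and category not in expected_categories:
            flagged[perm] = category
    return flagged


if __name__ == "__main__":
    for perm, category in audit_permissions(SAMPLE_MANIFEST, ("camera",)).items():
        print(f"unexpected {category} access: {perm}")
```

Run against the sample, the audit flags the location and contacts permissions while accepting the camera permission, which is exactly the gap between what a user expects an app to do and what it actually asks for. The same function can be pointed at a manifest extracted from a real APK before the app is approved for company devices.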
Three Mobile Security Practices to Implement Today
Whether your organization supports a BYOD policy or you supply and manage your own stable of devices, it’s critical that your employees understand the best practices they can use to protect the business and personal data that is stored and shared through their smartphones and tablets.
Our Mobile Device Security interactive training module is designed to help users recognize the importance of physical and technical safeguards, and help them improve the security of their mobile communications and connections. Our Mobile App Security module, which will be introduced later this year, will teach users how to do their due diligence before downloading a mobile app.
To help you shore up mobile security in your organization in the short term, here are three simple, effective practices to ask of your employees today:
- Go above and beyond a basic password – As we shared on our blog, the four-digit passcode that is the default on many devices is simply not a high enough bar for the lock screen of a smartphone or tablet: it offers only 10,000 possible codes. At minimum, users should move to a six-digit code, and alphanumeric passwords and biometric options (think fingerprint scanners) offer even greater protection. Keep in mind that biometric unlock still falls back to the passcode, so the passcode remains the floor of the device's protection. And a word of caution: assuming your users understand the difference between a good password and a poor one is a mistake, as SplashData’s 2014 list of the most common passwords makes clear.
- Limit mobile interactions to trusted sources – Too many people are too lax with the connections they make via their mobile devices. Employees should be cautious about the emails and text messages they interact with, the WiFi networks they connect to, and the Bluetooth devices they pair with. And they should absolutely research every app prior to downloading it. Reviews and web searches can help reveal questionable permissions and dubious developers.
- Get serious about physical security – It can’t be overstated: portability, as it pertains to business devices, is both a convenience and a curse. According to a Consumer Reports study, 4.5 million smartphones were lost or stolen in 2013 in the U.S. alone. Consider for a moment the amount of data and the number of systems a mobile device gives access to. And then consider that some of these devices are no larger than the palm of your hand and are highly targeted by thieves. As a rule, devices should never be left unattended in public spaces, including office areas, not even for a few moments. If employees make a habit of physically securing their devices, it will reduce risks associated with loss and theft.
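To make the first practice above concrete, here is an added example (written for this article, not Wombat's code or the logic of its training modules) that checks a proposed device passcode against a policy of the kind described: six digits minimum for numeric codes, rejection of codes that are common or follow an obvious pattern, and an estimate of how long an exhaustive guess would take. The 80 ms per-attempt cost, the eight-character minimum for alphanumeric codes, and the short list of weak codes are all assumptions made for the example; the list is constructed here and is not SplashData's.

```python
import string

# Constructed sample of weak codes for illustration; this is not SplashData's list.
COMMON_PASSCODES = {"1234", "0000", "1111", "2580", "123456", "111111",
                    "password", "qwerty", "abc123"}


def alphabet_size(passcode):
    """Size of the character set an attacker must assume from the code's makeup."""
    size = 0
    if any(c.isdigit() for c in passcode):
        size += 10
    if any(c.islower() for c in passcode):
        size += 26
    if any(c.isupper() for c in passcode):
        size += 26
    if any(c in string.punctuation for c in passcode):
        size += len(string.punctuation)  # the 32 ASCII symbols
    return size


def keyspace(passcode):
    """Number of candidates an exhaustive attacker must try in the worst case."""
    return alphabet_size(passcode) ** len(passcode)


def is_pattern(passcode):
    """True for a single repeated character or a strictly ascending/descending digit run."""
    if len(set(passcode)) == 1:
        return True
    if passcode.isdigit() and len(passcode) > 1:
        steps = {int(b) - int(a) for a, b in zip(passcode, passcode[1:])}
        return steps in ({1}, {-1})
    return False


def evaluate_passcode(passcode, min_digits=6, min_alnum=8, attempt_seconds=0.08):
    """Apply the policy and estimate worst-case guessing time.

    attempt_seconds is an assumed per-guess cost enforced by the device (80 ms here);
    min_alnum is an assumed minimum length for alphanumeric codes. Both are example
    parameters, not figures from the article.
    """
    reasons = []
    if passcode in COMMON_PASSCODES:
        reasons.append("appears on a common-passcode list")
    if is_pattern(passcode):
        reasons.append("repeated or sequential pattern")
    if passcode.isdigit():
        if len(passcode) < min_digits:
            reasons.append(f"numeric code shorter than {min_digits} digits")
    elif len(passcode) < min_alnum:
        reasons.append(f"alphanumeric code shorter than {min_alnum} characters")
    space = keyspace(passcode)
    return {
        "accepted": not reasons,
        "reasons": reasons,
        "keyspace": space,
        "worst_case_hours": space * attempt_seconds / 3600,
    }


if __name__ == "__main__":
    for code in ("1234", "739205", "123456", "Tq7!mZ2p"):
        r = evaluate_passcode(code)
        print(code, "OK" if r["accepted"] else "REJECT", r["reasons"],
              f"{r['keyspace']:,} candidates, worst case {r['worst_case_hours']:.1f} h")
```

The numbers make the article's point directly: at 80 ms per guess, every four-digit code falls in under fifteen minutes, a random six-digit code takes roughly a day, and an eight-character mixed code moves the worst case into the millions of years. The pattern and common-list checks matter because an attacker tries "1234" and "123456" first, so a code that is long on paper but predictable in practice buys nothing.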
Did you read about the launch of our new Security Essentials interactive training module? It educates employees about a range of cyber security best practices, including safe use of mobile devices.
Attention RSA 2015 attendees: Schedule a demo with us to learn how you can decrease risk to your organization by employing the Wombat Continuous Training Methodology. Research from the Aberdeen Group shows that our approach can reduce risk and business impact by up to 50%.