People, your employees, are now spending more time interacting with their mobile devices than they do with their significant others. Smartphones are a constant companion for many people. These devices have become an integral part of their lives, providing support in many areas. But are the phones we find so difficult to put down a threat to business security?
Smartphones have permeated the workplace and become intertwined with the working day. The average employee likely checks work emails on their phone, downloads attachments containing client data, and may also use a file sync/share solution on their phone to access work files remotely.
Unfortunately, this is a huge risk to the security of data – that of your customers, and your own company’s too.
Cyber Criminals are Targeting Mobile Devices
Many people assume that their smartphone is not at risk from viruses and malware. This belief is even more common when the device in question is an iPhone or iPad. The reality is that malware DOES exist to target your smartphone, and because far fewer people install antivirus software on their phones than on their computers, cyber criminals are specifically targeting these devices. 97% of mobile malware is Android-based, but iPhone users are not completely safe either.
Many apps on popular app stores contain malware. On some stores, such as the Android store, anybody can get an app onto the store – meaning you have to be really careful what you download. It is more difficult to get apps onto the Apple app store – but there have been cases of iOS apps containing malware too.
Once malware has been installed, it can monitor anything you do on your phone, allow somebody to sift through your work emails, access files you’ve downloaded – such as sensitive attachments in business emails, and even capture login details to your online banking service.
What if mobile devices are lost or stolen?
Of course, defending employee phones against cyber threats matters little if a stranger can simply swipe to unlock them when they’re lost or stolen. Employee devices should be protected by passcodes or fingerprint authentication. A lost or stolen phone can be a treasure trove of easily accessible information if it falls into the wrong hands, so enabling these basic security features is essential.
All of your employees should be using these security features on their phones if they use them for any work-related purpose, even if that’s just checking emails. You can also enforce this with a mobile device management policy.
File sync and share solutions designed for business use (the only ones you should use) will have remote wipe capabilities – so as soon as the device is missing, sensitive information can be wiped from it remotely, by an administrator.
Employee Education is Key
1. Teach employees about phishing scams.
Phishing is a huge problem at the moment. It involves emails which are disguised as legitimate communications, attempting to persuade the recipient to click on an attachment or link contained within the email. Doing so can download malware, or take you to a website that will download malware. Whilst these most commonly affect PCs, phishing attacks exist to target mobile devices too.
2. Enroll employees in security awareness training that TESTS THEM.
Training and education on security best practices is often forgotten by employees, or never put into practice. Enroll your employees in simulated phishing email tests so they actually get into the habit of assessing suspicious emails. Clicking on one will mean they have to do further training, so there’s a real reason not to get caught out!
3. Employees should be sure to protect all their devices with passwords.
Devices protected by passcodes or fingerprint authentication cannot have their data read by strangers. Even if the finder plugs the device into a computer, they will still have to bypass the lock on the device to access files.
4. All devices used for business should have a “wipe” function.
This provides another level of protection, as the finder of the device may eventually figure out the password or passcode. Now you can wipe it before they do.
5. All devices used for business should erase their data automatically after a set number of password attempts.
This will discourage “brute force” methods of unlocking the device.
6. All devices, especially those running Android, should be required to have anti-virus software.
Without anti-virus software, any malware can install itself. Anti-virus won’t be 100% effective at spotting the newest threats, but you’ll at least be protected against the vast majority.
7. Employees should never “jailbreak” or “root” a mobile device.
Manipulating the device’s factory-installed operating system breaks down many of its security features and can potentially leave many vulnerabilities that malware can exploit.
8. Employees should activate their update alerts immediately rather than opt for “remind me later.”
These updates are vital as they provide fixes for known security vulnerabilities. On all devices, updates should be installed as soon as they are available.
9. Employees should be made aware that Wi-Fi in public is not secure.
Public Wi-Fi networks often say they’re not secure, but many people just ignore this notice or don’t really know what it means. An unsecured network means that someone else on the network can potentially intercept data sent or received by your device.
Cyber criminals may even set up their own networks in public places, name them something relevant, like “starbucks free wifi”, and then collect user information from all the people connecting to their network (email addresses, passwords, banking details etc.).
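As an added example (not part of the original article), items 3 to 8 in the list above can be checked automatically against a device inventory, such as one exported from a mobile device management tool. The field names, the 10-attempt threshold and the sample devices are assumptions constructed for illustration:

```python
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 10  # assumed policy threshold; the article gives no number


@dataclass
class Device:  # hypothetical fields, as an MDM inventory export might carry them
    owner: str
    passcode_set: bool
    remote_wipe: bool
    wipe_after_attempts: int  # 0 means auto-erase is disabled
    antivirus: bool
    rooted_or_jailbroken: bool
    pending_os_updates: int


def audit(d: Device) -> list[tuple[int, str]]:
    """Return (list item number, finding) pairs for one device."""
    checks = [
        (3, not d.passcode_set, "no passcode or fingerprint lock"),
        (4, not d.remote_wipe, "remote wipe not available"),
        (5, not 0 < d.wipe_after_attempts <= MAX_FAILED_ATTEMPTS,
            "no auto-erase after repeated failed unlocks"),
        (6, not d.antivirus, "no anti-virus installed"),
        (7, d.rooted_or_jailbroken, "device is rooted or jailbroken"),
        (8, d.pending_os_updates > 0, "OS updates pending"),
    ]
    return [(item, msg) for item, failed, msg in checks if failed]


def non_compliant(devices):
    """Map owner -> failed item numbers, devices with most findings first."""
    results = {d.owner: [item for item, _ in audit(d)] for d in devices}
    failing = {owner: items for owner, items in results.items() if items}
    return dict(sorted(failing.items(), key=lambda kv: -len(kv[1])))


# Constructed sample inventory (not real data)
INVENTORY = [
    Device("alice", True, True, 10, True, False, 0),
    Device("bob", True, False, 0, False, True, 2),
    Device("carol", False, True, 10, True, False, 0),
]

if __name__ == "__main__":
    for owner, items in non_compliant(INVENTORY).items():
        print(f"{owner}: fails items {items}")
```
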