It’s an open secret that mobile devices are your weakest security link. We pretend not to know how vulnerable they are to attack, nor how exposed they leave your business. A 2019 study found that most companies allow mobile devices to access between 1/3 and 3/4 of their most business-critical information. However, mobile devices come with a host of issues made worse by the mass migration to remote work.
The remote migration made the mobile threat worse
The BYOD trend, where people use their personal devices for work activities, was already on the rise. With the coronavirus driving anyone who can to work remotely, mobile device access to business data is now the norm and not the exception.
Cybercriminals know that mobile devices are less secure, so it’s no surprise that last year Verizon found that 4 in 10 companies were breached through a mobile device. I presume this will be even higher in 2020.
With employee home internet becoming the primary access point for business activities, the risk is amplified further. Most workers are away from the safety of the office firewall, sharing their internet connection with insecure personal and home devices and those of family and friends.
How are you securing employee devices? Both work and personal?
Mobile is a different gateway
Mobile is a different gateway for several reasons, some of which are human habit. We are more vulnerable to phishing and social engineering on smartphones. It’s just harder to recognize some of the telltale signs on a smaller device, plus we’re more likely to be using that device (not a laptop) when we’re tired or multitasking.
And if you’re relying on the phishing filters and spam filters in email alone, there’s a huge security gap. As of last year, the Verizon study found the majority of phishing on mobile phones arrives not through email but rather through text messages, social media, and apps.
If you’re thinking “I’m safe, I have an iPhone” you might not know that in 2019, researchers found more iOS apps than Android apps with security weaknesses.
Why Mobile Device Management (MDM) is not enough
When 3 in 4 users blend personal and work tasks on a single device, we have to ask ourselves: why aren’t these devices protected to the same degree as our laptops? The reality is that everything we do on a laptop can now also be accessed from our smartphone. Not only are your employees accessing all of their work tools, services, and systems from their mobile devices, but they use those same phones to check personal email, browse the news and social media feeds, order on Amazon, and play games.
We don’t want to admit it but it happens even if it’s against company policy: studies show that 85% play games on the same device used for work. All of this is human nature, but it means more threat vectors and potential for infection. Regardless of whether the phone is employee-owned or company-issued, the extent of the technical protections is generally MDM and nothing more.
Why is this an issue? Mobile Device Management allows the administrator to control what apps can be downloaded, what corporate services can be accessed from the phone, and enables remote wiping in the event the device is lost or stolen. But MDM does not monitor for, detect, or prevent threats like malware, trojans, data exfiltration, phishing or malicious sites.
Without watching the traffic flowing to and from the device, malware will simply go undetected. Mobile malware is one of the fastest-growing categories of threats in cybersecurity, and that includes iPhones. So, I’ll ask again: why aren’t we protecting these devices to the same degree as our laptops?
The solution exists: Network-layer threat detection
Mobile doesn’t have to be your security nightmare. We already know that the best way to detect mobile threats—as well as the broadest range of threats—is through real-time monitoring of the device’s network traffic, watching both inbound and outbound traffic for anomalies and indicators of compromise. Most companies already do this for laptops. And it’s needed for phones too.
Mobile phones are the remote controls for our work and personal lives, and today they’re the juiciest target for cybercriminals. With intrusion detection and prevention (IDS/IPS) and anomaly detection, even the Bezos phone hack could have been detected. When his device saw a 29,000% increase in data leaving the phone, that is an anomaly most systems would have detected…but that protection was not there. Regardless of whether the threat comes through email, SMS, or app, device-level network-traffic monitoring sees the abnormal traffic and flags it for remediation.
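The outbound-volume check described above can be sketched as a per-device baseline with a robust (median/MAD) score. This is an added example, not code from the article or from any product it mentions; the function names, thresholds, and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from statistics import median

# Assumed tuning values for this example; set them from your own traffic.
MIN_HISTORY_DAYS = 7     # days of baseline required before scoring
WINDOW_DAYS = 14         # rolling baseline length
Z_THRESHOLD = 6.0        # robust z-score that counts as anomalous
MAD_FLOOR = 1_000_000    # bytes; keeps a flat baseline from dividing by zero

def score_egress(history, today):
    """Score one device-day of outbound bytes against the device's own baseline."""
    if len(history) < MIN_HISTORY_DAYS:
        return ("insufficient_baseline", None)
    base = median(history)
    mad = median([abs(x - base) for x in history])
    z = (today - base) / max(1.4826 * mad, MAD_FLOOR)
    pct = (today - base) / base * 100 if base else float("inf")
    return ("anomalous" if z >= Z_THRESHOLD else "normal", pct)

def scan(records):
    """records: (device, day, bytes_out) in day order. Returns alert tuples."""
    baselines = defaultdict(lambda: deque(maxlen=WINDOW_DAYS))
    alerts = []
    for device, day, sent in records:
        verdict, pct = score_egress(list(baselines[device]), sent)
        if verdict == "anomalous":
            alerts.append((device, day, pct))
            continue  # keep the spike out of the baseline it is judged against
        baselines[device].append(sent)
    return alerts

MB = 1_000_000
# Constructed sample: phone-A has ten ordinary days, one spike, one ordinary day.
# phone-B has too little history to be scored yet.
SAMPLE = [("phone-A", d + 1, v * MB) for d, v in
          enumerate([38, 41, 40, 43, 39, 40, 42, 37, 41, 40, 11640, 41])]
SAMPLE += [("phone-B", d + 1, v * MB) for d, v in enumerate([5, 6, 9000])]

if __name__ == "__main__":
    for device, day, pct in scan(SAMPLE):
        print(f"{device} day {day}: egress up {pct:.0f}% over baseline")
```

A device with fewer than MIN_HISTORY_DAYS of data is not scored at all, so newly enrolled phones need a separate control (for example a fixed volume ceiling) until a baseline exists.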
Don’t ignore your biggest vulnerability. Extend cybersecurity protections to all mobile devices before someone in your organization makes a sleepy swipe that could bring down your business.
About the Author
Seasoned tech & security industry executive, Frances Dewing is CEO of Rubica, a high-growth venture-backed company bringing advanced cybersecurity protection to mobile devices and remote working professionals. Rubica is the first consumer-friendly but enterprise-grade cybersecurity product built with a “mobile-first” approach. She regularly consults with boards, Fortune 100 executives, and HNW private client groups on cybersecurity issues and best practices.