Mobile malware—malicious software designed to gain access to private data on mobile devices—is a growing threat to companies’ cybersecurity. As companies embrace remote work and more employees use their personal devices for work-related tasks, cybercriminals are finding more opportunities to exploit these vulnerable and often unsecured devices to access corporate servers and sensitive information.
The consequences of these cyberattacks can be devastating for organizations. According to Verizon’s Mobile Security Index, 33% of security professionals have reported a security compromise involving a mobile device. In addition, 47% said remediation was “difficult and expensive,” and 64% said they suffered downtime.
Cybercriminals can deploy mobile malware in a variety of ways, including through malicious apps, through network-level attacks and even by exploiting vulnerabilities within the device and its operating system. This article provides more information on mobile device security threats and steps businesses can take to prevent related losses.
Mobile Device Security Threats
As cybersecurity threats become more frequent and severe, organizations must take the time to understand the potential risks of allowing employees to use their personal mobile devices for work-related activities. The following are common mobile device security threats:
- Phishing and smishing—Phishing and smishing scams are the number one security threat to mobile devices, according to IBM. While phishing uses emails and smishing uses text, both strategies involve sending messages that contain malicious links to infect devices with malware or trick victims into sharing account details or business information. Social engineering is often used in phishing and smishing scams by weaponizing key attributes of a victim, such as where they work, their job status and their recent posts, to gain trust and get important information out of them.
- Malicious apps—Official app stores like Apple App Store and Google Play have many checks and balances in place to prevent malicious code, but malicious apps may still get through these processes. Once a malicious app is installed, hackers can steal or lock data stored in the mobile device or spread more malware.
- Insecure Wi-Fi and network spoofing—When an employee uses a compromised or public Wi-Fi network, their device instantly becomes vulnerable to cyberattacks. Through insecure Wi-Fi and network spoofing, cybercriminals can conduct man-in-the-middle attacks (in which communication between two systems is intercepted by a third party) while remaining undetected by the user. Insecure Wi-Fi, such as open or free Wi-Fi hotspots, can allow cybercriminals to intercept device network traffic. Network spoofing entails a hacker impersonating a network’s name to trick users into signing in, allowing the hacker to access user data.
- Outdated operating systems (OSs) and apps—Older OSs and apps may contain vulnerabilities that can be exploited by cybercriminals. While software patches and updates are often released by developers to address security vulnerabilities, any delay or avoidance in updating an OS or app could put data stored on the mobile device at risk.
Mobile Device Threat Prevention
The consequences of mobile device security breaches can be devastating to an organization, potentially resulting in a loss of profits, data, reputation and compliance. To minimize mobile device security threats, organizations can take the following precautions:
- Train employees. Employees are the first line of defense for protecting mobile devices against malware. Therefore, cybersecurity awareness training can help employees combat scams by teaching them to identify telltale signs of phishing, smishing and malicious apps, avoid public and insecure Wi-Fi networks, and keep their devices’ software up to date.
- Install a virtual private network (VPN). A VPN connection disguises online data traffic and protects it from external access. Unencrypted data can be viewed by anyone who has network access, but a VPN keeps cybercriminals from deciphering the data.
- Activate multifactor authentication (MFA). MFA can prevent account compromises by requiring users to provide multiple security credentials to access a device or account. Examples of MFA include entering a code sent to a user’s email, answering a security question or scanning a fingerprint.
- Install zero-trust-enabled applications. A zero-trust security model evaluates access requests based on predefined controls. Legitimate access requests are permitted, and unauthorized requests are blocked and logged. With this strategy, installing zero-trust-enabled applications can reduce cybersecurity risks by blocking access to applications that aren’t permitted.
- Turn on user authentication. User authentication on mobile devices verifies a user’s identity through one or more authentication methods, such as passwords or VPNs, to ensure secure access.
- Develop bring-your-own-device (BYOD) policies. A company should develop and implement BYOD policies when allowing or requiring employees to use their personal devices for work-related activities. BYOD policies should address which devices and apps are permitted and outline security requirements.
- Create device update policies. Cybercriminals can infiltrate mobile devices through unpatched software. Therefore, a company device update policy should require employees to update their devices and apps as soon as a patch becomes available.
- Back up mobile data regularly. Regularly backing up data can help companies recover in the event a mobile device is lost, stolen or otherwise compromised. Backups can protect against human errors, hardware failure, virus attacks, power failure and natural disasters.
- Implement a password policy. A strong corporate password policy can ensure that systems and data are as secure as possible. Some best practices include encouraging employees to use unique, complex or long passwords; enabling MFA; and using password management systems.
As mobile devices and their applications become increasingly utilized for work-related activities, companies must remain vigilant in their cybersecurity efforts to mitigate associated risks.
This Cyber Risks & Liabilities document is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. © 2023 Zywave, Inc. All rights reserved.