Our mobile phones are rarely more than an arm’s reach away, they are our fastest gateway to the digital world, and this is not something that has gone unnoticed by hackers. Here we will look at the top mobile security threats and how you can protect against them.
According to the ONS report on mobile and computer misuse for 2022, mobile-targeted attacks make up more than 60% of all digital fraud, and yet many employees still use personal phones to conduct business meetings over Teams and Zoom, access email, and reach other business servers and shared drives.
Ease of use and efficiency have driven this rise, but not all businesses are prepared for the potential consequences. Good policy is something we have talked about at length before on this blog, and it is potentially even more important if you are considering the use of devices that mix personal and business functions, and if your staff are often doing this from a remote, potentially public setting over public Wi-Fi.
Before you can do this, you need to assess the attack surfaces that you are vulnerable to on mobile. Below is a summary of these surfaces so you can construct a sensible cybersecurity policy for conducting business on mobile, be it company or user owned.
Attack surfaces on mobile devices
We know what you are thinking, what is an attack surface? Put simply it is anywhere you are vulnerable to attack by hackers or bad actors. Any way they could steal or corrupt your sensitive, financial, and personal data. This can be an enormous and daunting task to take stock of so this should help you break it down to focus on the mobile vulnerabilities.
By narrowing down the attack surfaces, risks and vulnerabilities, you should be able to mitigate some of the specific threats we cover here.
The entire attack surface of your organisation includes any vulnerabilities in your staff, your physical premises, your network, or your software.
These are the three main types of attack surfaces and some examples of how they apply to mobile targeted attacks:
- Digital attack surface – This can be broken down further into:
  - Known assets – allowed and known software that is managed by your existing systems and firewall.
  - Unknown assets – also known as Shadow IT. This could be an account left on a phone passed to a new staff member, or an app that the team no longer uses but that is still installed and logged in. These are vulnerable because they are no longer managed effectively.
  - Rogue assets – malicious software and apps, typosquatted domains and impersonation, all of which are on the rise.
- Physical attack surface – The mobile phone itself – is it secured with biometrics? How easy would it be to get your data if someone stole the phone?
- Social/personal attack surface – 2022 saw a 20% rise in mobile-targeted phishing scams. These exploit the social attack surface: they seek to deceive the person using the phone into granting access or revealing sensitive information.
With these attack surfaces in mind, it is sensible to develop a policy that can adapt based on the usage and on whether you are supplying the phone. It can be much harder to get a sense of the attack surfaces on people’s personal phones, and there is a limit to what may be considered reasonable in terms of remote monitoring, so business phones that you manage and can cut off remotely are a good choice if privacy, and the assurance of privacy for your clients, is of greatest concern.
Mobile threats and vulnerabilities to watch out for in 2023
- Phishing attacks – Still the main threat to your business. Mobile targeted phishing scams are becoming increasingly sophisticated and use email, text, and social messaging apps to initiate conversations or prompt you to click something that then installs or inserts trackers on your phone.
- Spyware – Trackers and malicious data harvesting that can hijack other applications and websites to harvest data from your phone.
- Identity theft – Hackers who gather enough information can mimic you, set up accounts, or raise purchase orders in your name or your company’s name.
- Out-of-date devices – Insecure and poorly protected devices are more vulnerable because they lack the security fixes that ship with the newest operating system and software versions for your phone. Always keep your phone up to date.
- Poor password security – Your phone should be biometrically protected if possible and also have a further layer of security before other apps are accessible, such as 2FA and an additional password layer. Passwords should be unique, long, use a variety of characters, numbers and symbols, and be impossible to guess.
- Malicious Apps – Malicious apps are those that mimic other legitimate sites or mimic your own services to steal your data or custom. They often hijack other seemingly legitimate download links to gain access to your phone.
- Apps that take ownership of data (murky user policies) – Apps that have very long and unclear user policies, or that seem to require permissions for services they would never normally use, such as your contact list or camera, should be treated with caution and only installed if you are sure of the application’s legitimacy.
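The “Rogue assets” entry above mentions typosquatted domains and impersonation, and the phishing and malicious-app entries describe messages that lure a user into tapping a link. One defensive control an IT team can run over inbound mail (or a log of sender addresses from mobile clients) is a lookalike-domain check: does the sender’s domain closely resemble one the organisation trusts without actually being it? The script below is an added example written for this post, not code from the original article or from Pie Security. The trusted domain list, the confusable-character table and the sample sender addresses are all constructed for illustration, and `example-corp.com` stands in for your own domain; a real deployment would use a public-suffix list rather than the last-two-labels shortcut shown here.

```python
"""Flag e-mail sender domains that impersonate domains your organisation trusts.

Added example, not code from the original post. TRUSTED_DOMAINS, CONFUSABLES and
SAMPLE_SENDERS are constructed; 'example-corp.com' is a placeholder for your own
registrable domain.
"""
import unicodedata

# Constructed: registrable domains (name + public suffix) the organisation trusts.
TRUSTED_DOMAINS = ["example-corp.com", "microsoft.com", "zoom.us"]

# Look-alike sequences attackers substitute for plain ASCII letters (constructed subset).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w", "ı": "i"}


def normalise(domain: str) -> str:
    """Lower-case, strip accents and fold common look-alike sequences to plain letters."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    for look, plain in CONFUSABLES.items():
        folded = folded.replace(look, plain)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels as a stand-in for the registrable domain (no public-suffix list here)."""
    return ".".join(domain.strip(".").split(".")[-2:])


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for one sender domain."""
    raw = domain.lower().strip(".")
    for t in trusted:
        if raw == t or raw.endswith("." + t):
            return "trusted"  # the real domain or a genuine subdomain of it
    candidate = registrable(normalise(raw))
    for t in trusted:
        if t in raw:  # trusted name buried in a longer host, e.g. example-corp.com.evil.net
            return "lookalike"
        if levenshtein(candidate, normalise(registrable(t))) <= max_distance:
            return "lookalike"  # homoglyph swap, or only a couple of typos away
    return "unrelated"


def triage(addresses):
    """Map each sender address to its verdict; the domain is whatever follows the last '@'."""
    return {addr: classify_domain(addr.rsplit("@", 1)[-1]) for addr in addresses}


# Constructed sample senders, as they might appear in a mobile mail client.
SAMPLE_SENDERS = [
    "hr@example-corp.com",
    "it-helpdesk@exarnple-corp.com",
    "billing@example-c0rp.com",
    "meetings@zoom.us",
    "login@example-corp.com.evil-placeholder.net",
    "newsletter@github.com",
]

if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_SENDERS).items():
        print(f"{verdict:10} {sender}")
```

Running the script prints a verdict per constructed address: the genuine `example-corp.com` and `zoom.us` senders are trusted, the `rn`-for-`m` and `0`-for-`o` swaps and the “trusted name followed by another domain” trick are all flagged as lookalikes, and an unrelated domain such as `github.com` passes through. The `max_distance` threshold is the main tuning knob: very short trusted domains will produce more false positives at distance 2, so the verdicts are best used to route messages for review or to drive a user-facing warning banner rather than to block outright.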
How to protect your business
It is unlikely that you can mitigate absolutely every attack surface on mobile, or indeed every attack surface your company is exposed on. By analysing those surfaces against the risks and concerns listed above (and, of course, any others that your research finds relevant to your work), you can create a cybersecurity plan and policy that includes mobile risk factors. Here is a summary of ways to protect yourself and your business assets on mobile.
- Ensuring your cybersecurity policy covers personal and company phones separately is key.
- Supply/require antivirus and malware protection on company phones.
- Use email encryption and secure methods for logging in to company web and email portals.
- Require backups.
- Consider remote enabled tracking software.
- Educate your staff about the risks of phishing scams that target mobile.
- Be a part of the solution and report any potential scams to the UK Government’s National Cyber Security Centre.
Why not start 2023 with peace of mind and book a demo with Pie Security to find out how our email encryption tool and data compliance assessments will help your business stay secure and meet European data privacy regulations.