Mobile phones are no longer just phones; they are constant companions. For most people, the phone is the last thing they look at before going to sleep and the first thing their eyes seek when they wake up in the morning. Smartphones are not used for just personal purposes; they are increasingly involved in the workplace too. Employees check email, log in to networks remotely, download attachments, download apps for remote work, or share data. So while they are a good support at the workplace, employee mobiles do affect workplace security.
You can’t wish away mobile phones, but you can definitely increase security measures to protect your employees and organisation. Our cybersecurity expert team in Perth helps you understand smartphone security threats and what you can do to fight them.
Types of mobile security threats
Mobile security threats generally tend to be grouped under one umbrella, but not all threats work the same way. They attack mobile phones in broadly four ways.
Web – Users visit infected websites and end up downloading malicious content without their knowledge. Such sites may be malicious by design or may have been infected without the site owner’s knowledge.
Applications – Users download applications that look legitimate but are malicious in nature. Again, most of the time users do not realise that the app is malicious, and they deliver sensitive data right into the hands of cybercriminals.
Network – Free internet access can be quite tempting, and risky too. Public Wi-Fi networks are at the greatest risk because they are not protected by passwords. Cybercriminals can easily hack into unsecured networks and steal data from users’ devices.
Physical loss – This happens when your mobile device is stolen or lost. If your device is not well protected, or you realise too late that your mobile is missing, it can lead to a huge loss of data. Hackers practically have all your data at their fingertips.
How do mobile security threats happen?
Let’s see how employee mobiles affect workplace security.
Password protection not enabled
Most mobile devices do not need a compulsory password or passcode to open. Even when a password is required, password-strength practices are not enforced, leading to passwords that can be easily cracked. It is surprising that, with mobiles holding vast amounts of information, people do not give mobile passwords the importance they deserve.
Not deleting inactive apps
Another common way mobiles get infected is through inactive apps. Google and Apple do remove suspicious apps from their stores, but inactive apps on mobiles are an easy way for hackers to break into devices.
Apps not using end-to-end encryption
Some developers may use encryption algorithms with known vulnerabilities to speed up the development process, while others may leave unknown ‘backdoor’ vulnerabilities in the encryption algorithms. Hackers exploit these vulnerabilities to gain access to devices.
Internet of Things (IoT) threats
The rapid growth of IoT brings with it huge loopholes in security. With so many appliances connected to mobiles, they may not be monitored constantly. And because many of the latest mobiles have IP addresses, hackers can use the internet to gain access to them.
Network spoofing
This happens when criminals create fake access points that look very similar to public Wi-Fi networks. Users are generally required to create accounts and log in with an email address and password. Most of the time, users enter the same email address that they use for work purposes, so hackers can obtain login credentials to an organisation’s systems.
Data leakage
This happens when data is leaked unintentionally or unknowingly because users grant apps broad access. Such apps are mostly free but, in addition to their declared functions, send user data to a remote server where cybercriminals can mine it.
Phishing
Phishing attacks are no longer restricted to desktops, as they increasingly use text and social media messaging to spread. As mobiles are powered on 24/7, they are particularly at risk. Also, emails may not show complete information, so that they fit on the small screen. As a result, users may end up opening emails from familiar names without checking the actual email address.
What can you do to protect employee smartphones?
We recommend that employees receive regular training in mobile security awareness. Many employees never realise how their personal mobiles become a gateway for cybercriminals to gain access to corporate data. They need to be made aware of how employee mobiles affect workplace security. Here are some steps you must ensure that all staff follow:
- Enrol employees in security training that actually tests their level of preparedness. This way, employees are more motivated to put into practice what they learn in training.
- Follow a BYOD policy. If employees bring their own device to work, it should be monitored by the IT department. Employees should be asked to follow all security procedures for their devices, the same as for company devices.
- Employees should be advised to avoid public Wi-Fi, especially with the devices that they use for work purposes.
- Employees should install updates and patches as soon as they are available, as these updates are usually released to fix known vulnerabilities.
- Employees must set passwords for their devices.
- Antivirus should be mandatory for all devices brought to work.
- You should ensure that employees have a ‘wipe’ function on their devices. This will help to wipe data remotely from mobiles in the event they are stolen.
Employee education and robust security measures are key to preventing and minimising cyber threats. The Computing Australia cybersecurity team in Perth has been helping clients secure their systems for over two decades. See how you can use this experience to secure your organisation. Contact us or email us at cybersecurity@computingaustralia.group.
Jargon Buster
BYOD – Bring Your Own Device. Employees bring their own mobiles, tablets or laptops to the workplace.
Data mining – the process of turning raw data into useful information. Cybercriminals mine data and sell it or use it for their own gains, mostly financial.
Remote wipe – a security feature for mobile devices that allows for remote clearing of data from stolen devices.