The modern workplace is evolving, and as a result it’s becoming more complex for IT departments to efficiently manage and secure access to all of a company’s assets. The workplace is no longer confined to a specific office building or a designated company machine. Instead, work is being done on the go — from home, a coffee shop, or a hotel — and oftentimes it’s done with the use of a mobile device, whether it’s company provisioned or not.
With the overall use of mobile apps on the rise, mobile devices in particular are introducing a new set of security concerns for organisations. So, what vulnerabilities do mobile devices introduce, what attacks are aimed at mobile phone users, and what can enterprises do to protect themselves against these threats?
Mobile phones are difficult to protect, and even if every device across the organisation is armed with an anti-malware app that’s regularly updated, criminals can compromise a business’ most sensitive assets by using other, more effective methods. For example, a mobile user is 18 times more likely to be exposed to a phishing attempt than to malware, and the latest phishing scams fool even the savviest of users.
When it comes to email specifically, which is one of the most common avenues for phishing, it is much harder to scrutinise the validity of a message on a mobile phone compared to a desktop. The limited preview that mobile phones tend to display can make it far harder to spot a malicious sender on a mobile device than on a desktop computer. What’s worse is that employees are more likely to first see a message on a mobile phone.
Email isn’t the only place where mobile users are vulnerable. Mobile web browsers and messaging apps are also increasingly targeted by phishers. App store and Google Play users should be careful to look out for fake apps, which look like the real thing and steal your login details when you first access them.
Additionally, busy employees on the move often make use of public Wi-Fi where it’s available, but this can leave them vulnerable to another form of attack. It can be convenient that Wi-Fi connections are widely available for free, but not all networks are genuine. Hackers have been known to float spoof connections to fake public Wi-Fi networks.
In these scenarios, unsuspecting users log on, and by doing so they unknowingly provide a hacker with access to all the information transmitted when they connect — from login credentials to confidential documents — unless the user’s connection is encrypted. This is called a “Man in the Middle” (MitM) attack.
The portability of mobile phones can also be a security concern. Between April 2016 and 2017, more than 26,000 devices were lost on the Transport for London network. According to think tank Parliament Street, these losses raise serious questions about the threats that individual devices pose to company data security since many of these lost devices and apps are not adequately protected.
In many organisations, mobile phones are used as a second authentication factor via SMS or authentication apps, so losing a mobile device may even give cyber criminals the key to enterprises’ sensitive information. Not to mention, the costs, time, and resources that are incurred by the IT support team can be astronomical if that individual’s phone contained applications used for the enterprise. Whether it’s due to lost, stolen, or damaged devices, re-enrolling apps on a new device is an inconvenience to all parties involved.
Stepping up mobile security
Although it is convenient to connect and do business wherever we are, it can cause problems that are costly and time consuming to solve. If hackers successfully obtain the sensitive information they seek, it takes organisations an average of 191 days to find the source and contain the breach. In 2017, such attacks cost businesses an average of $3.62 million to remediate – a figure set to rise after the first fines for GDPR non-compliance are issued.
The fact that personal mobile devices are often not considered part of an organisation’s overall security policy means that these devices will be more vulnerable to attack. It is easier to ensure that all business and communication is conducted in compliance with any relevant regulations while on the company’s premises, but managing risks off-site can be more complicated and costly. Fines and other penalties for non-compliance can make the cost of a successful attack spiral.
Introducing stronger authentication
With an increasing number of stolen login credentials available on the black market, and rampant phishing scams, it is critical that any mobile application has the option for strong authentication. Usernames and passwords are no longer providing adequate security.
That said, there are some unique considerations for mobile authentication. Many authentication methods today — like SMS or mobile push apps — rely on the phone as the trusted second factor. However, in a mobile app setting these methods can no longer be considered as trusted second factors as they are tied to device itself. If the device is compromised, so is the authentication method. Additionally, one-time codes delivered via SMS or app can be spoofed by porting a number to a different mobile device or can be very unreliable at the mercy of the phone networks.
While strong authentication is about improving the security to the mobile application, the app is at risk if the authentication solution itself has a vulnerability. Therefore, it is important for enterprises to deploy a second factor other than a phone that can be used to establish a trusted relationship between the phone and the apps being used. By using an external hardware-based authentication solution, it can provide a trust anchor, or ‘root of trust’, that ensures that the authentication solution and end user practices are secure.
With an external authentication method, organisations can also enable a variety of user verification or step-up authentication assurances such as requiring a PIN in addition to the authenticator, or re-presenting the authenticator for certain in-app actions that need a higher level of security. A good example of this would be transferring a large sum of money within your banking app.
Creating a security-first culture
Aside from the technical solutions such as strong authentication, business culture also needs to change. Organisations must take the proper steps to protect the fleet. For example, employee training to help staff recognise the risks they face off-site as well as in the office can help to mitigate mobile threats. Additionally, mobile devices used for work should also be regularly checked to ensure their operating system, web browser, apps and any security programs protecting them are up to date.
Tommaso De Orchi, Director of Product and Solutions, Yubico
Image Credit: Varnish Software