As mobile device access for workers has increased, so have the potential security threats. All it takes is one security breach on an employee’s corporate-owned mobile device over a public network, and a hacker could easily gain access to proprietary company data. Most enterprises have security policies in place to thwart hackers; however, those policies are less effective when an organisation lacks visibility regarding the networks accessed by employees on their corporate devices. This lack of visibility creates blind spots that leave an enterprise’s data vulnerable to security threats.
Enterprise Mobility Exchange surveyed their audience in July and August of 2018 to uncover the biggest mobile security threats, what applications employees were using and which networks they were connecting to. The results of the survey are very concerning. Many enterprises could not identify how often they were breached. Also, many enterprises lack real-time visibility regarding which devices are connecting to their networks using corporate VPNs. Many are also ignorant of the many activities being carried out on devices.
Many enterprises harness mobile technologies to give employees increased access to company data in real-time. This helps to better serve customers, manage operations and increase productivity. Some enterprises allow employees to bring their own devices (BYOD) with others providing a corporate-owned device.
In the survey, more than 72 per cent of respondents said that their enterprises used over 100 corporate-owned mobile devices, including 32 per cent of respondents who used over 1,000 devices. Irrespective of the number of devices in place, an organisation still needs to have the same security in place. With an increasing number of devices appearing in the workplace and the associated number of mobile apps, there are an increasing number of mobile security challenges to consider.
Respondents in the survey were asked to rank the greatest mobile security threats for their organisations.
Top security threats
- 44.59 per cent - DATA LEAKAGE: Private or secure data is stolen and released to parties who should not have access to it.
- 25.68 per cent - PHISHING ATTACKS: An attacker falsifies an identity to trick a user into opening an email or visiting a website to obtain sensitive data.
- 9.46 per cent - INSECURE APPLICATIONS: Applications that lack state-of-the-art security, and are vulnerable to hacks.
- 9.46 per cent - SPYWARE: Software that is secretly installed on an operating system with the goal of getting private data.
- 5.41 per cent - NETWORK SPOOFING: A malicious third party forges an identity with the purpose of launching network attacks and stealing information.
- 5.41 per cent - RANSOMWARE: A form of malware in which computer or data access is blocked until the user pays a ransom to the hacker.
Data leakage is a very serious IT health issue. Mobile phones are actively connected to the Internet of Things (IoT) over the corporate office network. The phones also have access to emails containing critical or sensitive company data that, if exposed or hacked, may result in the loss of a million-pound contract, for example.
Mobile workers are the root cause of many mobile security vulnerabilities - even without them knowing. This includes neglecting device updates, sharing company data over public Wi-Fi or even using their corporate-owned device to accidentally click on insecure links. Mobile apps are often the cause of unintentional data leakage because the majority of mobile users don’t check the permissions they are granting. Not having the latest OS version and security patches installed is always a risky practice. Also, hackers set up fake access points in high-traffic public locations, giving these points common names, such as ‘Free Airport Wi-Fi’ or ‘Guest Coffee Shop,’ which encourage users to connect.
Although many enterprises are unsure about the number of security incidents that occurred last year, most of them still believe they take security very seriously. Over 93 per cent of respondents have organisation-wide security policies regarding corporate-owned devices. However, 28 per cent do not enforce those policies, which could leave them vulnerable to an attack. In addition, 36 per cent say that they do not provide mobile security training for employees. Another 31 per cent provide security training, but not on a regular basis.
Despite these security concerns, 66 per cent of enterprises allow their mobile workforce to operate a corporate-owned device without a VPN. Enterprises use VPNs to ensure a secure connection for remote workers. By not requiring a VPN with corporate-owned devices, enterprises are more vulnerable to security risks.
Visibility of mobile devices is key
Although policies are an important aspect of mobile security, enterprises need to have real visibility into the way devices are actually being used. Without the ability to see what networks employees are connected to via their corporate devices, security policies can become irrelevant. Without this visibility, enterprises are at the mercy of every attack vector out there.
Only 53 per cent of enterprises had visibility in real time about which devices were connected to their corporate VPN. Nearly 19 per cent lacked all visibility, and nearly 9 per cent weren’t sure if they had any visibility. If an enterprise does not have proper monitoring tools showing visibility across the network, there is no way to measure whether its policies are working or not. If you cannot measure something, then you are working in the dark.
One of the most vulnerable areas for attack involves corporate device usage on non-corporate owned networks. This typically includes public Wi-Fi, carrier networks and home networks. Knowing which devices are connecting to the network allows you to measure the possible threat landscape of the particular devices against network vulnerabilities. Many enterprises lack the visibility into information that gets sent across non-corporate owned networks from corporate-owned devices.
Although the lack of visibility into mobile security threats is a major hurdle, most enterprises recognise this challenge and are starting to take action. Over 74 per cent of respondents in the survey have tools in place to mitigate, quarantine, or block a corporate-owned device that is connected to a server in an undesirable or unwanted location.
In time, organisations will be able to implement tools that monitor mobile devices in real time and also ensure that security is on a par with the policies and procedures of modern cloud-based infrastructures. Moving towards allocating company mobile phones that can be tracked in real time, and whether that is cost effective compared to the loss of critical data, remains a big challenge.
To diminish threats on unsecured networks, enterprises can take the following actions:
- Don’t allow BYOD.
- Use a mobile device management (MDM) solution, which provides more control.
- Enact more policy-based security.
- Configure devices to use a personal identification number (PIN) to lock.
- Restrict behaviour or block certain apps.
- Use remote wipe so that you can delete data when the device is compromised.
One way enterprises are mitigating security threats is by auditing when users connect to public Wi-Fi or carrier networks. Most mobile security breaches occur when a user is on these other networks. Many public Wi-Fi connections are not secure and are vulnerable to eavesdropping and other threats. It is important to ensure that the activity appears normal and subsequent access from that account is monitored for malicious activity.
Many organisations taking measures to protect devices and data from attacks are not being consistent in terms of enforcement. Also, they lack a complete picture of what users and devices are doing when not on corporate networks. Left unaddressed, these weaknesses will become more apparent with the increased reliance on mobile technologies for business-critical operations.
Lee Johnson, Director of global marketing, Netmotion Software