The growing shift to remote-working, both during and post pandemic, has confirmed predictions that the future is mobile and that mobile devices are set to become the standard way of accessing pretty much everything. But how will you protect your crucial business systems and sensitive data from new threats introduced by remote and mobile access?
Four main threats
Remote and mobile devices are exposed to four main threat vectors; mobile application threats, web-based mobile threats, mobile network security threats and mobile device threats.
Mobile application threats include the inadvertent downloading of fraudulent applications that look legitimate but are actually not what they purport to be. Some impersonate a legitimate application in order to gain access, or cause damage, to the device or the networks to which it connects. Others are fully functional but infected with a virus or loaded with harmful malware. Careless downloads leads to data being compromised by viruses, spyware or ransomware.
Threats from visiting websites can be very subtle. Most commonly, they trick the user into revealing sensitive information or into downloading malware. There is recent evidence of websites downloading malware without requiring the user’s mouse click (“drive-by downloads”).
Most mobile network threats arise when users access the Internet or work network from a local unsecured network, such as public WiFi in a restaurant, café or library. These are highly risky because they are easily intercepted and use little or no encryption.
Device security refers to direct physical threats to the devices themselves. Devices containing sensitive information, passwords and logins can be lost, stolen or used without the owner’s knowledge. Hijacked devices pose a high risk to personal and company information and can provide access into company networks.
Protecting your devices
Data leakage via malicious (or badly written) apps is a real danger. It is estimated that over 80% of mobile devices are insecure, meaning that hackers don’t have to try hard to plant malware or access sensitive information. Numerous studies have shown that mobile users are for more likely to grant permissions during software installations than they would on their laptop or office workstation. Carelessly granting permissions gives the app access to all sorts of data and information that can then be sent to criminals.
Security specialists like Cloudworks will advise you about installing Mobile Application Management tools (MAM). These allow IT staff to control access permissions on employee devices, wiping or denying permissions as necessary.
Again, studies show that people are more likely to open a dubious email or carelessly click a link when they are using a mobile device than they would on their home or workplace computer. Typical methods of attack include phishing emails, fraudulent text messages and even deceptive phone calls. Users are often tricked into handing over passwords, downloading malware, or inadvertently revealing information about other members of the company that can then be further exploited. Phishing attacks were the number one cause of data breaches in 2020.
Protecting your company from social engineering attacks mainly involves training employees to spot suspicious emails, SMS messages and calls. However, such training must be ongoing – because new patterns of attack are constantly emerging. Specialist security advisers can provide you with vital early warnings.
Avoiding the misuse of devices with company access can be complex but it begins by tracking all devices and carefully controlling their network access privileges. Modern access control techniques are more sophisticated than they used to be. With the right systems in place you can now easily control access on a file by file basis.
Rather than having your IT team react to an intrusion after the damage is done, you can have your entire network monitored by an A.I. capable of detecting unusual logins, access requests and other unusual activity. These security solutions can automatically clamp down on access before damage is done instead of after.