Six Tips To Secure Mobile Devices In Your Organization
By Stu Sjouwerman
Smartphones are ubiquitous, and it is very common nowadays for people to use personal mobile devices for work. While it can add convenience and boost productivity, mobile technology also represents a serious threat to security. According to CheckPoint’s Mobile Security Report 2021, nearly every organization (97%) faced mobile threats last year, and 46% of them had to deal with at least one employee downloading a malicious mobile app.
Major mobile platforms are huge targets for cybercriminals and other threat actors. Ensuring security amid a sea of third-party apps on devices that are designed for easy connectivity is a challenge. InfoSec pros and IT departments are striving to strike the right balance on mobile security, giving employees enough freedom to get the best from mobile devices without too much exposure to risk.
Every organization should have a strategy in place to improve mobile device security. Thankfully, there are some obvious places to start.
Understand what you need to know about smishing.
Unlike most email clients, smartphones come with no built-in spam filters, antivirus, or anti-smishing checks before the text/SMS (short message service) arrives. Cellphone carriers do not block or inspect embedded URL links. Users are prone to clicking these bogus links, which, if connected, can open the door to trouble.
Text/SMS messages are weakly authenticated by design. Users cannot check the domain easily to verify their identity. SMS messages may arrive from spoofed or borrowed/shared telephone numbers. The URL link is usually the tell-tale sign of a smishing scam, but it is typically disguised; malicious senders use URL shortening services (like TinyURL or Bit.ly) to hide the source.
Suggest to your people that they expand the URL first by using a URL expander service (like Urlex or ExpandURL). Smishing attempts are easy to spot if you know what to look for. Users should ignore, delete or report them.
Regularly update and patch software.
New exploits and vulnerabilities are uncovered all the time, so it is crucial to ensure that every piece of software on mobile devices in use across your organization is updated swiftly. It is especially important to ensure any mobile device management (MDM) tools you use have the latest security updates. The speed and effectiveness of security updates should also be a consideration when acquiring devices and choosing platforms or apps.
Educate employees with security awareness training.
Malware infections can usually be traced back to social engineering attacks. Phishing was by far the most common cybercrime in 2020, according to the FBI, with nearly 10 times the number of complaints in 2020 than in 2017. Fake website fronts designed to steal credentials, disguised links or files that trigger malware downloads and text/SMS messages that appear to be legitimate account-related requests from Amazon, UPS, or your credit card are all common techniques for fooling users into giving up passwords or confidential data.
The effectiveness of these attacks can be drastically reduced if the targeted employees have undergone training exercises and been taught to recognize the danger signs. Regular awareness education will equip people with the skills and knowledge they need to spot phishing/smishing attempts. Just make sure training is backed by clear procedures that trigger investigations and report findings. Model the behavior you want to see and call out and reward vigilant employees.
Employ proper authentication.
Everyone knows about the importance of strong passwords, but that is not enough. Multi-factor authentication (MFA) with one-time passcode generation via text or email is a step up and should be a minimum requirement.
Most modern mobile devices offer an even more secure authentication method: biometrics. Employees cannot lose or forget their fingerprints. They are unique in the world, and they are always with them. Fingerprint scanning or facial recognition can provide an additional layer to authenticate logins to company systems. Advanced authentication measures include using an adaptive or contextual approach, whereby the user's IP address, device location and configuration come into play as part of the MFA.
Set a clear divide between work and personal.
The blurring of the line between company and personal mobile devices makes management challenging. If the organization does not own the mobile device in question, then it may be impossible to restrict third-party apps, force updates or lock down devices when security incidents arise. Consider how to partition work and personal apps, craft clear policies about mobile device use for work and use virtualization and secure mobile gateways to restrict what lives on phones and other mobile devices.
Test your mobile security strategy.
Waiting for an attack to find out whether your strategy is working is dangerous. You should run regular security audits and hire outside parties to conduct penetration tests and identify any weaknesses in your defenses. Your internal awareness training needs to be tested with mock smishing and phishing campaigns to ensure the message is getting through to employees and that you have the right procedures and tools in place for them to ignore, delete or report issues.
Testing only provides a snapshot, so plan a continuous program and make sure the results feed back into a mitigation plan. Assess your response to incidents, not just from testing but also from any real issues that arise, and make sure you learn everything you can from them. Every test or real-life incident, whether a security failure or success, presents a learning opportunity that can help you improve your overall strategy.