A prime example of this is the evolving nature of ransomware. Previously, ransomware attacks tended to target computers and servers, but now they also pursue smartphone operating systems.
Vulnerabilities through apps remain. Legitimate but insecure apps can leave devices exposed. There are also malicious mobile apps that spoof legitimate applications and install malware on the device. For example, at the time that many people were installing Covid-19 tracking apps, a high number of these kinds of applications were available, so it was easy for users to unwittingly download a malicious version.
Security challenges in mobile devices: Man in the Middle (MitM)
Man in the Middle (MitM) attacks (covert interception of communications) also remain prevalent, especially since smart devices can automatically connect to local networks. Malicious actors can exploit this feature by spoofing legitimate networks in order to eavesdrop on confidential communications and intercept sensitive information.
Under this onslaught of threat vectors against their mobile devices, multi-national corporations may be tempted to simply ban mobile devices from their networks, thus blocking such attacks. For the processing of some types of sensitive information, this approach may be unavoidable; however, for most businesses, the resulting limited connectivity would be overly detrimental due to diminished productivity and efficiency.
With the appropriate policies in place, enterprises can take advantage of smart devices whilst ensuring their networks remain protected against attacks.
The key role of education
A core element of any security policy is education. A workforce that is appropriately educated in the latest threats facing a company, and what can be done to avoid them, already mitigates the risks. Rather than educating the staff using mandatory seminars, corporations need to make this part of an ongoing conversation and regularly share news relating to the latest threats. Where appropriate, employees can be educated in using the corporate network for sensitive information and restricting their external usage to non-sensitive communications.
A necessary part of the education process is having a robust acceptable use policy (AUP) in place. This guidance document will define the appropriate uses of corporate devices – for example never sharing the unlock codes with other people for any reason.
Best practices for security
Companies can also mandate certain expectations at a hardware level. With the appropriate security software in place, the device settings can be locked down so that only those with sufficient administrative privileges have permission to access them on smart devices.
Security for downloading apps can be achieved using ‘allow’ or ‘deny’ lists. Allow listing is more secure: it will only allow specific apps to be downloaded and installed. On the other hand, it is also very rigid and can quickly become outdated. It can also lead to inefficiencies, should users need a certain app to complete a task. Conversely, deny listing is less secure, as its success is based on those who curate the list having sufficiently up-to-date knowledge about emerging threats within the app sphere. There are also hybrid methodologies that may be worth investigating for certain use cases.
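The difference between the three approaches shows most clearly on apps that neither list knows about and on look-alikes of approved apps. The following Python sketch is an added example, not code from any particular device-management product: the package names and signer labels are constructed, and the "hybrid" rule (deny list first, exact allow-list match installs, everything else goes to manual review) is one assumed interpretation of a hybrid methodology.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class App:
    package_id: str  # package/bundle identifier requested for install
    signer: str      # label standing in for the signing-certificate fingerprint

# Constructed policy data for illustration only.
ALLOW = {App("com.example.mail", "signer-A"), App("com.example.vpn", "signer-B")}
ALLOW_IDS = {a.package_id for a in ALLOW}
DENY_IDS = {"com.example.flashlight"}

def decide(app: App, mode: str) -> str:
    """Return 'install', 'block' or 'review' for one install request."""
    if mode == "allow":
        # Default deny: only an exact (package, signer) match passes, so a
        # spoof reusing an approved package name with another signer fails.
        return "install" if app in ALLOW else "block"
    if mode == "deny":
        # Default allow: anything the curators have not listed yet passes.
        return "block" if app.package_id in DENY_IDS else "install"
    if mode == "hybrid":
        if app.package_id in DENY_IDS:
            return "block"
        if app in ALLOW:
            return "install"
        if app.package_id in ALLOW_IDS:
            return "block"   # approved name, unexpected signer
        return "review"      # unknown app: hold for an administrator
    raise ValueError(f"unknown mode: {mode}")

# Constructed install requests covering the cases discussed in the text.
REQUESTS = {
    "approved mail": App("com.example.mail", "signer-A"),
    "spoofed mail": App("com.example.mail", "signer-X"),
    "known bad": App("com.example.flashlight", "signer-C"),
    "new tool": App("com.example.scanner", "signer-D"),
}

def decision_table() -> dict:
    """Decision for every sample request under every mode."""
    modes = ("allow", "deny", "hybrid")
    return {n: {m: decide(a, m) for m in modes} for n, a in REQUESTS.items()}

if __name__ == "__main__":
    for name, row in decision_table().items():
        print(f"{name:14} {row}")
```

The "spoofed mail" row is the one to watch: a deny list that has not yet caught up lets it install, while the allow list and the hybrid rule both block it.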
Restricting connectivity, whether wireless, cabled or both, so that only selected connections can be made, can further secure devices. Blocking wireless connections will prevent smart devices connecting to spoofed networks, but can limit their connectivity and thereby reduce their effectiveness. Likewise, cable connections can be blocked, preventing malicious connections from accessing the device directly. Unfortunately, this might increase the overall load on a 4G/5G network, especially when large files are shared.
Corporations can ensure that they have the capability to remotely wipe corporate devices if they are lost or stolen. This is an increasingly important feature that modern companies need to consider, as unsecured smart devices can effectively offer unrestricted access to corporate networks.
Although there are a significant number of ever-evolving threats facing smart devices, the appropriate policies and processes will allow enterprises to take full advantage of their connectivity to enhance productivity and profitability.