Seventy percent of small-business owners see mobile services and applications as critical to their business operations, according to research by The Business Journals.
Mobile applications help business owners and managers oversee their businesses from anywhere. They can answer customer queries, push marketing materials, and track employee performance, even when out of the office.
But the unregulated use of mobile devices and applications in businesses carries risks, and they're all security-related: data loss, identity theft, ransomware, and more.
Ninety-three percent of businesses consider mobile devices a serious and growing threat, according to Verizon. However, only 14% report having implemented basic cybersecurity practices, such as password management and authentication.
Checking rogue use of mobile devices and applications with preventive technologies and best practices should be your top priority when drawing up your mobile security road map.
5 reasons your business needs to get serious about mobile security
According to Verizon’s Mobile Security Index 2019 report, 83% of business executives admitted that their organizations are vulnerable to mobile security threats. And 73% expected mobile security threats to increase this year.
And they are rightly worried about mobile IT security because of these challenges:
1. Increased use of mobile devices in the business environment: Sixty percent of employees check their work email on smartphones and 14% on tablets. Sixty-six percent of small-business owners use mobile devices to manage day-to-day operations. This increasing use of mobile devices for business means many more vulnerable endpoints that hackers can target. Poor security practices, such as reusing passwords, using no passwords, and not using encryption and backup techniques, further increase the risk of mobile security incidents.
2. Blurring personal and official use of mobile devices: Sixty-nine percent of employees reported using work devices for personal tasks. This could be a violation of acceptable use policy, and it increases the risk of unknowingly exposing business data. The growing trend known as bring your own device (BYOD) further blurs the difference between personal and official devices, which multiplies the risks of data theft and corruption.
3. Evolving mobile threat landscape: Sixty-two percent of organizations believe they lack an understanding of mobile security threats and solutions. This is because the mobile threat landscape, including mobile malware, adware, and ransomware, is constantly evolving. Different operating systems (OSs) are affected by these threats differently; the fixes are also different for each.
4. Non-standard app stores: Non-standard app stores are third-party or private app stores. Many of these stores host apps that aren’t verified. What’s more, hacker-run app stores may advertise malicious or unwanted apps or repackage popular apps with harmful code to gain access to user data.
5. Reckless and rogue employees: Seventy-nine percent of organizations fear that their employees misuse mobile devices and the data stored in them. Ignorance of mobile security measures, lack of understanding of technology policies, hasty and incautious use of mobile devices, and disgruntlement or greed are some factors that lead to insider security threats.
6 specific mobile security threats you’re facing
Hackers are increasingly targeting mobile devices because of their limited security capabilities. Mobile threats are increasing in number and evolving constantly.
Some common mobile threats are:
1. Mobile malware: A program or piece of code that exploits a vulnerability or executes something malicious that puts users’ mobile devices or information at risk. Examples of mobile malware include viruses, ransomware, worms, botnets, Trojans, spyware, and rootkits.
2. Rogue applications: Programs that are usually installed with a user's consent but can have negative consequences for the privacy or performance of the device due to hidden malware.
3. Configuration-based attacks: Attack vectors that have the capability of changing configuration settings by installing malicious certificates, profile changes, or VPNs (virtual private networks) that direct traffic to malicious sites.
4. Network-based attacks: Attack vectors that intercept wireless or mobile network channels and manipulate the traffic or perform man-in-the-middle (MITM) attacks. Malicious hotspots and unsecured Wi-Fi networks enable such attacks.
5. Physical loss or theft: Device theft can lead to exfiltration of personal and corporate data. Devices with passcodes may be broken into through brute force.
6. Smishing attacks: Smishing (SMS phishing) is a form of social engineering attack in which hackers use phone text messages to trick victims into clicking on malicious web links or downloading harmful apps. According to a report, 12% of all mobile security incidents involved phishing URLs, and 81% of the phishing attacks on mobile took place outside of email.
7 mobile security technologies your business needs to stay safe
If you don’t implement the right mobile security technologies and strategies, it’s just a matter of time before a hacker breaks into your systems and steals data or demands ransom.
Here, we discuss some of the must-have mobile security solutions for small businesses.
1. Mobile device management: Mobile device management (MDM) is a security application that allows your IT team to centrally monitor, manage, and secure employees’ mobile devices. For businesses supporting BYOD policies, adopting an MDM solution is a must.
2. Mobile threat defense: Mobile threat defense (MTD) solutions protect mobile devices against threats using techniques such as network protection, vulnerability management, behavioral anomaly detection, application scanning, and risk management. Using MTD solutions along with MDM software helps to improve threat detection and remediation.
3. Mobile application management: Mobile application management (MAM) software solutions help in managing and controlling access to internal and commercial mobile apps (on business devices as well as those used under BYOD policies). These solutions direct users to secure app stores and provide administrators with granular controls to manage the apps.
4. Containerization: Containerization is a technology that helps create virtual pieces of a hardware infrastructure and then splits these pieces from the rest of the IT architecture.
Containerization helps improve mobile security by keeping personal information separate from business data, isolating malicious mobile apps, and storing sensitive information in an encrypted area.
5. Enterprise mobility management: An enterprise mobility management (EMM) app provides the features of MDM, MAM, and containerization tools. EMM tools offer a wide range of features, including device management, content control and development, identity management, mobile application management, and endpoint management.
6. Network protection: Along with securing your mobile devices, it is also important to secure the networks. Network protection tools help identify malicious traffic, rogue access points, and fake SSL certificates. Network protection tools also protect endpoints within your organization.
7. Authentication: Depending on the sensitivity of the device and data, multilayered authentication—device, container, or application—is necessary to bolster your defense. Common authentication mechanisms include two-factor authentication (TFA), access keys, biometrics, and certificates. Authentication at the device level is the minimum recommendation for all businesses.
In the chart below, we have plotted the types of security threats different mobile security solutions help defend against.
Develop your mobile security strategy in 3 steps
Having a mobile security strategy is as important as building a mobile security technology stack. Here are some steps to take toward building your mobile security strategy:
Classify data: One of the first steps in mobile threat prevention is to identify the different types of data in your mobile devices. Classify the data based on the sensitivity parameters below:
- High: Highly sensitive and confidential information such as personally identifiable data, intellectual property, confidential emails and documents, passwords, legal documents, and client and business partner details.
- Medium: Internally sensitive data such as project details, photographs, etc.
- Low: Non-confidential data such as public information, generic company details, low priority emails, etc.
Gather business requirements: Determine what mobile device types and OSs can support your business applications. Identify which mobile security technology solutions will protect the business applications, data, and mobile OSs you use.
Mobile security education and awareness training: Include mobile security education in your security awareness training program. Simulation exercises, online training, and daily security tips can help train employees to identify potentially rogue apps and to be cautious about smishing and malware threats. Employees must also be made aware of IT help desk contacts and steps to take in the event of a breach. Update your training materials regularly to include the latest threats and prevention mechanisms.