As 2018 draws to a close, we’ve seen numerous cyberattacks on companies and institutions where mobile devices have played an important role. As we usually point out, one of the leading reasons for this is the fact that many companies still place the main focus of their cybersecurity on their networks, platforms, servers and desktop computers, overlooking the cyberattacks that may get in using employees’ corporate mobiles as an attack vector.
For this reason, it’s a very good idea for companies to be aware of the following four kinds of security risks related to these devices. This way, they can be taken into account in their security strategies, and prevented as efficiently as possible.
1.- Cryptojacking
This kind of attack is the unauthorized use of a device to mine cryptocurrencies. Its effects can vary, from reduced device performance to physical damage to the affected devices. Though it started out targeting desktop computers and laptops, it has experienced a major surge on mobile devices throughout the year. As we underlined in our whitepaper, it has become the leading threat to the security of electronic devices in 2018, even though it has not received as much media attention as other cyberattacks.
We’ve said it many times before: as with most threats, prevention is key, and with mobile devices, this includes instilling in employees the importance of secure browsing, avoiding suspicious URLs, not downloading unknown apps, and periodically reviewing and updating each and every device.
2.- Data breaches
According to a Ponemon report, companies have a 28% chance of suffering some kind of incident involving data being breached in the next two years. With the new GDPR in effect, this has become a particularly sensitive issue for companies, since some have already received relatively high fines for infringement.
In the case of mobile devices, although incidents of data breaches may seem minor compared to those involving desktop computers, where employees normally work with files containing data, they also pose a risk for another reason: the more limited storage capacity of these devices means that many users store some of their apps and files in a public cloud, which may not be controlled by the company. And in the past, cloud services of this kind, such as iCloud, have suffered numerous attacks, which have even affected some celebrities.
Minimizing the risk of data breaches on mobile devices, as always, is all about prevention, and of course making sure that employees are careful when handling information. As a final barrier, there are solutions, such as Panda Data Control, that constantly monitor all endpoints in order to detect anomalous behavior in the management of files containing data.
3.- Insecure networks
A company’s mobile devices are in constant movement and, as such, are exposed to many networks over which the company has no control. The most common case is open, insecure Wi-Fi connections in public spaces. Cybercriminals can leverage these networks to steal sensitive information from the device, or even end up taking it over. One of the most dangerous methods is the Evil Twin AP (access point) attack. Cybercriminals use the same SSID as the authentic access point so that the user mistakenly connects to theirs instead, enabling the criminals to steal information.
Increasing employee awareness about mobile cybersecurity risks is, once again, the first port of call: not connecting to suspicious Wi-Fi networks and not handling sensitive information or financial data on public Wi-Fi are good starting points. But it is also a good idea to have security solutions that immediately alert users if the network is suspicious before connecting to it.
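As an illustration of the kind of pre-connection check described above (an added example, not code from this post or from any Panda product), the following compares Wi-Fi scan results against an inventory of legitimate corporate access points. The `Beacon` record, the `KNOWN_APS` inventory and all SSID/BSSID values are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Beacon:
    ssid: str        # network name advertised by the access point
    bssid: str       # access point MAC address
    security: str    # advertised security mode, e.g. "WPA2-Enterprise" or "OPEN"
    signal_dbm: int

# Hypothetical inventory of managed networks (constructed values).
KNOWN_APS = {
    "CorpWiFi": {
        "security": "WPA2-Enterprise",
        "bssids": {"02:00:00:aa:bb:01", "02:00:00:aa:bb:02"},
    },
}

def evaluate(beacon, inventory=KNOWN_APS):
    """Return the reasons a beacon looks like an evil twin (empty list = no finding)."""
    entry = inventory.get(beacon.ssid)
    if entry is None:
        return []  # not a managed SSID, so this check has nothing to compare against
    reasons = []
    if beacon.bssid.lower() not in entry["bssids"]:
        reasons.append("unknown BSSID for managed SSID")
    # A BSSID can be cloned as easily as an SSID, so the advertised security
    # mode is checked independently of the BSSID match.
    if beacon.security != entry["security"]:
        reasons.append(
            f"security mismatch: expected {entry['security']}, saw {beacon.security}"
        )
    return reasons

def scan_findings(scan, inventory=KNOWN_APS):
    """Map each suspicious BSSID in a scan to the reasons it was flagged."""
    findings = {}
    for beacon in scan:
        reasons = evaluate(beacon, inventory)
        if reasons:
            findings[beacon.bssid] = reasons
    return findings

# Constructed scan: one legitimate AP, one twin with a new BSSID,
# one twin cloning a real BSSID but downgraded to OPEN, one unrelated network.
SAMPLE_SCAN = [
    Beacon("CorpWiFi", "02:00:00:aa:bb:01", "WPA2-Enterprise", -48),
    Beacon("CorpWiFi", "02:00:00:cc:dd:99", "OPEN", -35),
    Beacon("CorpWiFi", "02:00:00:AA:BB:02", "OPEN", -40),
    Beacon("CoffeeShop", "02:00:00:11:22:33", "OPEN", -60),
]

if __name__ == "__main__":
    for bssid, reasons in scan_findings(SAMPLE_SCAN).items():
        print(bssid, "->", "; ".join(reasons))
```

A twin that copies both the BSSID and the security mode passes this check, so it complements rather than replaces server certificate validation on enterprise Wi-Fi.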
4.- Social engineering attacks
Cybercriminals who use social engineering attacks look for weaknesses in human nature. That is, they use deception so that the users themselves are the ones to let the malware in, whether by clicking on a URL, downloading a file, or providing data where they shouldn’t. These are the most common types of cyberattack, and as we highlighted in a previous post, 6 of the 10 most effective phishing campaigns in 2018 contained the word ‘invoice’ in the subject, which enabled them to trick employees into thinking they were real company invoices.
And mobiles are no stranger to this kind of attack. Quite the opposite in fact. According to a study by IBM, users are three times more likely to facilitate a phishing attack when using a mobile. The reason is that the barrier between work and personal matters, even with corporate mobiles, becomes blurred outside the office. This means that employees sometimes use them to browse more dangerous websites than they would visit on their computers, or to respond to emails on their personal accounts that can put the device at risk.
Here, employee training is also key, so that they learn to browse safely on their corporate mobile, to quickly spot phishing emails, and to distrust suspicious attachments.
As we can see, mobile security risks can pose a serious danger for companies. As such, in order to stop corporate mobile devices from becoming an attack vector, it is vital to combine cybersecurity training for our employees with the use of the best advanced cybersecurity solutions.