Mobile devices are far more difficult to secure due to challenges in physical or access restrictions, so it is important to understand the risks for company owned mobile devices.
DESIRE FOR CONVENIENCE
Nearly seamless user experience and reduced friction across user workflows is precisely what makes mobile devices less secure. Attackers can more easily trick users because they do not want to waste time on prompts, warnings, having to log into separate applications, remembering multiple passwords etc.
Users seek a hassle-free experience without interruptions or flaws like those that security apps might impose, such as by blocking malicious activity.
Security training—including outlining the dangers and risks of being complacent is essential.
Mobile devices are at risk due to their very nature of being portable. Their comparatively small size and lack of physical security renders them susceptible to loss or theft and are harder to track if the operating system has been wiped and SIM card removed.
Always maintain control of your phone such keeping them on your person rather than in a purse or bag and make sure you know how to use Find my iPhone, Google’s Find my Phone, or some similar service.
Don’t use mobile devices in public, where confidential information might be observed by unauthorized individuals—including passwords or access codes. If your phone is stolen while unlocked, access to the contents becomes immediately available.
RISKY DEVICE CONFIGURATION
Mobile devices usually run with administrator rights and rarely use anti-malware protection, particularly in the case of consumer devices permitted for company use, such as in a BYOD arrangement.
Stored data may be unencrypted, particularly on external micro-SD cards, which can put information at risk even with controls such as password requirements or biometric readers. Mobile device management solutions can help centralize and enforce security controls on these devices, but they are not without certain limitations and challenges. Enforce strong passwords and storage encryption on mobile devices.
Phishing attacks are problematic on mobile devices due to the small and narrow screens that won’t display fake URLs / domains on mobile browsers, since you can’t hover the mouse pointer over a link to show the actual location it represents.
Mobile users should be especially cautious opening links through email and may want to refrain from doing so until they can access their desktop or laptop system for a better analysis of the email.
UNAUTHORIZED ICLOUD/GOOGLE ACCOUNT ACCESS
Gaining access to an iCloud or Google account that controls the mobile device via the App Store/Play Store represents the keys to the kingdom: confidential data, credit card information, and more. An attacker with a compromised iCloud account can access the iCloud backups of the iDevice and recover data belonging to all apps on a mobile device, including messages, contacts, and call logs. Use complex passwords for iCloud/Google accounts that are frequently rotated and have associated security questions that can’t be researched or easily guessed.
SMS/text messaging do not offer sufficient filtering capabilities. An attacker can easily phish thousands of users within an hour. Phone number spoofing gives an attacker an additional edge here. If the attacker can spoof the short text message number your bank uses to communicate with you, it’s quite likely that you’ll take it seriously.
Always call the institution directly to find out whether the text message is legitimate; don’t reply to requests for credentials or confidential data.
MALICIOUS WI-FI NETWORKS
These networks, offered by malicious individuals, require the use of a portal that asks users to sign in with a Google or Facebook account that then provides them access to the user credentials involved. Since many users employ the same passwords across multiple apps, this can result in a serious series of data breaches.
A particularly hazardous variation of this threat involves these malicious networks being set up next to financial institutions and asking users to sign in with their bank username/password to gain internet access. Never use an unknown public network that demands your personal credentials to obtain access.
For more information on security for mobile devices call us on 1300 796 246 or fill out the form below.