While the average worker has grown as comfortable using mobile devices as desktop computers, security teams have yet to catch up. Mobile devices have emerged in recent years as the leading platform for cybercrime and cybersecurity threats against organizations. However, organizations are still working to protect these relatively new additions to enterprise networks, especially since they often contain a mixture of business and personal data.
Some of the biggest mobile security threats companies are seeing recently include:
- Phishing Threats: In the past, phishing attacks largely took place by email. Today, they’re primarily happening through mobile channels, such as text messaging (SMS), Facebook Messenger, WhatsApp and phony websites that look legitimate, including some that even start with the secure HTTPS extension. Spear phishing is also a rising threat as hackers target specific employees or organizations through mobile devices in order to gain access to sensitive data.
- Mobile Malware: Every website visited or link clicked has the potential to infect mobile devices with malware, such as spyware, ransomware, Trojan viruses, adware and others.
- Fake Public Wi-Fi Networks: Many mobile workers today use public Wi-Fi networks at coffee shops, airports, restaurants and other locations whenever they’re working outside the office. Because most cybercriminals are aware of this, they often leverage these networks to trick mobile users into connecting to fake Wi-Fi networks, placing data at risk. What’s worse is, even when a company does have a policy in place against using public Wi-Fi networks, 81% of employees admit they still use them anyway.
- Malicious Apps: The world is full of software applications that can either be used over the internet or downloaded from websites, Apple App Store or Google Play. Many of these applications are legitimate and safe to use, but there are also thousands that aren’t. Thus, downloading an app or granting an app permission to access functions on a mobile device may expose the user’s company to a host of security and privacy risks. Some apps even collect data without asking the user for permission.
- Data Leaks: Data leaks occur with any unauthorized or unintentional transfer of data from inside an organization to an external party or destination. These leaks can range from someone inside a company accidentally transferring confidential or sensitive data to a public cloud, instead of a private one, all the way to an attacker or a disgruntled employee deliberately stealing the company’s data. Mobile devices, which often contain a mixture of business and personal data, make it even easier to blur the boundaries around enterprise data inadvertently or purposefully.
Even though these threats are real and continue to grow every day, most companies still don’t have robust security in place to protect and defend themselves and their mobile users.
To overcome the challenges of mobile security threats, companies must:
1. Take proactive steps to safeguard mobile devices and users:
- Ensure the company employs IT people who have both the mobile and security skills needed.
- Help employees keep mobile operating systems and security patches up to date.
- Add antivirus software and data loss prevention (DLP) tools to mobile devices.
- Provide employees with better and easier ways to work besides connecting to unsecure public Wi-Fi networks, such as by finding virtual private network (VPN) replacements.
- Ask employees to carefully review app permissions before giving them access, and delete applications or disable permissions that may be considered high risk or could be misused.
- Encourage or require employees to use multi-factor authentication (MFA) tools when connecting to the corporate network on their mobile and personal devices.
- Keep up to date on the ever-changing mobile security threat landscape.
- Consider creating an awareness program to bring security to the forefront of employees’ minds, keeping them actively thinking about security threats as they use their mobile devices and providing best practices to ensure sensitive data is protected.
2. Put a more modern architecture and comprehensive security solution in place that will:
- Provide mobile users with secure access to their company’s network and applications without having to continually connect and disconnect.
- Control and limit access to the company’s network and applications based on device characteristics, such as operating system, patch level, presence of required endpoint software and so on when accessing sensitive applications.
- Allow the company to continually view and inspect traffic to identify and stop any unauthorized or malicious activity.
- Enable the company to apply its security policies across multiple environments.
- Help enforce threat prevention and block malware.
Evin Safdia - 15 October 2019
Do you want to learn more about this subject, or do you have specific questions? Don't hesitate and reach out! Speak with a solutions expert or architect. Give us a call or leave a message. Our team of Palo Alto Networks technical experts are ready for your inquiries.
Technical Marketing Manager, Palo Alto Networks