By: Avidan Weiser, Product Manager
Awareness is defined as “concern about and well-informed interest in a particular situation or development”. In a world where a mobile device is in every hand, companies live in constant concern that employees may unknowingly harm the companies they work for by sharing, or allowing access to, company resources through their mobile devices.
This concern was validated in the past year, when mobile campaigns and attacks resulted in billions of dollars in damages, ranging from ransomware attacks on hospitals to phishing campaigns against the employees and executives of large corporations.
Now, most companies and organizations would say “we need another security solution, so this won’t happen to us”. Unfortunately, the truth is that adding another solution may not do the job, because the problem still exists. The employee may still unknowingly open the company’s systems up to the attacker through their mobile devices.
This is where awareness comes into the picture. Employees need to be aware that their mobile device is a vulnerable endpoint that can harm their employer and cause significant damage: the very device on which they use company resources can open the door to losses of millions of dollars. By raising employee awareness of the risks and vulnerabilities, up to a third of cyber-attacks launched against organizations and companies through mobile devices can be prevented.
This can no longer be denied or ignored. Companies must ensure that their employees are well-informed about mobile threats and know how to handle the situations that may develop, thereby ensuring the company’s security. This all begins with AWARENESS.
1. Downloading mobile apps from 3rd party sources
Google Play and the Apple App Store both have a security screening system to ensure that the apps they offer are compliant and safe for users. If a malicious app is detected, it is immediately removed from the store. The real problem arises when users decide to install apps from a third-party source. That source may be something sent by a friend to “check out a new app” or to share a premium version of an application they “found online”, or it may be another app store that seems to offer a wider selection, or apps not available in the user’s country. These are some examples of how malicious apps are distributed as free online content.
Be aware of the apps you allow on your device, just as you would check who is entering your home and what they intend to do there. Check every app you allow on your mobile device, including the access and data it requests.
2. Phishing
Phishing is an attempt to gain access to sensitive information, such as login credentials and credit card details, by posing as a trustworthy sender or site. Most companies have filters in place to block phishing emails that try to get users to hand their credentials to attackers. However, even with these filters in place, if you receive an email from your boss saying that he is ‘stuck in Namibia’ and needs you to send him money, or that he forgot his login password and wants you to send him yours, there is probably something phishy going on. Reports show that phishing email attacks increased by hundreds of percent in 2017, and in 2016 two thirds of organizations reported being victims of phishing attacks.
Employees should be aware that not every email or website can be trusted. They need to use their judgment and look at the context of the emails they receive. If something doesn’t make sense, they should not rationalize it, but question it!
3. Unsecured WiFi networks
Most people do not consider WiFi security and assume that whatever they do on their device, whether checking email or social media, is secure. What they don’t consider is the security of the wireless network to which they are connecting. You can be sitting at a coffee shop working, unknowingly connected to a WiFi network on which a hacker or third party is intercepting the data you are sending. This is an oversimplification of the concern, as there are many types of attacks that can be performed on wireless networks, but it shows that there is a significant need for more education on this subject.
You own your mobile device and the data on it, but you do not own all the networks to which your device connects. You need to be aware that the network you are connected to may not be secure. Ask yourself: ‘Why doesn’t this network have a password?’, ‘Why is it “FREE”?’, ‘Is this really the coffee shop’s network?’, ‘Does the name make sense?’. Then ask whether you should be logging in to the corporate database, or sending emails with sensitive data, on a network that is ‘Free’. This is a first step to protecting your company when you are in public.
4. Pass Lock
Most people already have some type of pass lock on their device, using a PIN, password, fingerprint or even face recognition. Having such a measure in place in case your phone is stolen or lost protects the corporate data on the device, in some cases for long enough to allow IT to remove the data remotely. Most companies already have policies requiring employees to set a password on any device that is connected to company resources.
Awareness in this case means treating all company data and files on your device as something that must be protected. In the same way money is transported in an armored vehicle, your company’s data needs to be secured when it leaves the office.
5. Security patches
No device is built without flaws, and the same goes for operating systems. Manufacturers and software companies do their best to patch security holes and ship the fixes to customers as fast as possible. We must be aware that if we don’t apply these patches, we leave our devices and our company’s data open to breach and risk.
6. Rooted/Jailbroken devices
It’s a hacker’s dream come true to gain access to and control over the sub-systems of a mobile device’s operating system. A rooted or jailbroken device hands the hacker the ‘Keys to the Kingdom’: they can access and do almost anything on the device. When employees know that their device is rooted or jailbroken, they should contact the IT administrator so that the appropriate measures can be taken.
To sum up, companies need to acknowledge that mobile is no longer only a consumer environment. Employees own their devices, but not the company data on them.
By raising awareness of mobile risks and threats, you help close the gap between mobile devices being seen only as a personal asset and being recognized as a potential target for cybercriminals, thus improving your company’s or organization’s security.