Business mobile phone security threats: are you safe?


Mobile devices are absolutely everywhere, and Ofcom has gone as far as to declare the UK a full-blown ‘Smartphone Society’. They can’t be far wrong, as now 76% of the UK adult population own one (according to Deloitte). 10 years ago, Mobiles were small gadgets used for little more than sending SMS messages, and now they’re powerful, multi-functional devices capable of so much more.

Sure, desktops have got more powerful over the years, but no technology has evolved like Mobiles - they’re now mini-computers in their own right: offering an intuitive user-experience, thousands of apps, always-on connectivity and (most impressively) complete mobility; it’s no surprise that uptake is showing no signs of slowing. This groundbreaking trend in favour of Mobile, combined with more sensitive data being hosted in the cloud, means that securing data needs a new set of tools and security strategies. A recent BT survey found 40% of UK businesses had suffered a security breach from BYOD (bring your own device) Mobile Phones in 2014.

Top Business Mobile Phone security considerations

There are only two — but both absolutely fundamental — reasons why new strategies are vital to dealing with business phone security threats.

1. Reduced level of IT control

Mobile adoption in business is being driven by the consumer, much in part because Mobile is all about the end user. Consumers have the pick of Mobile platforms and a wide choice of apps to help them stay productive. This is a huge contrast to desktops, which can be configured by IT to limit access and application usage.

It’s virtually impossible to enforce a single Mobile OS, device, and whitelisted apps across a whole business. Also, more often than not, locking down devices is a strategy met with friction, and followed by attempts to bypass policies - thus defeating the very objective!

2. Outdated security methods are obsolete

To explain this, we need to get a little technical. Desktop operating systems adopt an agent-based security method. This works well because a piece of software placed on the desktop can control the processes and data belonging to all other applications.

Sadly, this method does not translate to Mobile devices because of fundamental differences in the way their operating systems are designed. Mobile operating systems are built around a sandboxed architecture that isolates apps and their associated data, which can only interact and share data through well-defined mechanisms.

This means Mobile operating systems have inherently greater security levels than desktop ones, but additional tools are required to leverage and improve specific security capabilities.

Mobile attack vectors

Firstly, let’s run over what an attack vector is. TechTarget defines this as being:

“…a path or means by which a hacker can gain access to a device or network server in order to deliver a payload or malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities, including the human element…”

Trends such as BYOD (bring your own device) are only accelerating the usage of Mobile devices in day-to-day business. As a result, businesses are being exposed to increasing security risks and threats, and hackers have a much wider surface area in which to seek out potential breaching opportunities.

Mobile security threat vectors can be summarised into three categories:

Device based threat vectors

As Mobile Devices are used for business email, data access, and data sharing, all through different applications, devices provide quick access to large amounts of sensitive data. This data could be compromised by:

  • Always-on connectivity which could allow unauthorised access to data
  • The small size and high value of Mobile devices, which make them susceptible to theft and loss
  • Software vulnerabilities that allow “jailbreaking” or “rooting” of devices which can compromise data

Network based threat vectors

The main attraction of smartphones is that they’re continuously connected - and require data connections to work seamlessly. As a result, the enticing prospect of free Internet via an unsecured public network may be too much to resist. Network threat vectors exist in the form of:

  • Wi-Fi sniffing tools
  • Sophisticated Man-in-the-Middle (MitM) attacks
  • “Rogue” access points

User based threat vectors

Mobile empowers the end-user. Often well-meaning users will engage in risky behaviours that could compromise business data by:

  • Using malicious apps
  • Using unapproved apps to share and sync sensitive data
  • Using unapproved productivity apps that save copies of business data
  • Jailbreaking/ rooting devices to bypass security measures

All of the listed threat vectors are also applicable to laptops, but as Operating Systems & Apps are different, purpose-built security platforms must be utilised to mitigate security risks.

Data loss prevention countermeasures

Implementing countermeasures to prevent data loss and enhance security on a Mobile device requires a layered approach.

This layered approach can be implemented by using the following methods in unison. We have created a short list of sub-actions to achieve superb security for your Mobile applications:

Secure the operating system

  • Sandbox apps to stop malware from accessing device data
  • Allow access only to specific app stores
  • Restrict jailbreaking/rooting
  • Apply OS patches as soon as they are made available

Authentication

  • Remotely configure passwords
  • Auto-wipe device after a defined number of failed authentication attempts
  • Enforce identity for business applications

Remote wipe

  • Company owned device = wipe all data
  • Employee owned device = only wipe business data

Encryption

  • Encrypt all business enterprise data

Data sharing

  • Set “do not allow” commands for business email – forwarding/ opening of attachments in unauthorised apps/ screenshots etc.
  • Set “do not allow” commands for business apps - copy & paste/ backups etc

Application lifecycle management

  • Prevent download of rogue apps
  • Blacklist unauthorised apps
  • Whitelist authorised apps
  • Publish, distribute and update business apps

Secure browsing

  • Allow secure access to web apps located behind firewall
  • Prevent data loss of downloaded documents and cached web content
  • Protect against “drive-by” malware browser attacks
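To show how these layers combine into one decision per device, here is an added example (not code from this article or from any vendor platform). The thresholds, store names, app identifiers and action names are assumptions, and scoping the auto-wipe by device ownership is one way of combining the Authentication and Remote wipe items above.

```python
from dataclasses import dataclass, field

# Hypothetical policy values: the article names the controls but sets no numbers.
MAX_FAILED_UNLOCKS = 10
ALLOWED_APP_STORES = {"apple-app-store", "google-play"}
BLACKLISTED_APPS = {"com.example.filesync"}  # constructed identifier

@dataclass
class Device:
    owner: str            # "company" or "employee"
    rooted: bool          # jailbreak/root detected
    encrypted: bool       # business data encrypted at rest
    failed_unlocks: int   # consecutive failed authentication attempts
    patches_pending: int  # OS security updates available but not installed
    app_sources: set = field(default_factory=set)
    apps: set = field(default_factory=set)

def wipe_scope(device):
    # Remote-wipe rule: company-owned = all data, employee-owned = business data only.
    return "all_data" if device.owner == "company" else "business_data_only"

def evaluate(device):
    """Check each layer independently, then pick the strictest applicable action."""
    findings = []
    if device.rooted:
        findings.append("jailbroken_or_rooted")
    if not device.encrypted:
        findings.append("business_data_not_encrypted")
    if device.patches_pending:
        findings.append("os_patches_pending")
    if device.app_sources - ALLOWED_APP_STORES:
        findings.append("unapproved_app_store")
    if device.apps & BLACKLISTED_APPS:
        findings.append("blacklisted_app_installed")
    if device.failed_unlocks >= MAX_FAILED_UNLOCKS:
        action = "wipe:" + wipe_scope(device)
    elif device.rooted or not device.encrypted:
        action = "block_business_apps"
    elif findings:
        action = "notify_user"
    else:
        action = "allow"
    return findings, action

# Constructed sample devices.
BYOD_PHONE = Device("employee", False, True, 10, 0, {"google-play"}, {"com.example.mail"})
CORP_TABLET = Device("company", True, True, 0, 0, {"sideload"}, {"com.example.mail"})

if __name__ == "__main__":
    for d in (BYOD_PHONE, CORP_TABLET):
        print(d.owner, *evaluate(d))
```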


Conclusion

There’s pressure on IT staff to support new Mobile operating systems, the latest apps, and new device features, but what many of your colleagues neglect to realise is the importance of securing data viewable on these smart devices.

It may seem like an impossible task to manage all of your mobile security policy & procedure, but it’s important to 1) not panic and 2) not rush into supporting the newest mobile technologies when you’ve not got the security protocol in place to manage them.

Immervox has specific security management platforms for Mobile, so IT managers can easily set up and manage their business’s mobile security needs. Layered security controls are vital to mitigating the risk of data loss on both business-owned and personally-owned devices.

Ultimately, managing and sweeping up after a major data/security breach incurred via a mobile device is much more of a challenge than pro-actively managing Mobile security. Save yourself a disaster by staying on top of your security procedures to limit the possibility (and limit the consequences) of any attack.
