7 Tips to Improve Your Employees' Mobile Security
Security experts discuss the threats putting mobile devices at risk and how businesses can better defend against them.
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt7879049de28e0314/64f0d35af169c52c04886adf/MobileSecSSIntro.jpg?width=700&auto=webp&quality=80&disable=upscale)
Most organizations support a bring-your-own-device (BYOD) protocol in which employees use their personal mobile devices in lieu of corporate-owned ones. But it's a mixed bag: Enterprise-owned devices offer more control over security; however, the business incurs the expense and full liability for them. BYOD puts the burden of buying devices on employees, but it could present a greater risk to the company.
"A bit of a trade-off has to happen, as they're managing an aspect of something that is personally owned by the employee, and they're using it for all kinds of things besides work," says Sean Ryan, a Forrester analyst serving security and risk professionals.
On nights and weekends, for example, employees are more likely to let their guards down and connect to public Wi-Fi or neglect security updates. Sure, some people are diligent about these things, while some "just don't care," Ryan adds.
This attitude can put users at greater risk for phishing, which is a common attack vector for mobile devices, says Terrance Robinson, head of enterprise security solutions at Verizon. Employees are also at risk for data leakage and man-in-the-middle attacks, especially when they hop on public Wi-Fi networks or download apps without first checking requested permissions. Mobile apps are another hot attack vector for smartphones, used in nearly 80% of attacks.
A major challenge in strengthening mobile device security is changing users' perception of it. Brian Egenrieder, chief risk officer at SyncDog, says he sees "negativity toward it, as a whole."
"I think there's just an overwhelming trust, where that trust probably hasn't been deserved just yet, in how your data is protected and how your device is protected," he explains.
Most security professionals have to walk a fine line between securing devices and providing a seamless user experience. "There is this uneasy relationship between trying to make things user-friendly and not add a lot of friction," Ryan says. Mobile security policies should be stringent enough to protect the devices but not cumbersome to employees.
Here, these three security experts share their advice for security managers seeking to improve the security of their employees' mobile devices. Have any tips you don't see here? Feel free to share them in the Comments section, below.
Data leakage can occur in multiple ways, and most people are guilty of it: You download an app, get it up and running, skim through the end user licensing agreement (EULA), and don't realize you're enabling the app to have access to your contacts, camera, microphone, and/or a "whole host" of other capabilities and information, Verizon's Robinson says.
"Think about what you're actually enabling as it relates to applications," he continues. "Does a horoscope application really need access to your contacts?"
The other side of data leakage occurs around shadow IT. Employees often download PDF viewers, collaboration tools, and other productivity software without realizing they've agreed to their data being stored elsewhere, even offshore. "Are you OK with authorizing a third party to have access to that data?" Robinson adds. Employees should assume all their data is being stored elsewhere; if they do, they may act differently than they would if they believed their data were kept private.
He also cautions against using free applications, pointing to social media apps' data harvesting as an example of how these companies monetize. With free apps, there's a greater probability of accessing malicious content you didn't mean to access. "Things are a little tighter when you're actually paying for an application," Robinson says of security practices.
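The permission review Robinson describes can be made routine rather than left to each employee's judgment. The following is an added example, not code from the article or from any vendor: it parses the `uses-permission` entries of an Android manifest and flags sensitive permissions that the app's category does not plausibly justify. The manifest is a constructed sample for a hypothetical horoscope app, and the per-category expectation table is an illustrative policy of our own, not an Android or app-store list.

```python
"""Added example: flag Android app permissions that an app's category
does not plausibly justify (the article's "does a horoscope app really
need your contacts?" check, made mechanical).

Assumptions: SAMPLE_MANIFEST is constructed; EXPECTED_BY_CATEGORY is an
illustrative policy table, not a vendor-published one."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed manifest for a hypothetical horoscope app that asks for far
# more than a horoscope needs.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.horoscope">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

# Android runtime ("dangerous") permissions that guard personal data or sensors.
SENSITIVE = {
    "android.permission.READ_CONTACTS",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
    "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG",
}

# Illustrative policy (our assumption): sensitive permissions each app
# category can plausibly justify. Anything sensitive outside this set is
# a review finding.
EXPECTED_BY_CATEGORY = {
    "horoscope": set(),
    "messaging": {
        "android.permission.READ_CONTACTS",
        "android.permission.CAMERA",
        "android.permission.RECORD_AUDIO",
    },
    "navigation": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
}


def requested_permissions(manifest_xml):
    """Return the sorted list of permission names declared in the manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return sorted(
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    )


def unjustified_permissions(manifest_xml, category):
    """Sensitive permissions requested that the category does not justify."""
    expected = EXPECTED_BY_CATEGORY.get(category, set())
    requested = set(requested_permissions(manifest_xml))
    return sorted((requested & SENSITIVE) - expected)


if __name__ == "__main__":
    for perm in unjustified_permissions(SAMPLE_MANIFEST, "horoscope"):
        print("review:", perm)
```

Run against the constructed manifest as a horoscope app, the audit reports contacts, camera, microphone and precise location; classified as a messaging app, only the location request remains unexplained. Non-sensitive permissions such as `INTERNET` are never flagged, which keeps the output focused on the data-leakage question rather than on noise.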
Businesses often don't enforce password or biometric locking when a device hasn't been used for a certain time frame. "That's opening the individual and the business up to a lot of potential damage if the device is lost or stolen," Forrester's Ryan says, noting someone could access a corporate network. "Make sure you're locking access to the device and controlling access to the device."
Simple passwords and easily guessed PINs can put an enterprise at risk, he adds. Employees should be using stronger methods to lock devices and multifactor authentication to log into business applications. All mobile devices that access corporate data should be under some form of management as part of the general device usage policy. "We have a philosophy of 'separate the data from the device, separate corporate data from personal data,'" SyncDog's Egenrieder says.
Employees frequently reuse the same password, he notes. While enforcing monthly or quarterly password changes can be helpful, many attackers bypass them altogether. "The general truth is that most of the attacks and malware are getting around the password as a whole," Egenrieder explains. Many people think they're safe if an attacker can't guess their passwords, indicating a general lack of awareness of what attackers are truly capable of doing.
Phishing attacks have swarmed to mobile devices for two reasons: One, there are multiple ways to phish people outside email; two, people aren't as diligent on their phones.
Most organizations teach employees to spot phishing emails but don't provide the same training for other applications. If a fraudster poses as a LinkedIn recruiter and messages a victim with a job opportunity, the recipient is likely to click on an attachment promising more details.
"People just have a different relationship with the device," Verizon's Robinson says. "There's no other work device that's pretty much with you all the time ... people have a different sense of entitlement as it relates to these devices." He advises employees to be more aware of phishing attacks arriving in different applications and for employers to provide more comprehensive awareness training.
Public Wi-Fi appeals to users because it's usually faster, spares their monthly cellular data allowance, and can carry more traffic. The downside is it leaves traffic open and unencrypted, Forrester's Ryan points out.
The problem isn't as bad as it used to be, Verizon's Robinson says. Verizon's upcoming "Mobile Security Index" found the number of users relying on Wi-Fi dropped about 10% between 2019 and 2020. However, 26% are still using Wi-Fi for work tasks even when the organization prohibits it, which is especially a concern if the employee isn't using a VPN.
"Limit public Wi-Fi use and use cellular instead," he advises managers and end users. Cellular networks provide stronger security and are safer than public Wi-Fi, even public Wi-Fi used with a VPN.
With smartphones, and especially in a BYOD enterprise, security managers should take a "much more application-specific" approach to security. Because they own corporate laptops, businesses have greater control over how software is managed and updated.
"When you have BYOD, there are multiple operating systems," Forrester's Ryan says. While most devices run iOS or Android, there are several different versions of each OS -- especially on Android. "How do you ensure all of those users are doing their updates and patches to their devices?" he asks.
Tools and mobile device management platforms can enforce a company's policies -- for example, locking people out of corporate apps on devices that aren't updated. Robinson advises teaching employees to regularly update their applications, as unpatched vulnerabilities may put them at risk.
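The enforcement the experts describe in the locking and update passages above (an idle-timeout screen lock, multifactor authentication for business apps, and blocking corporate apps on devices that aren't patched) is what an MDM or conditional-access compliance rule evaluates. The following is an added example, not code from the article or from any MDM product: it checks a small device inventory against such a policy and produces an allow/block decision per device. The field names, thresholds, the fixed evaluation date and the inventory are all constructed assumptions.

```python
"""Added example: evaluate a mobile device inventory against a compliance
policy of the kind the article describes (screen lock with idle timeout,
MFA enrolment, minimum OS version per platform, maximum patch age) and
decide whether each device may reach corporate apps.

Assumptions: POLICY thresholds, the Device fields, EVAL_DATE and the
INVENTORY records are constructed; no vendor's schema is implied."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Illustrative policy (our assumption, not a recommendation from the article).
POLICY = {
    "max_autolock_seconds": 300,            # must lock after at most 5 min idle
    "min_os_version": {"iOS": "16.0", "Android": "12"},
    "max_patch_age_days": 90,
    "require_mfa": True,
}

# Fixed "today" so the results are reproducible (constructed).
EVAL_DATE = date(2024, 1, 15)


@dataclass
class Device:
    device_id: str
    platform: str                    # "iOS" or "Android"
    os_version: str                  # e.g. "16.4"
    autolock_seconds: Optional[int]  # None = no screen lock configured
    mfa_enrolled: bool
    last_security_patch: date


def parse_version(text):
    """Turn '16.4' or '12' into a 3-tuple so versions compare correctly
    even when one side omits trailing components ('12' vs '12.0')."""
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


def violations(dev, policy=POLICY, today=EVAL_DATE):
    """Return the list of policy rules the device fails (empty = compliant)."""
    problems = []
    if dev.autolock_seconds is None:
        problems.append("no screen lock")
    elif dev.autolock_seconds > policy["max_autolock_seconds"]:
        problems.append("autolock too long")

    minimum = policy["min_os_version"].get(dev.platform)
    if minimum is None:
        problems.append("unsupported platform")
    elif parse_version(dev.os_version) < parse_version(minimum):
        problems.append("os below minimum")

    if (today - dev.last_security_patch).days > policy["max_patch_age_days"]:
        problems.append("security patch too old")

    if policy["require_mfa"] and not dev.mfa_enrolled:
        problems.append("mfa not enrolled")
    return problems


def access_decisions(devices, policy=POLICY, today=EVAL_DATE):
    """Map device id -> 'allow' or 'block' for corporate app access."""
    return {
        d.device_id: "allow" if not violations(d, policy, today) else "block"
        for d in devices
    }


# Constructed inventory: one compliant device, one that fails everything,
# one that only fails the idle-lock rule.
INVENTORY = [
    Device("ios-01", "iOS", "17.2", 120, True, date(2023, 12, 20)),
    Device("and-02", "Android", "11", None, False, date(2023, 6, 1)),
    Device("ios-03", "iOS", "16.1", 900, True, date(2023, 11, 30)),
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev.device_id, access_decisions([dev])[dev.device_id], violations(dev))
```

The point of returning the full list of violations, rather than a single boolean, is that the block message shown to the employee (or the ticket raised for the help desk) can say exactly which setting to fix; a bare "non-compliant" verdict is the kind of friction Ryan warns against. Android 12 is deliberately handled by the version padding: without it, a tuple comparison of `(12,)` against `(12, 0)` would wrongly fail a device that meets the minimum.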
One simple way that employees can improve their device security is by avoiding public chargers, especially USB-based ones. "In many scenarios, you don't know what you're going to get ... something can get pushed to the device without your knowledge," Verizon's Robinson says.
Forrester's Ryan also suggests leaving alone any stray charger or USB cable found lying around an airport or coffee shop. "Cybercriminals have started loading malware on these and leaving them around in public places," he says.
Many organizations think their current approach to mobile device security is fine, says Verizon's Robinson. Another finding from Verizon's forthcoming "Mobile Security Index" shows an increase in the number of organizations that say they can spot misuse, which jumped from 79% in 2019 to 83% in 2020.
Organizations are doing more device management, which is good, but they also assume they're good to go -- which is often not the case. "Unless you have active monitoring, you're still going to be at risk, even when you have some form of endpoint management in place," Robinson adds.
Currently, only about 44% of enterprises have some type of acceptable use policy as it relates to smartphones. "That's something that's really critical," Robinson continues. It should be part of any policy: Do you want smartphones to be for personal and corporate use, or just corporate? All mobile devices accessing corporate data should be under some form of management.