Mobile devices are powerful because they are “mobile” – they can move around and interact with many environments and systems.
This strength is also a weakness. As they move, smartphones and tablets can be exposed to more security threats than stationary hardware, such as desktops.
When small businesses welcome the devices onto their networks, they also welcome the added risk of mobile security threats. If not carefully managed, they can put the company’s systems and data in jeopardy.
See the top seven types of mobile threats below and how to prevent them, via the NIST guidelines on mobile security in the enterprise.
Most small businesses have a “bring your own device” policy that allows employees to bring personal smartphones or tablets into the office.
Unfortunately, personal mobile devices are often insecurely configured or improperly maintained.
Vulnerabilities may include:
The best approach to these security threats is to assume all personal mobile devices are insecure.
Tips to manage them on small business networks:
Portable technology adds massive convenience to our lives and businesses – but it’s also convenient for thieves.
Smartphones can easily slip into a thief’s pocket. Desktops, servers, and even laptops are much harder to sneak away.
Also, mobile devices are left everywhere – including in cars, hotel rooms, and restaurants. This creates more opportunities for a device to be stolen than if it were left locked in an office building.
Assume It Will Be Stolen
Start with the assumption that any mobile devices that connect to your network or handle your data will one day reach the hands of a malicious party.
Mobile security tips to mitigate the risk:
Mobile devices – particularly smartphones – can access the internet in at least two ways:
If a device is owned by an employee, the organization has no control over its cellular data connection.
Without any way to ensure the cellular network is secure, it’s best to consider it untrusted and exposed to man-in-the-middle attacks and other mobile security threats. Any data transmitted on the network is at risk.
Mobile devices that are allowed to leave the office – such as those taken home or on the road – are also exposed to unknown wireless networks. These networks must not be trusted, either.
A few ways to mitigate the risks of access to untrusted networks:
The manufacturers of mobile devices and operating systems make it easy to install applications.
This is at odds with security principles, which treat unnecessary applications as unnecessary risks. Each is a potential avenue for malicious actors to compromise a device and the resources it can access.
As with the above topics, assume third-party mobile applications cannot be trusted.
Security practices for handling mobile apps:
Users can also access web-based applications through web browsers. Yet again, you should assume these applications are unsafe.
Security tips to handle browser-based apps:
Mobile devices have thousands of uses – many of which require connecting to another system, such as by:
Even plugging a device into a charging station exposes it to another system.
Many of these systems – whether the workstations, mobile devices, or other services – are not under the organization’s control.
That means (you guessed it) you should assume they are a security threat and will expose the organization’s data to an insecure environment.
Steps you can take:
Mobile devices can interface with the real world in a number of ways. One of them is with QR codes.
By using a device’s camera, a user can scan a QR code to trigger an action on the device. Usually a web browser opens and navigates to the encoded URL.
QR codes are easy to make and can point to any given URL, whether benign or malicious. Since they are rarely used in small businesses, you can take steps to limit or prohibit their use:
Most mobile devices include GPS, which can share the device’s location with allowed services.
This can be a boon for security. GPS can be used to deploy location-based security policies, which can apply different security controls based on whether the device is in the office or another location.
If accessible to would-be attackers, GPS can also be a powerful tool, indicating the location of the device and the behavior of its owner – such as the people and systems the person can physically access.
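The location-based policy idea above, sketched as an added example (not code from this article or the NIST guidelines). The office coordinates, radius, thresholds and policy contents are constructed assumptions; a missing, stale or imprecise fix falls back to the stricter off-site controls.

```python
import math
from dataclasses import dataclass
from typing import Optional

# Constructed sample values (assumptions): office position, geofence radius, thresholds.
OFFICE_LAT, OFFICE_LON = 40.7128, -74.0060
OFFICE_RADIUS_M = 150.0
MAX_FIX_AGE_S = 120.0    # an older fix is treated as "location unknown"
MAX_ACCURACY_M = 50.0    # a fix less precise than this cannot place the device

# Hypothetical control sets; real values come from your own device policy.
POLICIES = {
    "office": {"require_vpn": False, "allow_file_shares": True, "screen_lock_s": 300},
    "remote": {"require_vpn": True, "allow_file_shares": False, "screen_lock_s": 60},
}

@dataclass
class Fix:
    """One location report from a device."""
    lat: float
    lon: float
    accuracy_m: float  # reported error radius in metres
    age_s: float       # seconds since the fix was taken

def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two points."""
    r = 6371000.0  # mean Earth radius
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def zone_for(fix: Optional[Fix]) -> str:
    """Return "office" only when the device is provably inside the geofence."""
    # Fail closed: no fix, a stale fix or an imprecise fix is handled as off-site.
    if fix is None or fix.age_s > MAX_FIX_AGE_S or fix.accuracy_m > MAX_ACCURACY_M:
        return "remote"
    d = haversine_m(fix.lat, fix.lon, OFFICE_LAT, OFFICE_LON)
    # The whole error circle must fit inside the fence, not just its centre.
    return "office" if d + fix.accuracy_m <= OFFICE_RADIUS_M else "remote"

def policy_for(fix: Optional[Fix]) -> dict:
    """Select the control set for a device's current location report."""
    return POLICIES[zone_for(fix)]
```

Because the device reports its own location, this check is suited to relaxing convenience settings on-site, with off-site controls as the default.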
Steps you can take: