Mobile devices are powerful because they are “mobile” – they can move around and interact with many environments and systems.
This strength is also a weakness. As they move, smartphones and tablets can be exposed to more security threats than stationary hardware, such as desktops.
When small businesses welcome the devices onto their networks, they also welcome the added risk of mobile security threats. If not carefully managed, they can put the company’s systems and data in jeopardy.
The seven types of mobile threats below, and the ways to prevent them, follow the NIST guidelines for managing mobile devices in the enterprise (NIST SP 800-124).
Mobile Security Threat #1. User-Managed Devices
Most small businesses have a “bring your own device” policy that allows employees to bring personal smartphones or tablets into the office.
Unfortunately, personal mobile devices are often insecurely configured or improperly maintained.
Common problems include:
- Malware infections
- Rooted or jailbroken operating systems
- Apps downloaded from shady, third-party sources
- Unpatched and obsolete software
The best approach to these security threats is to assume all personal mobile devices are insecure.
Tips to manage them on small business networks:
- Restrict or prohibit BYOD devices on the network. Allow access to only low-risk environments, such as guest wifi on an isolated network
- Require a secure sandbox for BYOD devices to perform any company-related business
- Securely configure company-provided devices before deployment (more tips on this below)
- Periodically scan devices and review their configurations
Mobile Security Threat #2. Theft and Loss
Portable technology adds massive convenience to our lives and businesses – but it’s also convenient for thieves.
Smartphones slip easily into a thief’s pocket. Desktops, servers, and even laptops are much harder to sneak away.
Also, mobile devices are left everywhere – including in cars, hotel rooms, and restaurants. This creates more opportunities for a device to be stolen than if it were left locked in an office building.
Assume It Will Be Stolen
Start with the assumption that any mobile devices that connect to your network or handle your data will one day reach the hands of a malicious party.
Mobile security tips to mitigate the risk:
- Require authentication (a PIN, password, or biometric) to unlock the device
- Automatically lock after a short period of inactivity, such as five minutes
- Encrypt stored data and enable remote wipe, as the NIST guidelines also recommend; a lock screen alone does not protect data on a device the attacker physically holds
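The two sections above (user-managed devices, and theft and loss) both come down to checking a device's posture before it is admitted to the network. The script below is an added example for this article, not the article's own code, not NIST's, and not any MDM product's. It assumes each device record is a posture report from an MDM agent with the fields shown; the minimum OS versions, allowed app sources, sample devices and app names are hypothetical. Root, jailbreak and sideload flags are self-reported by the device, so they are best effort: a compromised device can lie.

```python
"""Device-posture check for admitting mobile devices to a network.

Added example; not from the article, from NIST SP 800-124, or from any
MDM product. Device records are assumed to be MDM posture reports with
the fields used below; the policy baseline and sample devices are
hypothetical. Root/jailbreak and sideload flags are self-reported by the
device, so treat them as best effort: a compromised device can lie.
"""

# Hypothetical policy baseline; real values come from your patch baseline.
MIN_OS_VERSION = {"android": (13, 0), "ios": (16, 0)}
ALLOWED_LOCK_TYPES = {"pin", "password", "biometric"}
MAX_LOCK_TIMEOUT_S = 5 * 60           # lock after five minutes of inactivity
ALLOWED_APP_SOURCES = {"play_store", "app_store", "mdm"}


def parse_version(text: str) -> tuple:
    """'16.4.1' -> (16, 4, 1). Non-numeric parts become 0; never raises."""
    return tuple(int(p) if p.isdigit() else 0 for p in str(text).split("."))


def version_at_least(text: str, minimum: tuple) -> bool:
    """Compare with zero padding so '13' is not treated as older than (13, 0)."""
    v = parse_version(text)
    n = max(len(v), len(minimum))
    return v + (0,) * (n - len(v)) >= tuple(minimum) + (0,) * (n - len(minimum))


def posture_findings(dev: dict) -> list:
    """Return every policy violation found in one device report."""
    findings = []
    os_name = str(dev.get("os", "")).lower()
    minimum = MIN_OS_VERSION.get(os_name)
    if minimum is None:
        findings.append("unsupported os: " + (os_name or "unknown"))
    elif not version_at_least(dev.get("os_version", "0"), minimum):
        findings.append("os below minimum patched version")
    if dev.get("rooted"):
        findings.append("rooted/jailbroken")
    if dev.get("unknown_sources"):
        findings.append("install from unknown sources enabled")
    if dev.get("lock_type") not in ALLOWED_LOCK_TYPES:
        findings.append("no secure screen lock")
    if dev.get("lock_timeout_s", 10 ** 9) > MAX_LOCK_TIMEOUT_S:
        findings.append("inactivity lock timeout too long")
    if not dev.get("storage_encrypted"):
        findings.append("storage not encrypted")
    for app in dev.get("apps", []):
        if app.get("source") not in ALLOWED_APP_SOURCES:
            findings.append("sideloaded app: " + str(app.get("package")))
    return findings


# Findings that deny access outright, whoever owns the device.
HARD_FAIL_PREFIXES = ("rooted", "sideloaded", "unsupported", "install from unknown")


def network_decision(dev: dict) -> str:
    """Map posture to a zone: 'corporate', 'guest' or 'deny'.

    Rooted, sideloaded or unsupported devices are denied. Any other finding
    sends a BYOD device to the isolated guest network (the low-risk
    environment the article recommends); a company-owned device must be
    fully compliant or it is denied until fixed.
    """
    findings = posture_findings(dev)
    if any(f.startswith(HARD_FAIL_PREFIXES) for f in findings):
        return "deny"
    if findings:
        return "guest" if dev.get("ownership") == "byod" else "deny"
    return "corporate"


# Constructed sample posture reports (not real devices).
SAMPLE_DEVICES = [
    {"id": "byod-1", "ownership": "byod", "os": "android", "os_version": "14",
     "rooted": True, "unknown_sources": True, "lock_type": "pin",
     "lock_timeout_s": 60, "storage_encrypted": True,
     "apps": [{"package": "com.example.flashlight", "source": "apk_sideload"}]},
    {"id": "byod-2", "ownership": "byod", "os": "ios", "os_version": "16.4.1",
     "rooted": False, "unknown_sources": False, "lock_type": "none",
     "lock_timeout_s": 900, "storage_encrypted": True, "apps": []},
    {"id": "corp-1", "ownership": "company", "os": "ios", "os_version": "17.2",
     "rooted": False, "unknown_sources": False, "lock_type": "biometric",
     "lock_timeout_s": 300, "storage_encrypted": True,
     "apps": [{"package": "com.example.mail", "source": "mdm"}]},
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev["id"], network_decision(dev), posture_findings(dev))
```

Run periodically against fresh reports, as the article suggests, rather than once at enrollment: a device that was compliant last month may have been rooted or fallen behind on patches since.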
Mobile Security Threat #3. Untrusted Networks
Mobile devices – particularly smartphones – can access the internet in at least two ways:
- Cellular data connection
- Wifi connection to a local network
If a device is owned by an employee, the organization has no control over its cellular data connection.
Without any way to ensure the cellular network is secure, it’s best to consider it untrusted and exposed to man-in-the-middle attacks and other mobile security threats. Any data transmitted on the network is at risk.
Mobile devices that are allowed to leave the office – such as those taken home or on the road – are also exposed to unknown wireless networks. These networks must not be trusted, either.
A few ways to mitigate the risks of access to untrusted networks:
- Require the use of virtual private networks (VPNs) to encrypt data sent on untrusted networks and ensure mutual authentication of client and server
- Disable any network interfaces not necessary for business use (such as an unneeded cellular data connection)
- Prohibit the use of wireless networks that rely on insecure protocols, such as WEP
Mobile Security Threat #4. Insecure Apps
The manufacturers of mobile devices and operating systems make it easy to install applications.
This is at odds with the security principle that unnecessary applications are unnecessary risks: each one is a potential avenue for a malicious actor to compromise the device and the resources it can reach.
As with the above topics, assume third-party mobile applications cannot be trusted.
Security practices for handling mobile apps:
- Prohibit the installation of third-party apps
- Practice application whitelisting – or, more simply, maintain a list of allowed applications
- Grant only the necessary permissions to applications
- Create a secure sandbox on the device to handle company resources and data
Users can also access web-based applications through web browsers. Yet again, you should assume these applications are unsafe.
Security tips to handle browser-based apps:
- Restrict browser access on the device
- On the business network, force mobile traffic through secure gateways, such as AccessEnforcer, to assess URLs before connections are allowed
- Require the use of a separate browser inside a secure sandbox
Mobile Security Threat #5. Unsafe Systems
Mobile devices have thousands of uses – many of which require connecting to another system, such as by:
- Tethering two mobile devices together so they can share a network connection
- Plugging a mobile device into a workstation to serve as data storage
- Connecting with a remote service to back up or sync the device’s data
Even plugging a device into a charging station exposes it to another system, since a USB port can carry data as well as power.
Many of these systems – whether the workstations, mobile devices, or other services – are not under the organization’s control.
That means (you guessed it) you should assume they are a security threat and will expose the organization’s data to an insecure environment.
Steps you can take:
- Restrict the systems to which a mobile device can connect
- Add access controls to the organization’s desktops, laptops, and servers to prevent connection with a mobile device
- At the gateway, block the domains and IPs of any services you do not want accessed by a mobile device
- Instruct users to not use untrusted charging stations or other services
Mobile Security Threat #6. Untrusted Content
Mobile devices can interface with the real world in a number of ways. One of them is with QR codes.
By using a device’s camera, a user can scan a QR code to trigger an action on the device. Usually a web browser opens and navigates to the encoded URL.
QR codes are easy to make and can point to any given URL, whether benign or malicious. Since they are rarely used in small businesses, you can take steps to limit or prohibit their use:
- Require the QR codes’ content (i.e. the URL) to be displayed before executing
- At the gateway, validate URLs before allowing connections
- Restrict or prohibit the use of the device’s camera
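Both the gateway advice above (assess URLs before connections are allowed) and the QR code steps (show the decoded URL, then validate it) need the same piece of logic: a URL check that fails closed. The script below is an added example for this article; it is not the article's code, not NIST's, and not the code of any gateway product such as AccessEnforcer. The allowlist and the sample payloads are hypothetical and constructed.

```python
"""Validate a URL decoded from a QR code, or seen at a gateway, before the
device is allowed to open it.

Added example; not from the article, NIST SP 800-124 or any gateway
product. ALLOWED_HOSTS and SAMPLES are hypothetical. Checks, in order:
  - scheme must be http/https (QR payloads can also carry tel:, sms:,
    intent:, javascript: and other handlers)
  - no userinfo, so https://good.example@evil.example/ cannot mislead
  - host must be a DNS name, not a raw IP, and plain ASCII with no
    punycode (xn--) label, which blunts homoglyph look-alikes
  - host must be on the allowlist (exact match or a subdomain)
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"intranet.example.com", "example.com"}   # hypothetical


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _host_allowed(host: str) -> bool:
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def check_url(payload: str) -> tuple:
    """Return (allowed, reason). Never raises, whatever the payload contains."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError as exc:              # e.g. malformed IPv6 brackets
        return False, "unparseable: %s" % exc
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: " + (scheme or "none")
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present (host spoofing)"
    host = (parts.hostname or "").rstrip(".")   # hostname is already lowercased
    if not host:
        return False, "no host"
    if not host.isascii():
        return False, "non-ASCII host (possible homoglyph)"
    if _is_ip_literal(host):
        return False, "raw IP address host"
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, "punycode host (possible homoglyph)"
    if not _host_allowed(host):
        return False, "host not on allowlist: " + host
    return True, "ok"


def display_text(payload: str, max_path: int = 32) -> str:
    """Text to show the user before opening: scheme and host first, path
    truncated, so a long path or query cannot push the real host off screen."""
    try:
        parts = urlsplit(payload.strip())
    except ValueError:
        return "<unparseable>"
    host = parts.hostname or "?"
    path = parts.path or "/"
    if len(path) > max_path:
        path = path[:max_path] + "..."
    return "%s://%s%s" % (parts.scheme.lower() or "?", host, path)


# Constructed sample payloads (not captured from real QR codes).
SAMPLES = [
    "https://intranet.example.com/onboard",          # allowed
    "HTTPS://Sub.Example.COM/x",                      # allowed (subdomain)
    "https://intranet.example.com@evil.example/",    # userinfo trick
    "javascript:alert(1)",                            # non-web scheme
    "tel:+15555550100",                               # dialer handler
    "https://192.0.2.10/login",                       # raw IP
    "https://xn--exmple-cua.com/",                    # punycode look-alike
    "https://evil.example.com.attacker.test/",       # suffix spoof
    "intranet.example.com/onboard",                   # bare domain, no scheme
]

if __name__ == "__main__":
    for p in SAMPLES:
        ok, why = check_url(p)
        print("ALLOW" if ok else "BLOCK", display_text(p), "-", why)
```

A bare domain with no scheme is blocked rather than guessed; most scanners would silently prepend https://, which is exactly the kind of implicit "execute" the article says to avoid. The allowlist is the strict option suited to a small business that rarely uses QR codes; a gateway serving a wider population would swap it for a reputation or category lookup but keep the scheme, userinfo and host-form checks in front of it.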
Mobile Security Threat #7. Location Services (GPS)
Most mobile devices include GPS, which can share the device’s location with apps and services that have been granted permission.
This can be a boon for security. GPS can be used to deploy location-based security policies, which can apply different security controls based on whether the device is in the office or another location.
In the hands of an attacker, location data is just as powerful: it reveals where the device is and how its owner behaves, including the people and systems that person can physically reach.
Steps you can take:
- Disable location services entirely where the business does not need them
- Limit location services to a set list of approved apps, and deny them to apps that publish location, such as social networking and photo-sharing apps
- Train users to disable GPS when in sensitive locations
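To show what a location-based security policy like the one described above actually decides, here is an added example for this article; it is not the article's code and not NIST's. The office coordinates, sensitive-site list, radii and profile contents are hypothetical, and the fix is a plain dict standing in for whatever the device's location API returns. One caveat the example builds in: the fix comes from the device itself, so a rooted device can report any coordinates it likes. The "office" profile therefore only relaxes controls the office network re-checks on its own, and a missing, stale or imprecise fix fails closed to the "remote" profile.

```python
"""Pick a security profile from the device's last GPS fix.

Added example; not from the article or from NIST SP 800-124. OFFICE,
SENSITIVE_SITES, the radii and PROFILES are hypothetical. The fix is
self-reported by the device, so it is advisory: a rooted device can
fake it. Anything missing, stale or coarse fails closed to 'remote'.
"""
import math

OFFICE = (40.7484, -73.9857)            # hypothetical office lat/lon
OFFICE_RADIUS_M = 150.0
# Hypothetical sites where the camera and location sharing must be off.
SENSITIVE_SITES = [((40.7128, -74.0060), 300.0)]
MAX_FIX_AGE_S = 10 * 60                 # older fixes are not trusted
MAX_ACCURACY_M = 100.0                  # coarser fixes are not trusted
SAMPLE_NOW = 1_700_000_000.0            # fixed "now" so the example is deterministic

PROFILES = {
    "office": {"require_vpn": False, "camera": True, "location_apps": "all"},
    "remote": {"require_vpn": True, "camera": True, "location_apps": "mdm_only"},
    "sensitive_site": {"require_vpn": True, "camera": False, "location_apps": "none"},
}


def haversine_m(a: tuple, b: tuple) -> float:
    """Great-circle distance in metres between two (lat, lon) pairs."""
    r = 6371000.0
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))


def make_fix(lat: float, lon: float, accuracy_m: float, age_s: float, now: float) -> dict:
    """Build a constructed fix in the shape this example expects."""
    return {"lat": lat, "lon": lon, "accuracy_m": accuracy_m, "timestamp": now - age_s}


def fix_is_usable(fix, now: float) -> bool:
    """Reject missing, stale or coarse fixes so they can never unlock 'office'."""
    if not fix:
        return False
    try:
        age = now - float(fix["timestamp"])
        return age <= MAX_FIX_AGE_S and float(fix["accuracy_m"]) <= MAX_ACCURACY_M
    except (KeyError, TypeError, ValueError):
        return False


def select_profile(fix, now: float) -> str:
    """Return the profile name to apply. Sensitive sites are checked first so
    an office next door to one never turns the camera back on."""
    if not fix_is_usable(fix, now):
        return "remote"
    here = (float(fix["lat"]), float(fix["lon"]))
    err = float(fix["accuracy_m"])
    # Uncertainty counts against the device: an error circle that touches a
    # sensitive site is treated as inside it...
    for centre, radius in SENSITIVE_SITES:
        if haversine_m(here, centre) - err <= radius:
            return "sensitive_site"
    # ...but the whole circle must lie inside the office to earn 'office'.
    if haversine_m(here, OFFICE) + err <= OFFICE_RADIUS_M:
        return "office"
    return "remote"


if __name__ == "__main__":
    # Constructed fixes: in the office, coarse in the office, stale, far away, at a site.
    cases = [
        ("office, good fix", make_fix(40.7490, -73.9857, 20.0, 30.0, SAMPLE_NOW)),
        ("office, coarse fix", make_fix(40.7490, -73.9857, 100.0, 30.0, SAMPLE_NOW)),
        ("office, stale fix", make_fix(40.7490, -73.9857, 20.0, 3600.0, SAMPLE_NOW)),
        ("1.3 km away", make_fix(40.7600, -73.9857, 20.0, 30.0, SAMPLE_NOW)),
        ("sensitive site", make_fix(40.7130, -74.0060, 30.0, 30.0, SAMPLE_NOW)),
        ("location off", None),
    ]
    for label, fix in cases:
        name = select_profile(fix, SAMPLE_NOW)
        print("%-20s -> %-15s %s" % (label, name, PROFILES[name]))
```

The asymmetry in how accuracy is applied is the point: a coarse fix near the office is "remote", a coarse fix near a sensitive site is "sensitive_site". Turning location services off, as the article recommends for sensitive locations, also lands on "remote", so a user who follows that advice never loses protection.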