Your Biggest Cybersecurity Weakness Is Your Phone


Mobile devices are one of the weakest links in corporate security. Executives are wrestling with managing a proliferation of devices, protecting data, securing networks, and training employees to take security seriously. In our Tech Pro Research survey of chief information officers, technology executives, and IT employees, 45% of respondents saw mobile devices as the weak spot in their company’s defenses. (Employee data was cited by 37%, followed by wireless access of networks at 34% and bring-your-own-device efforts at 29%.)

Meanwhile, the potential for mobile attacks continues to expand. In July comScore reported that half of all digital time was spent on smartphone apps, and 68% of time was spent on a mobile device. If mobile security isn’t a problem for your company yet, it will be.

Consider the following recent events:

  • A flaw called “Quadrooter” left more than 900 million Android devices vulnerable to attacks. The code was published online. Google has since patched Android.
  • Pokémon Go became a global phenomenon, but people in regions without the game downloaded it from unauthorized marketplaces, exposing their devices to malicious attacks.
  • Researchers at Binghamton University found that wearable devices and smartwatches can give away PINs and passwords through an algorithm that has 80% accuracy on the first try and 90% after three attempts.

Securing mobile devices is tricky. Android is a fragmented mobile operating system. Security researchers are anticipating more attacks on Apple’s iOS. Employees lose their devices and can be lax with security compliance. Toss in people bringing their own unsupported devices to work and you can see why security executives are stressed.

Now for the good news: These challenges can be overcome. Our previous survey work at Tech Pro Research found that only 12% of companies have been hit by a mobile security breach. There’s still time for businesses to improve their mobile security practices. Yes, mobile devices can be a problem, but like most things in the security world, the issue isn’t necessarily the smartphone, tablet, or laptop. The problem is us. The solution is following security best practices, protecting corporate data, and educating humans — the real weakest link.

In a July report on mobile security, we noted that mobile devices are breached largely because people lose them or don’t practice good security habits (including not applying the latest security updates) — not because of inherently weak security in devices.

Simply put, most corporate mobile security incidents are due to humans failing to follow basic security procedures. Given that reality, mobile security needs to be part of the broader policy and procedure mix.

Tech Pro Research analyst Jack Wallen outlines the following recommendations to shore up security overall and fortify corporate mobile defenses. These recommendations are based on best practices as well as responses to our surveys.

  • Educate employees and upper management. People need to learn how their actions can have consequences. Sessions on protecting corporate data and thwarting social engineering efforts could be useful. Educating upper management is a different task for information technology executives. The education job here is to make sure upper management knows how dire security breaches can become. Employees traveling abroad can also become easy targets without security know-how.
  • Continue to invest in systems to encrypt data, protect networks and various endpoints — internet of things sensors, point of sale terminals, mobile devices, etc.
  • Audit networks, retool and continually update security policies, and migrate systems to a more secure provider. These efforts have to incorporate mobile risks from devices in the workplace today, such as smartphones, as well as devices that soon will be, such as wearables.
  • Hire a digital forensics specialist. Of companies with 1,000 employees or more, 41% have a digital forensics expert on staff. These specialists are critical to investigating security issues on all fronts, including mobile. Smaller companies or companies with fewer resources to devote to forensics may find themselves to be easier targets for cyberattacks.

Cybersecurity also involves a heavy dose of individual responsibility. Employees and consumers should follow these best practices, from security firm Kaspersky and TechRepublic, to secure their devices.

  • Set a lock and PIN on your phone.
  • Turn on your phone’s auto-lock.
  • Use container technologies such as Samsung’s Knox, which adds a layer of security to work items and segments them away from personal items.
  • Back up information to cloud services, and store as little as possible on the device.
  • Use basic security common sense, such as ignoring spam email and avoiding downloads that don’t come from an approved app marketplace (Apple’s App Store, Google Play, or a company-specific area).
  • Keep devices close to you and within sight at all times.
  • Use two-factor authentication whenever possible.
  • If a device is lost or stolen, notify your employer right away for remote wiping procedures. For a personal device, Android and Apple’s iOS offer remote wiping features.
  • Avoid unsecured Wi-Fi connections.
  • Keep Bluetooth out of discovery mode when not in use.
  • Encrypt corporate data using the security software your company provides.
  • Connect your smartphone to company networks via VPN connections.

Mobile security is likely to become the next frontier for corporate security executives as exploits and hacks become more creative. Making mobile a regular part of your company’s broader security policy and procedure framework will be critical.

[Harvard Business Review]

September 25, 2016
