U.S. businesses take a lot of risk when it comes to how mobile devices are used in their day-to-day operations.
In 2022, only 15 percent of small and medium businesses provided smartphones to employees according to research by Maximizing Mobiles Value. Another 40 percent expected employees to use their personal phones for business.
For that 40 percent, we suggest that approach is penny wise and pound foolish without the proper cybersecurity safeguards in place.
In this article we will focus on the risks to companies associated with mobile devices and steps you can take to protect your company and your information.
Make smartphones really smart to protect your company’s sensitive data.
The challenge for small and medium businesses is significant. On the one hand, most companies can’t do without smartphones, tablets and laptops. On the other hand, sophisticated cybercriminals are finding more and more ways to breach digital firewalls and steal valuable information about the company, its customers and vendors.
While there is no one silver bullet when it comes to data security, we know that better managing access and authentication of users can have a significant impact in securing mobile devices.
There are five areas of access and authentication that can be improved.
1. Weak password policies impact mobile device security
We all do it. We all use passwords that are easy for a hacker to guess. Or worse, we use the same password, easy or otherwise, across multiple accounts.
There are many risks with weak passwords. At the top of the list is unauthorized access to mobile devices and all the scrumptious data thieves seek. It would be interesting to know how many people who read this article use their birthday or, worse, “123456” as a password. They might as well put a sticker on their phone that says, “steal me.”
When employees reuse passwords across multiple accounts, a breach in one platform can lead to a cascade of security breaches. It’s not uncommon that an employee will use the same password for their corporate email account as they do for a personal social media profile.
The severity of these cyberattacks becomes glaringly evident when you examine real-world breaches. In one of the largest breaches ever, more than 142 million individuals in the Equifax system had their personal information stolen due to a vulnerability that exploited weak password practices. Equifax failed to update a security certificate, which could have been a minor issue except for a single, easily guessable password that went unchanged for months.
2. Lack of Multi-Factor Authentication (MFA)
Companies serious about data security have implemented multi-factor authentication, sometimes called two-factor authentication. In short, MFA is a second step in the authentication process after a password that creates a more robust and secure process to get access to important personal or company information.
MFA can take many forms, from a system-generated PIN to a fingerprint or face recognition. MFA’s requirement for a second layer of information has several key benefits:
- Additional Protection Beyond a Password. Even if a cyber thief gets your password, they will have to go through another layer of work to access your information.
- Protects Stolen Devices. It helps prevent unauthorized access because the thief would need the device and second authentication factor to get access.
- Enhanced Compliance. MFA is often a requirement for compliance with data regulations such as HIPAA.
While some companies resist MFA because of the perceived complexity, user pushback or cost considerations, there are some significant security risks if it is not implemented. Some of the most common security threats are increased vulnerability to cyber theft, loss of personal data, financial loss, productivity loss and, not the least important, a hit on your company’s reputation if your data is stolen.
3. Use of Biometric Authentication
Biometric authentication methods such as fingerprint and facial recognition address many of the limitations of PINs and passwords.
Biometric data is unique to each individual, which makes it exceedingly difficult for attackers to replicate or impersonate. This approach is also much more user-friendly and convenient. Users can unlock their devices or access sensitive information with a simple touch or glance, eliminating the need to remember passwords and PINs.
Biometric authentication has had quite a few high-profile successes. Various financial institutions and payment platforms have integrated it as a part of online transactions. In healthcare, biometric authentication ensures only authorized personnel can access patients’ medical records.
4. Neglecting Physical Security
The significance of physical security measures for mobile phones and other mobile devices cannot be overstated. Physical security measures play a pivotal role in preventing unauthorized access in the event of loss or theft.
Device locks and passcodes are a fundamental practice for most businesses. Adoption of biometric authentication is expanding as most modern mobile devices feature methods like fingerprint scanners or facial recognition. And many businesses have the capability to wipe mobile devices remotely to protect data.
There are a variety of effective tools to help companies physically secure mobile devices:
- Device Locks
- Biometric Authentication
- Secure Storage
- Anti-Theft Cables
- GPS Tracking
- Remote Wipe
It is in your company’s best interest to closely monitor where and how devices devoted to the business are being used.
5. Downloads from Unverified Sources
Unverified sources for mobile apps typically refer to places other than official app stores, where users can download apps without undergoing the strict vetting and review processes that official stores, like the Apple Store or Google Play Store, employ.
Some common examples of unverified sources for apps are websites, third-party app stores, file-sharing platforms, phishing attacks via email attachments and links, social media and forums and unofficial app markets.
The risks are significant because so many businesses depend on the personal cell phone and other mobile devices of their employees. Here are several:
- Malware and Spyware. Unverified sources often host malicious apps which can infect devices and compromise data security.
- Data Theft. Malicious apps can access sensitive data, such as contacts, messages and passwords, and transfer this information to cyber criminals.
- Privacy Invasion. Some apps collect excessive user data without consent, violating privacy rights and potentially exposing sensitive personal information.
- Device Vulnerabilities. These apps may contain vulnerabilities that can be exploited by attackers to gain unauthorized access to devices.
- Financial Fraud. Fake or rogue apps can deceive users into making fraudulent purchases or disclosing financial information.
Restricting app installations to trusted sources like official app stores offers numerous benefits:
- Verified Apps. Official app stores vet and verify apps before listing them, reducing the risk of malware and malicious mobile applications invading your business information.
- Regular Updates. Apps from official stores will receive regular security updates and patches to address known vulnerabilities.
- Privacy Protections. Trusted sources enforce privacy policies, reducing the likelihood of apps collecting excessive private information from users.
- User Reviews and Ratings. Users can rely on reviews and ratings in official app stores to gauge an app’s trustworthiness and quality.
- Legal Protections. Using trusted sources ensures compliance with app store policies and legal regulations.
- Customer Support. Trusted app stores offer support in the event of app-related issues.
By restricting app installations to trusted sources, organizations can significantly mitigate the risks associated with malicious apps and enhance mobile device security and data privacy.
6. Wi-Fi Hacking of Data is a Growing Problem
Data security issues related to access and authentication problems in public Wi-Fi networks can significantly impact the confidentiality and integrity of your company’s data. Here are several concerns:
- Weak or Default Passwords. Many Wi-Fi hotspots and networks still use default usernames and passwords, which are often easy to guess or publicly available. Weak or unchanged credentials provide an open invitation to attackers, allowing them to easily gain unauthorized access to your network and sensitive data.
- Unauthorized Access. Inadequate access control measures can lead to unauthorized users gaining entry to your Wi-Fi network. This can result from weak or shared passwords, improper authentication methods or the absence of access restrictions.
- Insufficient Encryption. Weak encryption can expose data to eavesdropping and interception, allowing attackers to easily capture and decipher data transmitted over the Wi-Fi network.
- Rogue Access Points. Unauthorized access points or rogue hotspots set up by attackers masquerading as service providers can lure unsuspecting users, leading to data being intercepted.
- Shared Credentials. In some cases, multiple users share a single set of credentials for Wi-Fi access. This lack of individual authentication can make it challenging to trace actions to specific users and can lead to unauthorized access if credentials are shared or compromised.
- Failure to Rotate Credentials. Regularly changing Wi-Fi passwords and access credentials is essential for security.
It is critical for your company to implement strong measures such as encryption, enforcing complex and unique passwords, regularly changing passwords, implementing MFA and keeping firmware up to date.
Utilize best practices for access control and authentication on mobile devices.
Mobile device management is crucial for today’s businesses, whether your company uses Apple iPhone/iOS or Android phones and devices. Many of the tips and security solutions in this article are relatively easy for a company to require of its employees who are using mobile devices for business purposes.
As this article has underscored, access control and authentication stand as the first line of defense for mobile data security against unauthorized access and data breaches of sensitive company information. Weak passwords, inadequate authentication measures or neglecting physical security can leave mobile devices and their data vulnerable to a host of threats.
To combat these mobile security threats, companies must step up with security features such as robust password security policies, multi-factor authentication, biometric safeguards and physical security measures. The importance of these measures cannot be overstated.
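One way to turn the controls covered in this article into a repeatable check is to audit a device inventory export against them. This is an added example, not part of the original article: the CSV column names, the sample rows and the 180-day passcode rotation window are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample of an MDM inventory export; column names are hypothetical.
SAMPLE_EXPORT = """device,owner,passcode_set,biometric,remote_wipe,mfa_enrolled,unknown_sources,passcode_changed
pixel-01,alice,yes,yes,yes,yes,no,2024-05-01
iphone-02,bob,no,no,yes,no,no,2023-01-15
galaxy-03,carol,yes,no,no,yes,yes,2024-04-20
"""

MAX_PASSCODE_AGE_DAYS = 180  # assumed rotation window, not from the article

# (column, required value, finding) for the controls the article lists
RULES = [
    ("passcode_set", "yes", "no device lock or passcode"),
    ("mfa_enrolled", "yes", "MFA not enrolled"),
    ("remote_wipe", "yes", "remote wipe unavailable"),
    ("unknown_sources", "no", "app installs allowed from unverified sources"),
    ("biometric", "yes", "biometric unlock not enabled"),
]

def audit(export_text, today):
    """Return {device: [findings]} for every device that misses a control."""
    report = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        findings = [msg for col, want, msg in RULES
                    if row[col].strip().lower() != want]
        # A passcode that exists but is stale is a separate finding.
        if row["passcode_set"].strip().lower() == "yes":
            age = (today - date.fromisoformat(row["passcode_changed"])).days
            if age > MAX_PASSCODE_AGE_DAYS:
                findings.append(f"passcode unchanged for {age} days")
        if findings:
            report[row["device"]] = findings
    return report

if __name__ == "__main__":
    for device, findings in audit(SAMPLE_EXPORT, date(2024, 6, 1)).items():
        print(device, "->", "; ".join(findings))
```

Devices that meet every control are left out of the report, so an empty result means the whole fleet passed.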