Organizations are increasingly finding themselves in a constant tug-of-war on multiple fronts. From battling an array of threats and mitigating vulnerabilities, to managing risks tied to cloud-based environments and third-party vendors.
Despite this, there’s one vector of attack that isn’t getting the attention needed –especially given the post-pandemic world we live in – mobile security. Often regarded as peripheral components within enterprise cybersecurity, mobile devices have evolved to become central to operations, and consequently, become attractive targets for cybercriminals.
Despite this growing threat, many organizations tend to overlook the importance of mobile security in their overall security strategy. Most companies either ignore mobile security or think device management solutions will be sufficient rather than focus on mobile security risk itself, which may be why mobile attacks and mobile malware is one of the fastest-growing malware types.
Here, we’ll guide you through the lurking risks your organization faces, both from within and beyond its walls. Along the way, we’ll spotlight key technologies and solutions you can deploy to bolster your defenses against these persistent mobile threats.
The Mobile Threat Landscape
The pandemic has significantly amplified the usage of mobile devices, both personal devices and those who are employed for remote work. This increase, however, also brings with it a surge in associated security risks. As mobile device usage increases, so have the threats aimed at them. Coupled with the visibility challenges many security teams face, it has become difficult for these teams to determine the exact number of devices connected to their company’s network. This has exacerbated the Shadow IT problem.
Employees may not know the elevated risk they pose by using their own devices on unauthorized networks. For instance, there’s a common misconception that iOS devices are inherently secure, which can cause users to perform even riskier actions on them. There have been numerous apps found on Apple’s App Store that have been designated as malicious and multiple zero-day vulnerabilities targeting iOS apps have been discovered.
While emails are still the primary vector for many attacks, email-based threats can still infect mobile devices and attackers are developing specific phishing techniques targeting mobile-specific apps and systems such as SMS (smishing), WhatsApp, and social media.
It’s clear that mobile security can no longer be put on the backburner. The strategy and effort applied to securing desktops, laptops, and servers must extend to mobile devices. Despite currently existing in a somewhat nebulous middle ground, the importance of mobile security in a comprehensive cybersecurity strategy cannot be overstated.
Organizations should start by directly addressing mobile security threats beyond traditional mobile device management (MDM) tools. These tools manage devices in a network, which can be helpful but don’t directly address more sophisticated threats because their primary function is device management, not device security. Mobile threat defense (MTD) tools are designed to proactively protect mobile endpoints against known attacks and threats by detecting and remediating mobile threats, whether they’re app-based, OS malware, or network-based attacks targeting mobile devices.
Uncovering Stealth Threats in Mobile Security
As organizations grapple with the challenges posed by mobile device security, it’s vital to have a thorough understanding of the specific risks and threats they face.
Software and System-based Vulnerabilities
These risks are much like the ones found on non-mobile devices. They’re software vulnerabilities and exploits that can be found in both operating systems and applications, with cybercriminals continuously seeking out new ways to take advantage of them. Malicious actors are known to try and leverage vulnerabilities within an iOS or Android platform to leverage an outdated app to compromise a system. To be protected from these threats, having a vulnerability management system in place can be effective as well as mandating an auto-update policy for software and system updates.
Malicious apps have been around nearly as long as devices. These apps – if downloaded outside of an app store – often have a higher risk of being malicious even if the app is known to be legitimate. Even app stores are at risk here. While Google and Apple purport to heavily vet their apps, many malicious versions make their way to millions of mobile devices. In some cases, a simple name change is all that’s needed to get back on an app store.
Mobile Device as a Vector
Many attempts to compromise or attack a system or organization come via a mobile device. This can be done via text-based phishing (smishing), deploying malicious ads on legitimate apps, or finding ways to compromise a device via email, social media, or mobile ransomware.
Despite the severity of these threats, many organizations still don’t prioritize mobile device security as they should. There’s often a lack of knowledge on how to secure these devices effectively or a dearth of processes and infrastructure to support robust mobile security. This lack of priority and preparedness creates opportunities for attackers to exploit.
How Organizations Can Secure Their Mobile Devices
Organizations need to implement robust security measures that specifically address mobile security. This can be done via a mix of policies, processes, and key mobile threat defense solutions. This type of solution is different from mobile device management (MDM) and addresses threats directly rather than just managing mobile devices. In looking for an effective MTD solution, organizations should prioritize the following.
- Protection Against Malicious Apps: A comprehensive mobile security strategy should include app vetting capabilities, and protect not just against known malicious apps but risky apps that can potentially lead to compliance issues.
- Network Attack Mitigation: Mobile devices are frequent targets of network attacks so an effective solution should focus on identifying and neutralizing such threats.
- Web/Phishing Protection: Given the prevalence of phishing threats targeting mobile devices, web protection is an essential component of a comprehensive mobile security strategy.
- Ongoing Risk and Threat Mitigation: Attackers move quickly so having a solution that is proactive against potential zero-day threats and newly discovered vulnerabilities can help organizations stay ahead of attackers.
Mobile device security needs to be an essential component of any cybersecurity strategy and leaders should understand that partnering with a vendor will lead to a faster time to cybersecurity and stay on top of threats more effectively than building up an in-house sub-department focused on mobile security.
Authored by: Zakir Hussain, CEO, BD Software Distribution Pvt. Ltd.