SecuritySpecials

Mobile Security: Do you have a future-proof strategy?

By Anshuman Sharma

Mobile devices have blurred the line between work and leisure. With their increasing computing power, connectivity and overall functionality, our phones now play a role as vital as our desktop computers and laptops, owing to greater convenience, easier access to content, fewer restrictions on control, and the availability of Wi-Fi everywhere.


Even though mobile device breaches tend to secure a smaller share of headlines, the importance of mobile security in the current enterprise landscape cannot be overstated. According to the Mobile Security Index 2023 report, 90% of successful cyberattacks and as many as 70% of successful data breaches originate at endpoint devices. From unintentional data leakage through unsuspecting mobile apps to free but unsecured Wi-Fi networks, mobile devices are now more susceptible to cybersecurity threats than other computing devices.


Humans are the most lucrative entry point for attackers to gain access

Security fatigue, complacency and a lack of understanding of potential consequences have often contributed to employees emerging as the organization’s weakest and most vulnerable point for cyberattacks. According to Forrester, IoT devices, employee-owned mobile devices and company-owned mobile devices were the three most common targets in external attacks. Unsuspecting employees often fall victim to attackers through a series of erroneous steps such as clicking phishing links, downloading malware, sharing personal information with scammers, or sharing passwords with untrustworthy actors. The Mobile Security Report also cites that 81% of organizations faced malware, phishing and password attacks in 2022, most of them targeted at users.


Similarly, fatigue can set in within the workforce because of multiple security steps and the myriad passwords to remember. The risks of security fatigue can be seen in multifactor authentication (MFA) spamming attacks. These occur when a perpetrator bombards a user who is accustomed to MFA with prompts, in the hope that the person will click “accept” to make the annoyance disappear. A breach of Virtual Private Network (VPN) access is another way in which users succumb to security fatigue.
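The MFA spamming pattern described above leaves a recognisable trace in authentication logs: a burst of push prompts to one user in a short window, several denials, and then an approval. The following Python is an added detection example, not code from the article or from any Verizon product; it assumes a hypothetical "timestamp user event" log format and uses constructed sample lines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system) in a hypothetical
# "timestamp user event" format emitted by an MFA push provider.
SAMPLE_LOG = """\
2023-06-01T08:00:02Z alice push_sent
2023-06-01T08:00:09Z alice push_approved
2023-06-01T08:14:00Z bob push_sent
2023-06-01T08:14:05Z bob push_denied
2023-06-01T08:14:31Z bob push_sent
2023-06-01T08:14:36Z bob push_denied
2023-06-01T08:15:02Z bob push_sent
2023-06-01T08:15:40Z bob push_sent
2023-06-01T08:16:11Z bob push_sent
2023-06-01T08:16:20Z bob push_approved
"""

WINDOW = timedelta(minutes=5)   # look for prompt bursts inside this window
PROMPT_THRESHOLD = 3            # more than this many prompts per window is abnormal

def parse_log(text):
    """Group (timestamp, event) pairs by user."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event = line.split()
        events[user].append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event))
    return events

def detect_push_fatigue(text, window=WINDOW, threshold=PROMPT_THRESHOLD):
    """Return {user: finding} for users who received more than `threshold`
    push prompts inside `window`; record whether denials preceded an approval."""
    findings = {}
    for user, evs in parse_log(text).items():
        evs.sort()
        sent_times = [t for t, e in evs if e == "push_sent"]
        denied = any(e == "push_denied" for _, e in evs)
        for i, start in enumerate(sent_times):
            burst = [t for t in sent_times[i:] if t - start <= window]
            if len(burst) > threshold:
                approved_after = any(e == "push_approved" and t >= burst[-1] for t, e in evs)
                findings[user] = {"prompts_in_window": len(burst),
                                  "denied_before_approve": denied,
                                  "approved_after_burst": approved_after}
                break   # one finding per user is enough for an alert
    return findings

if __name__ == "__main__":
    for user, finding in detect_push_fatigue(SAMPLE_LOG).items():
        print(user, finding)
```

A finding with both "denied_before_approve" and "approved_after_burst" set is the signature worth paging on: the user refused the prompts and then gave in.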


The mobile threat landscape has evolved in 2023, with attack vectors relying on one or a mix of several ways to target organisations through mobile devices. Prominent among them is mobile phishing, since it is easier to reach a mobile device through unsuspecting channels that are not protected against phishing, such as applications. The same route is also used to deliver malware and malicious URLs via email, text, social or instant messaging apps. 2023 has also seen rogue Wi-Fi hotspots and counterfeit apps come into play as mobile devices handle more and more business data. Employees are required not only to recognize and avoid the social engineering tactics used by threat actors but also to ensure the security of third-party apps used for business purposes.


Striking the right balance between freedom and security

However, in doing so, enterprises need to strike the right balance between security, user experience and freedom of use. To begin with, a zero-trust approach is emerging as a critical factor in strengthening a company’s security policy. Under a zero-trust approach, analytics-driven identity and access management solutions and AI-driven threat detection can automate the decision of when to grant a specific user access to certain applications, while helping organisations detect anomalies, suspicious user behaviour and unusual network activity. Thus, employees need not deal with demanding authentication requirements, get unintentionally blocked from systems or give unauthorized access to sensitive data.


Mobile Threat Defense (MTD) solutions provide sophisticated, dynamic protection for devices, networks and applications, and can be used to proactively identify and mitigate mobile threats. This enables organizations to safely adopt a “Bring Your Own Device” (BYOD) policy while MTD protects sensitive business data on the device. Alternative device ownership and control models such as Choose Your Own Device (CYOD), Company Owned Personally Enabled (COPE) or Company Owned Business Only (COBO) may also let companies offer employees more freedom with fewer security risks.


Businesses and security leaders must also ensure regular software updates and implement modern MFA methods to safeguard sensitive data on mobile devices. Recently, cyberattacks, especially those on mobile devices, have forced application and software companies to issue updates that add layers of MFA and security. By maintaining open lines of communication between IT departments and other employees, security policies can be tailored to protect and safeguard without getting in the way.


To find the right balance, it is important to cultivate a security-aware culture. Mobile devices act as vital entry points to a company’s key systems, data and cloud-based resources. As such, they must be protected effectively and prevented from becoming the Achilles’ heel of an organization, by leveraging solutions that provide robust security while ensuring a seamless user experience. Regular training sessions can educate employees on the importance of security measures and best practices for mobile usage, including the use of third-party applications, VPNs, unknown Wi-Fi hotspots and MFA, among other things. Other measures such as adopting multi-layered security protocols and using scalable, cloud-native solutions can go a long way towards setting the course for a resilient, future-ready security strategy.


(The author is Director – VTRAC, Cybersecurity Consulting Services, Verizon Business, and the views expressed in this article are his own)