In today’s growing remote working environment, and with the rapid adoption of technology to help businesses do that successfully, mobile device security is vital to keeping personal information and sensitive company data private. In this article, we’ll discuss what mobile device security is, its benefits, common mobile security threats, as well as mobile device management solutions, and best mobile security practices for small businesses.
What is mobile device security and why it’s important
Mobile device security is the suite of measures you take to protect the information both stored and sent using devices such as smartphones, laptops, tablets, and other portable devices like smart speakers. Mobile device security is most efficiently handled using mobile device management (MDM) software, which is a necessary component of a broader Enterprise Mobility Management (EMM) solution (we’ll cover this in more detail below).
The number of businesses adopting mobile solutions is on the rise, and with more employers allowing their workforce to work remotely, this trend will only continue. It’s reported that over 67% of small businesses view mobile solutions as vital to their success (SMB Group, 2017). In fact, nearly 83% are already using mobile applications of some variety inside of their businesses, with over half of their employees using at least one mobile device for business purposes. With increased workplace mobility and an increased number of mobile devices within a company, the security challenges presented to small businesses are increasing as well.
Mobile devices are easy targets for attackers for a couple of reasons. First, 97% of all mobile devices operate on one of two operating systems, including smartphones, tablets, as well as wearable and smart devices. This makes the cost/benefit ratio attractive for hackers: they can concentrate their exploit development efforts on only one or two general systems, and if successful in finding a vulnerability, they can potentially get access to millions of devices. Second, many users, including SMBs, don’t have effective mobile security solutions in place, making their employees’ mobile devices an easy point of entry for malware attacks, phishing attacks, and data leaks.
While shoring up your mobile device security will require additional investment in your IT, incorporating a comprehensive solution into your business is a critical component of reducing the risk of the loss or theft of sensitive data.
Whether you have an office-based or dispersed workforce, with a mobile security plan in place, you can rest assured you’re taking the necessary steps to protect your employees, your company, and your most valuable assets from outside attacks.
The Benefits of Mobile Device Security
There are numerous benefits to ramping up mobile device security (MDS). The following are just a few examples of how mobile security measures can help you mitigate risks and protect company assets from malicious outsider attacks. The ones listed below can be easily implemented using mobile device management software.
Policy Enforcement and Compliance
One of the biggest benefits of implementing more robust mobile security solutions into your business is that it allows you to enforce stricter policy compliance, especially if you allow employees to use personal mobile devices for work. A clear mobile policy allows a uniform understanding of MDS practices across your entire enterprise, including what devices can be used, permissible operating systems, what applications and data the company has access to (especially if it’s a personal device), the permissions granted to your company’s IT department, password requirements, and so forth.
Data Backup and Recovery
Another benefit of implementing mobile security systems is the opportunity it provides to shore up gaps in your data backup and recovery process, especially in light of a malicious attack. On a basic level, you can think of data being separated into two categories on mobile devices: personal and enterprise. These distinctions should be clearly outlined in your policies so your employees know what both your and their responsibilities do and don’t include when it comes to your company’s mobile security policies. For example, you can mandate certain backup protocols for enterprise data stored on their personal phones, but you may not be able to mandate full device backups, which would include some personal information you wouldn’t want to be liable for protecting. On enterprise devices, you can mandate certain backup protocols. On personal devices, you can recommend backup procedures. If you’re using MDM software, you can schedule periodic backups of company data rather simply. Did an employee misplace a device, have it stolen, or get terminated? With a mobile security solution in place, you can remotely wipe all company data from their device.
Device registration
Do you want to know what devices are logged onto your network or remotely accessing company data? You should if you want to be able to maintain access controls and trace any breaches that occur via mobile devices. When bolstering your company’s mobile device security, require employees to register any device they intend to use to access company resources or data. Doing so enables you to know what smartphones, tablets, and other devices are on your network, giving you the upper hand in spotting any outliers.
Bring your own device (BYOD) support
There are numerous advantages to allowing employees to bring their own devices to use for work. Not only does it reduce your IT infrastructure costs, but it also enables employees to work remotely without the hassle of learning a new device and having to remember to bring it along when they’re working out of the office. To that last point, BYOD policies have actually been shown to increase employee productivity and satisfaction. However, in order to implement this approach, it’s vital to employ a mobile security solution that incorporates BYOD support to ensure you’re not drastically increasing your attack surface by allowing employees to use their devices for work. This not only includes using mobile management software to register, track, and manage devices, it also means implementing other practices to mitigate security risks such as single sign-on (SSO), VPNs, and more.
Mobile Security Threats
By now you understand some of the benefits attached to bolstering mobile device security, but what are some of the threats involved if you don’t shore up mobile security gaps? Let’s look at a few of the most common mobile security threats in today’s workplace.
Data leaks
Not only is private data one of your company’s greatest assets, but it’s also the target of malicious outsider attacks. Poorly protected devices and lax mobile security policies expose your company data to hackers. According to IBM, the average cost of a corporate data breach is $3.86 million and takes roughly 280 days to identify and contain. Even just one data breach could spell financial ruin for your business! Your data is most vulnerable to leaks from current or past employees. Hackers might perform sophisticated social engineering attacks, targeting current employees in an attempt to retrieve even the smallest piece of information that can provide access to company resources. In these situations, hackers might impersonate reputable vendors, appeal to an employee’s personal interests, or even visit your place of business in person, again, all in an attempt to acquire just enough information to access company data. Other times, employees might accidentally disclose company information to outsiders (most common in the healthcare industry), or you might have a disgruntled ex-employee who sells or trades sensitive company data post-termination to malicious third parties.
Unsecured Wi-Fi and public hotspots
Another vulnerability in mobile device security involves internet connectivity. Without stringent rules and policies in place, your company information is at risk when your employees connect online using an unsecured Wi-Fi network or public hotspot while working remotely. It’s estimated there will be over 542 million public hotspots by 2021 (Statista, 2020). And Pradeo reports that over 91% of mobile devices used for business have already been connected at least once to unsecured Wi-Fi networks, nearly 3% of them being the direct target of an attack (Pradeo Report, 2019).
Phishing attacks (“SMiShing”)
Phishing attacks are no longer limited to your inbox and desktop computers. While your mobile device is still prone to threats from your inbox, attackers are evolving with the times and targeting mobile devices using SMS-based phishing schemes as well. Phishing attempts that use SMS messaging, as well as social and gaming apps, are referred to as “SMiShing” attacks and account for 81% of phishing attempts today (Pradeo Report, 2019). As a relatively new phenomenon, this is a significant threat as uneducated employees are more likely to fall victim to a SMiShing attack.
Mobile Applications – Spyware/Stalkerware
Probably one of the greatest threats to security lies in the applications your employees download onto their mobile devices. Not only do some of these applications access and share more data than necessary, but some of them are also riddled with vulnerabilities. While free applications are enticing to frugal users, they embed an average of six marketing libraries onto devices (Pradeo Report, 2019, p.6). These applications access user data and sell it to companies, turning them into a money-making machine for developers through advertisements. When an employee indiscriminately agrees to the “terms and conditions” while using an application, they could be permitting access to sensitive company data on their mobile device as well. Some of these free applications might even be malicious in nature, including mimicking popular messaging apps. And while 89% of these applications are deleted from app stores, one report discovered them still installed on active devices six months after they were deleted from the store. Attackers also take advantage of the 61% of applications with code vulnerabilities, leading to data leakage or DoS and man-in-the-middle attacks. Regularly updating your mobile device’s software is an effective way to patch security holes and prevent malware attacks, though it was reported that almost half of all Android users didn’t have the latest software installed on their mobile devices, leaving over 846 million devices exposed to malware through known vulnerabilities.
Bring Your Own Devices (BYOD)
Bring your own device (BYOD), when employees are allowed to use their personal mobile devices for work, is a popular practice for small businesses. As mentioned before, it not only saves the company money, but it aids in employee mobility and satisfaction. Unfortunately, it’s a security risk as well. As opposed to company-owned mobile devices where you can exercise greater control, the vulnerabilities to your company’s data are greater with BYOD policies. Businesses tend to grant users generous permissions on their BYOD, especially if they’re using them for work-related tasks. But without effective MDS security policies or an MDM solution in place, one of the greatest problems with BYOD practices is that employers cannot mandate employees to update their personal mobile devices with software and application updates. Again, this creates an opportunity for malicious attackers to access company data through code vulnerabilities in applications, unsecured Wi-Fi connections, and the like.
Mobile Device Management Solutions
The threats to mobile device security are significant, but thankfully, these risks can easily be addressed by implementing a Mobile Device Management (MDM) solution into your business’ IT infrastructure. Let’s discuss what MDM is and what to look for when identifying an MDM solution. Simply put, mobile device management is security software that enables you to monitor and manage mobile devices across your network. This software gives you better control over laptops, smartphones, tablets, and other devices used in your business. And because 67% of businesses believe mobile solutions are an essential element of their company’s success, adopting effective mobile security software is vital to maintaining forward progress. Here are some features to look for when identifying an MDM solution for your business. Almost all of these features can be found in software such as Hexnode, Microsoft Enterprise Mobility, and IBM Security Maas360:
- Remote configuration and monitoring – your software should be able to both monitor and configure mobile devices remotely. This allows you to easily register new devices, push software updates, force application updates over-the-air, and observe which devices are accessing your network at all times.
- Security policies and enforcement – your MDM software should also be able to enforce your mobile security policies. This includes policies related to data storage, authentication/authorization, and remote content access, to name a few.
- Passcode/remote wipe – if your employee’s mobile device is lost or stolen, your MDM software should enable a feature to allow you to remotely wipe company data from the device. In some cases, you will have permissions to erase personal data as well, which might later be used in a social engineering attack.
- Data restrictions – many MDM software suites allow you to establish a geofence and restrict data and application accessibility based on the physical location of a mobile device. You may choose to disable specific applications on enterprise mobile devices while users are off-site, for example.
- Logging/reporting – most MDM solutions automatically log and create a report indicating which devices are on your network and at what times. This is typically done for compliance purposes, but it’s also an effective tool for identifying where vulnerabilities existed in the case of a security breach.
- Scalability – your software needs to easily accommodate new users and devices, not only as your business grows, but as the mobile device market evolves as well. An MDM software should make device registration, configuration, and policy enforcement as simple as possible.
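The device registration and logging/reporting points above come down to comparing what is seen on the network with what has been registered. The following Python is an added example, not taken from any MDM product: the log format, device IDs and user names are constructed for illustration.

```python
"""Added example: flag access by devices missing from the registration list."""
from collections import defaultdict

# Constructed inventory: device_id -> registered owner (hypothetical names).
REGISTERED = {
    "PHN-0012": "alice",
    "TAB-0031": "bob",
    "LAP-0107": "carol",
}

# Constructed access-log lines: timestamp, user, device_id, resource.
SAMPLE_LOG = """\
2024-03-04T08:15:02Z alice PHN-0012 /crm/accounts
2024-03-04T08:17:40Z bob TAB-0031 /files/payroll.xlsx
2024-03-04T09:02:11Z bob PHN-9999 /files/payroll.xlsx
2024-03-04T09:30:55Z dave LAP-0107 /crm/accounts
corrupted entry
2024-03-04T10:05:00Z alice phn-0012 /mail
"""


def parse_line(line):
    """Return (timestamp, user, device_id, resource) or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, user, device_id, resource = parts
    # Normalise case so "phn-0012" and "PHN-0012" are the same device.
    return ts, user.lower(), device_id.upper(), resource


def find_outliers(log_text, registered):
    """Group suspicious events by reason."""
    findings = defaultdict(list)
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            # Keep the line number so the raw entry can be reviewed by hand.
            findings["malformed"].append(lineno)
            continue
        ts, user, device_id, resource = event
        owner = registered.get(device_id)
        if owner is None:
            findings["unregistered_device"].append(event)
        elif owner != user:
            # Registered device, but used by someone other than its owner.
            findings["owner_mismatch"].append(event)
    return dict(findings)


if __name__ == "__main__":
    for reason, events in find_outliers(SAMPLE_LOG, REGISTERED).items():
        print(reason, events)
```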
9 Mobile Security Best Practices for Small Businesses
It’s difficult to strengthen mobile device security inside of your business without using MDM software. The following are nine of the best mobile security practices for small businesses. Bear in mind, many of these practices cannot be implemented without utilizing MDM software.
1) Create a mobile device policy
One of the best security practices you can implement is the creation of a mobile device policy. A mobile device policy is the set of procedures and requirements your staff and employees must follow when using mobile technology for work or while accessing the company’s network. Mobile device policies can include requirements such as mandatory device registration, procedures for reporting lost or stolen devices, a list of permitted or banned applications, and more. While you do not need MDM software to create a mobile device policy, it is almost impossible to enforce your policies without it.
2) Set password requirements
Compromised passwords are responsible for over 80% of data breaches, and with 48% of employees using the same passwords for both personal and work devices, it puts your company’s data at even greater risk of exposure. Establishing strict password requirements not only for mobile devices, but all devices on your network, is one of the best things you can do to begin strengthening mobile security. Require employees to create strong and unique passwords for each of their accounts. Passwords should be a minimum of 8 characters in length and use a combination of letters, numbers, and symbols. Avoid common words and require multi-factor authentication when possible. Single Sign On (SSO) solutions are also worth considering as a way to simplify password management for your end user employees (they only need to remember one password) while maintaining strong password security.
3) Incorporate biometric features
While it’s important to have strong passwords to limit who has accessibility to information on mobile devices, add an extra layer to your mobile security by requiring the use of biometric features. These features can drastically limit who has access to data. The majority of mobile devices on the market have at least one biometric feature built-in. These include facial, voice, fingerprint, and signature recognition. In your mobile device policy, you can even mandate the use of biometric features as a part of your mobile security practices.
4) Block known malicious apps
As mentioned before, mobile applications pose one of the greater security risks to your organization. Malicious applications are responsible for 24% of fraud attacks according to a Netmotion Software report, and while they may be deleted from Apple or Google’s app store, they can remain on devices until they’re manually removed by the user. Using MDM software, you can proactively block known malicious applications on mobile devices across your network. Additionally, when security patches become available for known vulnerabilities in applications, you can automatically push those updates to the mobile devices registered with your enterprise.
5) Encrypt ALL mobile devices
Another great mobile security practice for small businesses is to encrypt all of the mobile devices that access your network. Encryption converts all of the stored data on a device into something only accessible with a specific authentication key, usually a password. You can also require employees to use a VPN (an encrypted network connection) when accessing your company’s network remotely. These encrypted connections ensure data is safely and securely transmitted and also prevent unauthorized users from eavesdropping.
6) No public Wi-Fi accessibility
While the availability of public hotspots is increasing due to the growth in remote work, it does not mean they are getting more secure. Without exception, all public Wi-Fi networks are prone to being compromised by hackers. Because of this, one of the best mobile security practices to incorporate into your mobile device policy is a ban on the use of public Wi-Fi networks. If your employees need to connect to Wi-Fi to conduct business on their mobile devices, it needs to be a secure connection to avoid malicious attacks.
7) Enable remote lock/data wipe
Enabling remote lock and data wipe on mobile devices is another beneficial security practice. In the case of loss or theft, using MDM software, you can lock the missing mobile device. And if necessary, you can erase the data from stolen mobile devices so it’s not compromised.
8) Employee education
One of the best mobile security practices is continued employee education. Many data leaks are preventable and your best defense lies with those on the front lines. Require employees to participate in cybersecurity training several times per year. Review your security policies, mobile device policies, password requirements, network accessibility procedures, the latest phishing attacks, malicious applications, and more. The effectiveness of your mobile security isn’t just about the tools you have, it’s about how well you can educate your employees too.
9) Budget for MDM solutions
Mobile devices are favored entry points for attackers because the attention businesses give to mobile security is lackluster at best. And with more companies employing a remote workforce, investing in strengthening your company’s mobile device security is vital. Budget generously for mobile device management solutions. Remember, the average cost of a data breach is $3.86 million. The proactive investment in both MDM software and cyber liability insurance is significantly less compared to the expenses associated with a security attack.
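Several of the practices above (password length, biometrics, blocked apps, encryption, remote wipe, keeping software updated) can be written down as a policy that a script can check. The following Python is an added example, not the output or API of any MDM product: the device records, the blocked package name and the minimum OS versions are constructed placeholders, and the 8-character minimum is applied to the device passcode as an assumption.

```python
"""Added example: check device records against a written mobile device policy."""

# The 8-character minimum comes from the practices above; the OS floors and
# the blocked package name are constructed placeholders, not recommendations.
POLICY = {
    "min_passcode_length": 8,
    "require_biometric": True,
    "require_encryption": True,
    "require_remote_wipe": True,
    "blocked_apps": {"com.example.fakechat"},
    "min_os": {"android": (13, 0), "ios": (17, 0)},
}

# Constructed inventory records (hypothetical field names and values).
DEVICES = [
    {"id": "PHN-0012", "owner": "alice", "platform": "ios", "os": "17.4",
     "passcode_length": 8, "biometric": True, "encrypted": True,
     "remote_wipe": True, "apps": ["com.example.mail"]},
    {"id": "TAB-0031", "owner": "bob", "platform": "android", "os": "11.0",
     "passcode_length": 4, "biometric": False, "encrypted": True,
     "remote_wipe": False, "apps": ["com.example.fakechat"]},
    {"id": "PHN-0044", "owner": "carol", "platform": "android", "os": "14",
     "passcode_length": 10, "biometric": True, "encrypted": False,
     "remote_wipe": True, "apps": []},
]


def parse_version(text):
    """'17.4' -> (17, 4); '14' -> (14, 0). Compare as tuples, not strings."""
    parts = [int(p) for p in text.split(".")[:2]]
    return tuple(parts + [0] * (2 - len(parts)))


def violations(device, policy):
    """Return the list of policy rules this device breaks."""
    found = []
    if device["passcode_length"] < policy["min_passcode_length"]:
        found.append("passcode_too_short")
    if policy["require_biometric"] and not device["biometric"]:
        found.append("biometric_disabled")
    if policy["require_encryption"] and not device["encrypted"]:
        found.append("not_encrypted")
    if policy["require_remote_wipe"] and not device["remote_wipe"]:
        found.append("remote_wipe_disabled")
    if policy["blocked_apps"] & set(device["apps"]):
        found.append("blocked_app_installed")
    floor = policy["min_os"].get(device["platform"])
    if floor is None:
        # Platform is not on the permitted operating system list.
        found.append("platform_not_permitted")
    elif parse_version(device["os"]) < floor:
        found.append("os_out_of_date")
    return found


def audit(devices, policy):
    """Map device id -> violations, listing only non-compliant devices."""
    report = {d["id"]: violations(d, policy) for d in devices}
    return {dev_id: v for dev_id, v in report.items() if v}
```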
Summary
In conclusion, mobile device security isn’t something you can afford to ignore in today’s workplace, and with the software tools available in today’s market, managing the mobile devices on your network is no longer as burdensome as it used to be. In order to prevent malicious attacks and to keep your personal information and company data safe, use the above best practices to begin addressing the gaps that currently exist in your mobile security. To summarize:
- What is mobile device security? Mobile device security is the suite of measures you take to protect the information both stored and sent using devices such as smartphones, laptops, tablets, and other portable devices like smart speakers.
- What are the benefits of mobile device security? Benefits of mobile device security include heightened policy enforcement and compliance, more proficient data backup and recovery procedures, automatic device registration, and BYOD support.
- Mobile device security threats – There are numerous threats to mobile device security, including data leaks, unsecured Wi-Fi networks, phishing attacks, spyware, hacking attempts using IoT, and those associated with BYOD. Incorporating an MDM solution into your business can help you navigate these threats.
- Mobile device management solutions – Mobile device management is security software that enables you to monitor and manage mobile devices across your network. This software gives you better control over laptops, smartphones, tablets, and other devices across your network. Features include remote configuration and monitoring, security policy reinforcement, passcode/remote wipe, data restrictions, logging/reporting, and scalability, to name a few.
- Best mobile security practices for small businesses – Best practices include creating mobile device policies, strict password requirements, incorporating biometric features used in devices, blocking malicious applications, encrypting all data, and more.