• Sun. Apr 19th, 2026

Christina Antonelli

Connecting the World, Technology in Time

How MSPs and CISOs Can Keep Client Networks Safe from Intrusion via Mobile Devices

According to a recent report released by the cybersecurity firm Kaspersky, 2023 was a record year for attacks on mobile devices. The report on the mobile threat landscape documented over 33 million attacks during 2023, marking a 50 percent increase from the previous year.

The damage can be costly for the individual victim of those attacks. However, it can be catastrophic for the organization where the victim works.

“These devices can pose a significant threat to network security, especially because people often neglect their security measures compared to other devices,” warns Marcelo Barros, Global Markets Leader of Hacker Rangers.

Barros is an IT veteran with a passion for cybersecurity who has played an instrumental role in delivering cutting-edge cybersecurity solutions and services to clients around the world. Hacker Rangers is an online computer security training platform that leverages gamification to make cyber awareness fun and engaging for organizations worldwide. It enhances in-house cybersecurity programs by keeping employees up to date on the latest cybersecurity threats and the most effective ways to neutralize them.

The threat Barros highlights has become more severe over the past several years as remote work has become more widespread. When a mobile device connects with a company’s network — whether by accessing an HR platform, a CRM system, or even Slack — it opens the door to sensitive information, and if that door is not well protected, it becomes a vulnerability in the company’s cybersecurity framework.

“It’s important to remember that most people use the same mobile device for both work and personal use,” Barros points out. “Most policies allow users to bring their own devices and connect to company applications and networks, so their security cannot be guaranteed by IT teams.”

To address this new threat, managed service providers (MSPs) and chief information security officers (CISOs) must take special steps to ensure the networks are safe from intrusion via mobile devices.

Encourage strong authentication

One of the easiest ways for an attacker to gain unauthorized access to a corporate network is by stealing an employee’s login credentials. According to IBM’s 2024 Cost of a Data Breach report, stolen or compromised credentials were the second most common initial attack vector.

Additionally, mobile phone thefts are extremely common, with a recent report on crime in London revealing that a phone theft occurs every six minutes in the city. Laptop theft is even more common, with statistics showing a theft every 53 seconds in the US.

Strong authentication protocols, such as multi-factor or biometric authentication, can prevent a stolen credential or device from becoming an open door to the company’s network. At the very least, MSPs and CISOs should encourage users and employees to utilize strong passwords. Another recent report from Kaspersky revealed that 45 percent of passwords could be guessed by cyberattackers using brute force attacks in 60 seconds or less.

Ensure regular security updates

Applications on mobile devices regularly issue updates to address security vulnerabilities. However, if users don’t activate those updates, their devices remain vulnerable and expose the entire network to the same weaknesses.

MSPs and CISOs should communicate regularly with users to ensure controls are enhanced with bug fixes, new malware signatures, and other updates that could impact a mobile app’s security capabilities. Announcements that draw users’ attention to feature enhancements, as well as security upgrades, can be more effective in motivating users to take action.

Promote user education and awareness

“Enforcing strong authentication, ensuring regular security updates, and promoting user education and awareness are all important steps toward addressing the vulnerabilities presented by mobile devices,” Barros says. “We often see the last step — promoting user education and awareness — being strongly neglected. Many companies struggle to regularly educate users about the risks associated with mobile devices and provide training on safe practices, such as recognizing phishing attempts and avoiding insecure Wi-Fi networks.”

The steady increase in mobile device usage in the business world has created the need for a new category of employee training focused on mobile cybersecurity. As the workplace has become more distributed in the aftermath of the COVID-19 pandemic, the need for that type of training has become even more urgent.

Ideally, training will provide a general understanding of the unique vulnerabilities that mobile devices introduce to the threat landscape, as well as the specific types of attacks levied in that landscape. By helping employees identify potential attacks and take the necessary steps to repel them, companies can address a common weak spot. 

“Phishing attacks, malware, unsecured Wi-Fi connections, and lost or stolen devices are just some of the risks,” Barros says. “The portability and personal use of mobile devices increase their vulnerability, making them critical points of focus for companies’ cybersecurity efforts, especially when it comes to awareness training.”

Mobile devices have empowered new levels of efficiency in the business world by increasing accessibility and portability, but they have also introduced new dangers. As a result, MSPs and CISOs must find ways to balance the cybersecurity risks of mobile devices with the enhanced capabilities they provide. Encouraging strong authentication, ensuring regular security updates, and promoting user education and awareness are all steps in achieving a more secure organization.

By admin