Mobile Endpoint Security: Still the Crack in the Enterprise’s Cyber Armor

This article originally appeared on Dark Reading.

A combination of best practices and best-in-class technology will help keep your enterprise from falling victim to ever-growing threats.

There are plenty of security solutions in place that protect sensitive data in motion, and at rest in enterprise storage and the cloud, from firewalls to data loss prevention software. But the mobile endpoint is one of the biggest security weaknesses today. Hackers know this and are exploiting it every day — Verizon’s “2020 Mobile Security Report” found that four in 10 companies were breached through a mobile device.

Mobile devices have been at the crux of some of the year’s most notable and high-profile attacks. Amazon CEO Jeff Bezos’ alleged iPhone compromise became a key example of how mobile devices can be penetrated without brute-force hacking or sophisticated techniques.

Simple phishing is the most common way mobile devices are compromised, and this threat is on the rise thanks to the increase in mobile device adoption and the surge in remote work during the COVID-19 pandemic. Not surprisingly, there was a 37% increase worldwide in enterprise mobile phishing between the fourth quarter of 2019 and the first quarter of 2020, according to Lookout. Malicious Wi-Fi hotspots and malicious applications are other common entry points for mobile device compromise.

What Happens if Mobile Device Security Fails

A lapse in mobile endpoint security can present significant threats, particularly when it comes to enterprise environments.

Mobile ransomware payloads can result in some of the worst outcomes, as they are notoriously difficult to detect and remove from mobile devices. Once a malware payload is successfully dropped through a common attack method, such as a text phishing attack or a malicious app download, an attacker can move laterally across the corporate network the device is connected to, locking files across other devices and demanding ransoms.

Spyware payloads provide an attacker with the ability to plug into an enterprise network via the mobile device or even access the device’s microphone, camera, or location services. Information obtained by device snooping can then be sold on the Dark Web to the highest bidder or be used to launch subsequent, sophisticated phishing attacks on other employees.

If an attacker creates a sophisticated phishing attack disguised as a user’s bank, it’s easy to mistakenly enter sensitive account credentials into a phony login prompt on a mobile device. The same can occur with enterprise apps like Microsoft 365 or Dropbox. Entering this login information can give the attackers everything they need to get into a corporate account and exfiltrate critically important company data.

Mobility and Enterprise-Grade Security

There is no way to guarantee security in a mobile world. In addition to device security solutions like endpoint protection, application security solutions such as cloud access security brokers, and basic precautions like avoiding public Wi-Fi and utilizing a VPN, there are other best practices for securing the mobile endpoint. A combination of best practices and best-in-class technology solutions will help safeguard your enterprise from falling victim to ever-growing threats:

  • Ensure device OS and apps are up to date: Make sure any devices connected to a corporate network are updating their operating systems frequently, as many updates include patches for vulnerabilities that can be used by hackers to exploit mobile devices. Turn on “auto update” for applications so that the latest patches for the applications themselves are pushed to the device once available.
  • Use only sanctioned apps: All devices that touch an enterprise environment should download their apps only from official app stores like Google Play and the Apple App Store. Hacker groups have been known to create duplicate apps, available from third-party websites, that are laced with malware.
  • Invest in employee security training: Employees are the weakest security link in an enterprise environment. It’s critical that they have the knowledge and training to not take the bait and click on malicious links or fall for social engineering attempts. Security technologies are often left with limited options once malware has infiltrated a device.
  • Require encryption: Encryption needs to be a requirement on sensitive corporate documents and communications. Your level of encryption should be congruent with the sensitivity of the business your organization conducts. For example, a top financial services firm should be very strict about its document and communication encryption policies and ensure its employees are only using sanctioned communications platforms that are end-to-end encrypted and within the bounds of company compliance regulations.
  • Strong passwords and password management: Implement a stringent company password policy. Require random characters, nothing shorter than 15 characters in length, and ensure employees don’t use the same password across enterprise and personal accounts. It’s also important to utilize the principle of least-privilege access.

The Threat Continues

Mobile device attacks will continue to grow as more devices come online and as business users stay in a remote working environment. By sending, receiving, and storing important corporate data on their personal mobile devices, users are putting their organizations at risk and treating mobile security as an afterthought. It’s critical for enterprise employees to stay vigilant, use best security practices, and not underestimate the value and sensitivity of the data being shared across mobile devices.
