We still call the mobile devices in our pockets “phones,” but they’re really much more than that.
Today’s mobile “phone” is a networked computer, a data storage device, a navigational device, and a sound and video recorder. It’s a mobile bank and social network hub, a photo gallery, and so on. All of these functions make our mobile devices extremely attractive targets for malicious actors.
Phone security is the countermeasure to their malicious attacks. It’s about defending against the wide range of mobile security threats confronting our mobile devices.
What is phone security?
Phone security is the practice of defending mobile devices against a wide range of cyber attack vectors that threaten users’ privacy, network login credentials, finances, and safety. It comprises a collection of technologies, controls, policies and best practices.
Understanding mobile security threats
Attackers are after our phones. They want to take control of them so they can use our mobile processing chips to mine cryptocurrencies or make them part of botnets. They are after our identities and accounts, which they can steal and sell for as low as pennies and as high as thousands. Our mobile wallets and financial information can be hijacked for the benefit of thieves.
Mobile security threats also include theft of login credentials for corporate networks. Indeed, mobile phishing attacks, which use texts and emails to trick recipients into clicking on malicious URLs, are up 85% in the last year.
What are mobile security threats?
A mobile security threat is a means of cyber attack that targets mobile devices like smartphones and tablets. Similar to a hacking attack on a PC or enterprise server, a mobile security threat exploits vulnerabilities in mobile software, hardware, and network connections to enable malicious, unauthorized activities on the target device.
Mobile security threats to watch out for
Unfortunately, there are many different kinds of mobile security threats. New attacks regularly come to the attention of cybersecurity experts. The following are among the most common:
- Web-based mobile threats. Mobile websites can download malware onto our mobile devices without our permission or awareness. Phishing is a typical way attackers get us to click on links to sites containing mobile threats. For example, a hacker might set up a website that looks legitimate (e.g. like our banking site) to capture our login credentials. What can we do about web-based mobile threats? Security software on our phones can help detect malicious websites and phishing attempts. It also pays to be extra careful and attentive. For example, the IRS will never send an email requesting our tax data. (They only use the US Postal Service.) An email pointing to an IRS website is almost guaranteed to be a scam.
- App-based threats. Hackers create malicious apps that we download or even buy. Once installed, these apps can steal our personal data from our devices or spend our money with our tap and pay apps. It’s a good practice to check charges and purchases carefully. Keeping mobile software up to date also helps defend against malicious apps, as device makers periodically update their software to patch vulnerabilities that these apps exploit. The goal is to protect the information stored on or accessible through the device (including personally identifiable information, or PII, social accounts, documents, credentials, etc.).
- Network threats. Mobile devices are usually connected to at least two networks, and sometimes more. These include cellular connections, Wi-Fi, Bluetooth and GPS. Each of these points of connection can be exploited by hackers to take over a device, trick the user or penetrate a corporate network. WiFi spoofing, for example, is a threat in which an attacker simulates an open WiFi network and tricks users into connecting to it, then sniffs the sensitive data passing through that network. The suggested best practices are to switch off antennas that are not in use and make sure security settings are configured to prevent unauthorized WiFi access.
- Physical threats. This may sound obvious, but mobile devices are small and easy to steal. They also get lost pretty often. Without adequate security, a stolen mobile device is a treasure trove of personal and financial information for a crook. To mitigate physical threats to mobile devices, it’s wise to establish strong passwords and set up the device to lock itself when not in use. Anti-theft tracking software also helps recover a phone that’s gone missing.
Malicious code sometimes even hides inside well-known and useful free apps, which exploit vulnerabilities or take advantage of certain permissions to then download the malicious component onto the phone. When an app asks for these permissions, it’s important to check that their use is justified.
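One way to review whether the permissions an app requests are justified by what it claims to do, as an added example that is not part of the original article. The permission names are real Android identifiers; the per-category baseline and the sample app inventory are constructed assumptions.

```python
# Added example: flag sensitive Android permissions that an app's stated
# purpose does not explain. Baseline and sample data are assumptions.

# Real Android permission names with the capability each one grants.
SENSITIVE = {
    "android.permission.READ_SMS": "read text messages",
    "android.permission.SEND_SMS": "send text messages",
    "android.permission.READ_CONTACTS": "read the address book",
    "android.permission.RECORD_AUDIO": "record from the microphone",
    "android.permission.CAMERA": "take photos and video",
    "android.permission.ACCESS_FINE_LOCATION": "read precise location",
    "android.permission.REQUEST_INSTALL_PACKAGES": "prompt to install other apps",
}

# Assumed baseline: sensitive permissions each app category plausibly needs.
EXPECTED = {
    "flashlight": set(),
    "navigation": {"android.permission.ACCESS_FINE_LOCATION"},
    "messaging": {"android.permission.READ_CONTACTS",
                  "android.permission.RECORD_AUDIO",
                  "android.permission.CAMERA"},
}

def unjustified(category, requested):
    """Sensitive permissions requested but not expected for the category.
    An unknown category has no baseline, so every sensitive one is flagged."""
    allowed = EXPECTED.get(category, set())
    return sorted(p for p in requested if p in SENSITIVE and p not in allowed)

def audit(apps):
    """Map app name -> unjustified permissions, omitting clean apps."""
    report = {}
    for app in apps:
        extra = unjustified(app["category"], app["permissions"])
        if extra:
            report[app["name"]] = extra
    return report

# Constructed sample inventory (hypothetical apps, not real products).
SAMPLE_APPS = [
    {"name": "Bright Torch", "category": "flashlight",
     "permissions": ["android.permission.INTERNET",
                     "android.permission.READ_CONTACTS",
                     "android.permission.REQUEST_INSTALL_PACKAGES"]},
    {"name": "City Maps", "category": "navigation",
     "permissions": ["android.permission.INTERNET",
                     "android.permission.ACCESS_FINE_LOCATION"]},
]

if __name__ == "__main__":
    for name, perms in audit(SAMPLE_APPS).items():
        for p in perms:
            print(f"{name}: {p} ({SENSITIVE[p]})")
```
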
What Can Companies do to Implement Mobile Security?
Organizations that provide mobile devices to their employees or let them use their personal devices for work must first establish strong security measures. The risks are simply too high for IT departments and CISOs to treat mobile security as a secondary priority. Based on our experience working with enterprises in mobile security, we recommend taking the following steps:
- Establish a clear mobile usage policy.
Mobile devices should be included in organization-wide security policies. Mobile security policies ideally will cover acceptable use, anti-theft measures, mandatory security settings and more. The policy framework must include compliance monitoring and the remediation of deficiencies.
- Segment data and apps on enterprise devices.
It is a good practice to segment mobile users into role-based groups with varying levels of access privilege. This reduces the exposed attack surface area if one device gets compromised. Segmenting applications will also prevent users from installing unwanted software that might end up infiltrating your network.
- Encrypt and minimize visibility into devices that have access to the company network.
If a device gets compromised or stolen, it’s best if the malicious user cannot easily access data on the device. Nor should taking over a mobile device become a free pass to the enterprise network. Achieving this objective involves including mobile device identities and users in a comprehensive identity and access management (IAM) system.
- Install security software on mobile devices.
This is a basic, but essential countermeasure. SecOps teams should treat mobile devices like any other piece of hardware on the corporate network.
- Monitor user behavior.
Mobile users often don’t know their devices are compromised, or how they sometimes put themselves at risk. Monitoring user behavior can reveal anomalies that could point to an attack that is underway. Automated monitoring will also prove crucial in making sure your organization’s mobile security policies aren’t infringed.
- Build mobile security awareness through training.
People are accustomed to consumer-type freedoms on mobile devices. It’s a wise policy to build awareness of corporate security risks inherent in mobile technology. Security training programs ought to include the topic of keeping mobile devices secure, what activities belong on their enterprise devices (and which ones don’t), and what day-to-day practices they can implement to avoid falling victim to common threats.
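The segmentation, mandatory-settings and IAM steps above can be combined into a single access decision, sketched here as an added example that is not part of the original article. The role names, resources and device posture fields are hypothetical.

```python
# Added example: role-based segmentation plus a device posture gate, so a
# compromised or non-compliant device is not a free pass to the network.
# Roles, resources and posture fields are hypothetical.
from dataclasses import dataclass

# Role-based groups with different levels of access privilege.
ROLE_RESOURCES = {
    "sales": {"crm", "email"},
    "finance": {"erp", "email"},
    "contractor": {"email"},
}

@dataclass
class Device:
    owner_role: str
    encrypted: bool
    screen_lock: bool
    security_app: bool
    reported_lost: bool = False

def posture_gaps(device):
    """List every mandatory security setting the device fails."""
    checks = {
        "storage not encrypted": device.encrypted,
        "no screen lock": device.screen_lock,
        "security software missing": device.security_app,
        "reported lost or stolen": not device.reported_lost,
    }
    return [gap for gap, ok in checks.items() if not ok]

def decide(device, resource):
    """Return (decision, reasons). Role is checked first, then posture;
    the reasons double as the remediation list for a denied device."""
    if resource not in ROLE_RESOURCES.get(device.owner_role, set()):
        return ("deny", [f"role has no access to {resource}"])
    gaps = posture_gaps(device)
    return ("deny", gaps) if gaps else ("allow", [])

if __name__ == "__main__":
    # Constructed sample devices.
    healthy = Device("sales", True, True, True)
    stolen = Device("finance", False, True, True, reported_lost=True)
    print(decide(healthy, "crm"))
    print(decide(healthy, "erp"))
    print(decide(stolen, "erp"))
```
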
Securing Your Phone
In 2017, the number of new mobile malware variants increased by 54%. This makes it more crucial than ever to take the necessary steps to protect your personal device from mobile threats.
- Set up fingerprint or face recognition
Losing your phone is probably not uncommon, and having a secure passcode (especially something like fingerprint/facial recognition) will keep your phone safe from anyone who might happen to find it.
- Use a VPN
VPNs essentially provide you with a secure phone connection to a private server, instead of you having to share it with everyone else on the public network. This means that your data is safer because it is encrypted as it travels from server to server.
- Enable data encryption
Many devices already have encryption enabled. If your device doesn’t, you’ll need to set that up. Data encryption can protect your information from hackers by scrambling it in a code they don’t recognize as it travels from server to server (when it’s most vulnerable).
- Set up remote wipe capabilities
This ability enables you to remove any data from your phone, even if you no longer have the physical phone itself. It’s a great safety feature in case your phone is lost and you can’t find it. The process to set up remote wipe differs by device. This guide from the IT department at Northern Michigan University will outline how to enable remote wipe, whatever device you have.
How Can You Make Your Android or iPhone More Secure?
Mobile Protection for Android Users
1. Only buy smartphones from vendors who issue patches for Android
2. Do not save all passwords
3. Use two-factor authentication
4. Take advantage of built-in Android security features
5. Make sure your WiFi network is secure (and be careful with public WiFi)
6. Use the Android security app
7. Back up your Android phone’s data
8. Buy apps only from Google Play
9. Encrypt your device
10. Use a VPN
Mobile Protection for iPhone Users
1. Keep your iPhone operating system (iOS) up to date
2. Activate the “find my iPhone” feature
3. Set up a passcode longer than the 4-number preset
4. Enable two-factor authentication
5. Set the phone to “self-destruct” i.e. wipe itself after 10 failed password attempts
6. Regularly change your iCloud and iTunes passwords
7. Avoid public Wi-Fi and only use secure Wi-Fi
8. Use only trusted iPhone charging stations
9. Disable Siri on the iPhone lock screen
10. Revoke app permissions to use the camera, microphone, etc.
As hackers continue to target mobile devices, it’s time to take phone security and mobile security threats more seriously. Mobile devices are just as vulnerable as, if not more vulnerable than, PCs and other types of computer hardware. They are exposed to threats in the form of malware, social engineering, web attacks, network attacks, and physical theft.
Whether you are in charge of an organization’s security, or you are looking to protect your own gadgets, be someone with a plan. Start with awareness training and robust security policies, and then move towards taking more technical countermeasures to mitigate the risk.