Securing smartphones is difficult but necessary to achieve comprehensive organizational security
The proliferation of mobile devices into the corporate network is drastically changing the security dynamics of enterprises. As more employees work from home and many more access corporate resources on the go, far more devices are logging into the corporate network, and each one weakens enterprise security. As the rules of the game change and mobility becomes part of corporate culture, mobile phones are creating new vulnerabilities in the security architecture, and hackers are increasingly targeting mobile phones as an easy entry point.
There has been a huge surge in mobile malware attacks that send malicious SMS text messages, also known as smishing, and application links to unsuspecting users. According to the Veeam Ransomware Trend Report 2022, the most common entry points for a cyber-attack are still phishing emails, malicious links and websites with dubious underpinnings.
Despite enormous efforts in educating and training employees, cyber criminals consistently manage to get into enterprise networks with innovative approaches that win people's confidence. The pervasive use of smartphones to access enterprise networks has opened another floodgate for criminals to gain entry into the network.
Says Amey Subash Lakeshri, Associate Director, EY, “Today, we want everything on the fingertips—booking cinema tickets, boarding pass, shopping etc—from morning till evening, everything we do is on the phone. So digital transformation is bringing about enormous changes in our lifestyle, but it is also exposing us to greater attacks and vulnerabilities as we are witnessing increased attacks via mobile phone in the last two years.”
There have been enormous changes in our lifestyle from pre-pandemic to post-pandemic days. Says Neehar Pathare, CISO, 63 Moons Technologies, “Indians are spending way more time on the mobile phone in the post-pandemic days, from 3.7 hours to 4.7 hours per individual each day, so naturally the number of attacks is increasing as the time of mobile usage increases.”
Hackers Exploiting Mobile Lifestyle
The pandemic pushed mobile devices to the front and center of our lives. The phone has become far more than a device for communication: we now use it to accomplish many routine tasks, including meetings, financial services, training sessions, tele-consultation for health, attending school classes, grocery shopping, playing games, watching films and listening to music.
This array of activities spanning personal and professional lives, which requires access to company networks, banking information and health care details, is fertile hunting ground for hackers. For instance, there has been a huge increase in the number of mobile attacks, from around 1330 attacks in 2019 to 12,000 attacks this year.
Conducting these activities requires downloading applications, most of which store data in an insecure manner. App downloads have surged exponentially to 2.3 billion, and naturally malicious actors are gravitating towards mobile devices to exploit vulnerabilities.
According to the BlackBerry 2022 Threat Report, 76% of tested mobile applications store data insecurely, which becomes a threat for organizations pursuing BYOD policies and those supporting mobile and remote workers.
Says Yogesh Kumar, Head, IT and Business Applications, Tata Advanced Systems Ltd, “We know that giving OTP is dangerous, but giving permissions when we download apps is even more dangerous. Sometimes giving permission is a precondition for the app to work, and the app wants to know the location, it wants to access the phone directory and photographs, etc., making an ingression into all the private data of the user. So basically, when we download an app, we are allowing the app to control our device.”
In fact, getting access to the phone is rather easy, as there is a lot of personal information floating in public spaces, and this information is used creatively to lure users into clicking malicious links. Says Yogesh, “Today it is easy to know personal details of people from social media platforms such as Facebook where we share everything about ourselves. So, hackers entice people with freebies and offers that appear to be genuine and as soon as you click on the link, the malware installs and waits for an opportune time to ingress into the enterprise network.”
Aiding the process is that people use weak passwords built from familiar combinations such as their name and birth date, which again are easily available in public forums, thanks to social media.
Another challenge arises from the popularity of digital payments, which are immensely convenient but have a flipside, as they often become an entry point for malware. A QR code is a two-dimensional barcode that can be scanned with the built-in scanner on a mobile device, and this provides perfect conditions for malicious actors to push a QR code malware toolkit by replacing legitimate QR codes with fake ones.
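The smishing links and swapped QR codes described above both land on the user as a URL, so a defender's first check is the same in either case: look at the link before anyone taps it. The following is an added example, not code from the article or from any of the organizations quoted in it; it is a small triage routine over a few constructed SMS bodies that flags the usual warning signs (non-HTTPS, IP-literal or punycode hosts, shorteners, user-info tricks, brand names used outside the brand's own domain, credential-lure words in the path). The protected brand names, shortener list and lure words are assumptions a real deployment would replace with its own lists.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Brands this hypothetical organisation wants to protect from lookalike
# domains (assumption; a real deployment loads its own list).
PROTECTED_BRANDS = ("examplebank", "examplepay")
# A few well-known link shorteners that hide the real destination.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
# Words that typically appear in credential-harvesting lures.
LURE_WORDS = re.compile(r"\b(otp|login|signin|verify|kyc|password)\b")
URL_PATTERN = re.compile(r"(?:https?://|www\.)[^\s<>\"']+")


def triage_link(url):
    """Return a sorted list of risk signals for one URL.

    An empty list means no signal fired, not that the link is safe."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    host = (parsed.hostname or "").lower()
    labels = host.split(".")
    # Crude registrable domain: the last two labels (ignores multi-part
    # public suffixes such as .co.in; good enough for a demonstration).
    registrable = ".".join(labels[-2:]) if len(labels) >= 2 else host
    signals = set()

    if parsed.scheme != "https":
        signals.add("not_https")
    if "@" in parsed.netloc:
        signals.add("userinfo_in_url")          # brand@realhost hides the real host
    if host in SHORTENERS:
        signals.add("url_shortener")
    if any(label.startswith("xn--") for label in labels):
        signals.add("punycode_host")            # homoglyph domains encode as xn--
    try:
        ipaddress.ip_address(host)
        signals.add("ip_literal_host")          # legitimate services rarely use bare IPs
    except ValueError:
        pass
    for brand in PROTECTED_BRANDS:
        # Brand name appears in the host but the host is not under brand.<tld>
        if brand in host and not registrable.startswith(brand + "."):
            signals.add("brand_lookalike:" + brand)
    if LURE_WORDS.search((parsed.path + " " + parsed.query).lower()):
        signals.add("credential_lure_keywords")
    return sorted(signals)


def triage_message(text):
    """Extract every link from an SMS body (or a decoded QR payload) and triage it."""
    links = [m.group(0).rstrip(".,;:!?)") for m in URL_PATTERN.finditer(text)]
    return {link: triage_link(link) for link in links}


# Constructed sample messages for a stand-alone run (not real traffic).
SAMPLE_MESSAGES = [
    "Your statement is ready: https://secure.examplebank.com/statements",
    "Dear customer, KYC pending. Verify now http://examplebank.com.kyc-update.net/login?otp=1",
    "Parcel held. Pay fee at http://192.0.2.10/verify",
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        for link, signals in triage_message(msg).items():
            print(link, "->", signals or "no signals")
```

The signals are deliberately independent of each other, so a message-filtering gateway or a user-facing warning can weight them as it sees fit; the one thing the routine never does is declare a link safe, since a clean-looking link can still lead to a phishing page.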
The Threat to Business and How to Overcome
Given that mobile usage has become ubiquitous in people's lives, the phone is no longer a personal device. The challenge for enterprises in securing mobile devices is exactly this: where does the personal space end and when does the phone become a business tool?
Even if the device is owned by the organization, it is difficult to enforce discipline because in many ways the device blurs the boundaries of a personal device, and therefore extending enterprise security to mobile devices is particularly challenging. So how is this threat panning out in businesses, and how are enterprises addressing the challenge?
Says Neehar of 63 Moons, “Primarily the mobile device presents three kinds of threats. One is that the screen is small and leads to inadvertent mistakes by users who may click on links that they would not normally do. Second and more importantly is the threat that emerges from stolen devices. And finally, mobile devices are used as a gateway to enterprise resources where the hacker is not interested in the phone data but wants to use it as an access point to more critical data.”
To counter these kinds of attacks, a robust security architecture comprising VPN, multi-factor authentication and identity-based access to resources must be implemented and enforced.
As experienced senior IT leader Satyavrat Misra, Vice President and Head, Corporate IT, Godrej Industries says, “A common threat to mobile devices arises when users tap into public wi-fi networks and hackers take possession of unencrypted data by using the man-in-the-middle technique.”
Across the world, there has been a significant increase in attacks on mobile phones. Researchers at Proofpoint detected a 500% jump in mobile malware delivery attempts in Europe in the first few months of 2022, just as mobile devices in North America had been facing a similar onslaught. For instance, North America experienced a 300% increase in smishing attacks in just the third quarter of 2020.
“A phishing/smishing link is a common way to gain entry into the mobile device wherein the malicious actor tries to trick the user into using the credentials on a fake place, while a mobile malware can lie in wait until the time the user activates a financial application for transaction and steal the data,” says Satyavrat of Godrej Industries.
Although the primary aim of phone malware is to steal user names and passwords for email and bank accounts, it is easy to underestimate the risk mobile hacking poses to an organization. Organizations should therefore operate on the assumption that a phone can be lost or hacked, and put corporate security strategies in place to combat it. This includes backing up mobile devices, having a data classification policy that identifies data that should never leave the network, and educating employees to make informed decisions about what kind of data should be copied to a mobile device.
Educating employees must be a key plank of countering cyberattacks. Employees should be trained during onboarding about the dangers of clicking on malicious links, being wary of using public wi-fi, how to identify phishing emails and spoofed accounts, and setting up strong passwords for phones. It is also important that employees undergo annual refresher courses to keep this information current.
“Often employees have pre-conceived notions like iOS is more secure, but when people voluntarily give permission to access data, the application can create instability,” says Yogesh.
Mobile device management, or MDM as it is generally known, is crucial in extending corporate-grade security to mobile devices and helps to implement several complex solutions. MDM enables organizations to control and monitor devices in several ways, including locking and wiping data remotely; encrypting data; delivering configurations and updates remotely; access control features; and data containerization.
Satyavrat of Godrej Industries says, “I think MDM is a missed opportunity during the pandemic, but we see significant momentum in adoption now. Yet implementing MDM is a complex thing as mobile is seen as a personal device and people do not adhere to guidelines. At the same time, while MDM is a great way to extend corporate security, its implementation needs to be simplified for easy roll out.”
Yogesh from Tata Advanced Systems also adds that rolling out MDM is difficult, as people tend to view the mobile phone as a personal device and are wary of blocking social media and other applications that have become part of their lifestyle.
A better way to control and secure the phone from a corporate perspective is to enforce containerization, wherein personal and professional data are stored in separate containers. This keeps the data secure in case of attack: company data is encrypted and hackers are not able to access critical data.
Securing the enterprise has become more complex in the post-pandemic era, as it is not just perimeter fencing that is required; it is equally crucial to secure every mobile device and smartphone employees use to access corporate information, not just within the company premises but also as employees work remotely from the comfort of homes, cafes and public spaces, accessing the mobile Internet and public wi-fi. Technologies such as MDM enable data to be wiped remotely in case of theft, but effective MDM implementation remains a challenge.
There is no silver bullet to secure the organization and its mobile devices. However, experts agree that security policies must be carefully implemented after due weight is given to data discovery and evaluation: what kind of data there is, where it resides, which kind of data needs attention and how to secure it. Also, good practices such as revoking permissions from apps that are not used will go a long way in keeping the device secure.
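The MDM capabilities listed earlier (remote lock and wipe, encryption, access control) and the containerization just described come together in the compliance decision an MDM or conditional-access service makes for every enrolled device. The following is an added example, not code from the article or from any MDM product: a small policy evaluator that takes a constructed posture report per device and returns one enforcement action with its reasons. It shows why a work container matters on BYOD hardware: a lost personal phone can have only its work container wiped, whereas a corporate-owned asset is wiped outright. The minimum OS versions, the posture fields and the ordering of actions are assumptions, not any vendor's defaults.

```python
from dataclasses import dataclass

# Minimum OS versions this hypothetical policy accepts (assumption, not vendor guidance).
MIN_OS_VERSION = {"android": (12, 0), "ios": (15, 0)}


@dataclass
class DevicePosture:
    """Posture report an MDM agent would send for one enrolled device (constructed fields)."""
    device_id: str
    platform: str              # "android" or "ios"
    os_version: tuple          # (major, minor)
    corporate_owned: bool      # False means BYOD
    encrypted: bool            # storage encryption enabled
    screen_lock: bool          # PIN or biometric lock configured
    rooted_or_jailbroken: bool
    work_container: bool       # corporate data lives in a managed work profile
    reported_lost: bool = False


def evaluate(posture):
    """Map one posture report to an enforcement action plus the reasons for it.

    Actions, most to least severe: wipe_device, wipe_work_container, block,
    remediate, allow. The first matching rule wins, because the more severe
    action already covers the lesser ones."""
    reasons = []
    if posture.reported_lost:
        reasons.append("device reported lost or stolen")
        if posture.corporate_owned:
            return "wipe_device", reasons           # company asset: wipe everything
        if posture.work_container:
            return "wipe_work_container", reasons   # BYOD: remove only company data
        return "block", reasons                     # nothing to wipe selectively; cut access
    if posture.rooted_or_jailbroken:
        reasons.append("OS integrity compromised")
        return "block", reasons
    if not posture.encrypted:
        reasons.append("storage not encrypted")
    if not posture.screen_lock:
        reasons.append("no screen lock")
    if posture.os_version < MIN_OS_VERSION.get(posture.platform, (0, 0)):
        reasons.append("OS version below policy minimum")
    if not posture.corporate_owned and not posture.work_container:
        reasons.append("BYOD device without a work container")
    if reasons:
        return "remediate", reasons   # user gets instructions; access resumes once fixed
    return "allow", reasons


def apply_policy(postures):
    """Evaluate a whole fleet and return {device_id: action}."""
    return {p.device_id: evaluate(p)[0] for p in postures}


# Constructed fleet for a stand-alone run.
FLEET = [
    DevicePosture("d1", "ios", (16, 4), True, True, True, False, True),
    DevicePosture("d2", "android", (11, 0), False, True, False, False, True),
    DevicePosture("d3", "android", (13, 0), False, True, True, True, True),
    DevicePosture("d4", "ios", (16, 0), False, True, True, False, True, reported_lost=True),
    DevicePosture("d5", "android", (13, 0), True, True, True, False, True, reported_lost=True),
    DevicePosture("d6", "android", (13, 0), False, True, True, False, False),
]

if __name__ == "__main__":
    for p in FLEET:
        action, why = evaluate(p)
        print(f"{p.device_id}: {action} {why}")
```

The "remediate" branch collects every failed check rather than stopping at the first, so the user sees the full list of fixes in one message; the destructive branches return immediately, since a wipe makes the remaining checks moot.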