Mobile Security

Mobile Security – What You Should Teach Your Employees to Safeguard Your Organization

In March 2020, one of the largest pharmaceutical chains in the US – Walgreens – revealed that they suffered a data leak due to an internal error. Walgreens’ mobile app was affected by a technical error that misconfigured its messaging feature. This allowed some users’ personal messages to be viewed by other users. The leaked data consisted of customers’ names, prescription numbers, drug names, store numbers, and shipping addresses. No financial information or Social Security numbers were exposed.

In a statement, Walgreens mentioned that they “promptly took steps to disable the message viewing feature within the Walgreens mobile app to prevent further disclosure until a permanent correction was implemented to resolve the issue”. While it was not mentioned how many customers were impacted by this incident, it’s safe to assume that the number isn’t small given Walgreens’ massive customer base.

Here, we will discuss the implications of BYOD in the workplace – specifically, mobile devices, their security vulnerabilities, and how to mitigate these risks so as to ensure cybersecurity.

Current trends of BYOD

Bring your own device (BYOD) refers to the growing practice of employees using personal devices to engage in work-related activities. By 2022, the BYOD market value is estimated to reach $366.95 billion. There are numerous benefits of BYOD:

  • It promotes employee efficiency as they are already familiar with the device and its functioning.
  • It boosts productivity as employees are more comfortable with utilizing their own devices to execute tasks. Moreover, most personal devices are installed with the newest software that optimizes operational capacities.
  • It is a cost-effective practice as organizations do not have to bear the expenses for employees’ devices and consequent repairs or maintenance.
  • It provides employees with a higher degree of flexibility as they can complete tasks from anywhere and anytime with minimal restrictions.

While BYOD has been advantageous to organizations in many aspects, it has contributed to an increase in the frequency and sophistication of cyberattacks. Cybercriminals often view personal devices – especially mobile phones – as a gateway to launch larger organizational-level cyberattacks and gain access to coveted and sensitive data. 

Common security threats of mobile devices

Mobile phones are one of the most popular personal devices used in organizations due to their compact size and multi-functionality. However, they can also be affected by security vulnerabilities on different fronts – application, web-based, network, and hardware. In 2020, it was found that 97% of organizations suffered at least one cyberattack via mobile phones.

Data leakage mainly occurs due to the installation of malicious apps. Although these apps look legitimate, they usually ask for a range of permissions that provide access to a device’s folders and files. This can be dangerous as sensitive organizational data can be easily accessed.

It is quite common for employees to store personal and corporate data on their phones. As such, unattended, lost, or stolen mobile devices are a huge security threat to organizations.

Wi-Fi networks are available in most public spaces like malls, coffee shops, and gyms, which enables mobile users to execute tasks from anywhere. However, many of these networks aren’t properly secured, monitored, or encrypted. Threat actors may exploit this weakness to launch IP spoofing or Man-in-the-Middle attacks.

Way too often, employees practice poor password etiquette – they use the same password for both their work and personal accounts. Or, they use very common and weak passwords. This allows cybercriminals to conduct different types of brute force attacks – credential stuffing being the most common one.

Using outdated software and OS versions, as well as failing to apply security patches, can make mobile devices highly susceptible to cyberattacks. This also makes it harder for organizations to detect cyberattacks in time and mitigate the damage.

Phishing is a social engineering practice where victims are contacted via email or a text message by threat actors pretending to be a legitimate professional or an organization, to trick them into sending sensitive data or money, or into installing malware. While malware is a major security concern, another common threat is spyware. Spyware is usually installed by clicking on a malicious link or an illegitimate advertisement. Threat actors can then secretly observe and collect data on their victims. For example, it recently came to light that numerous prominent activists, journalists, politicians, royal family members, etc. were targeted with NSO’s Pegasus spyware.

What you should teach your employees to protect your organization

Mobile phones have become a necessity in today’s digitized society and an essential tool in the corporate world as well. As such, organizations should take the necessary steps to mitigate the risks presented by the above-mentioned vulnerabilities.

  1. Educate your employees on how to operate mobile devices efficiently in the workplace. Raise awareness about the dangers of unchecked vulnerabilities and the possible cyberattacks that may occur as a result. Regular training and testing should be conducted to ensure that they are aware of the cyber safety protocols to be followed.
  2. Make sure your employees understand the importance of updating their devices’ OS to the latest security patches to eliminate any vulnerabilities that cyber attackers could use to their advantage. Invest in endpoint detection and response (EDR) and mobile device management (MDM) tools to further reduce security risks.
  3. Your employees’ mobile phones most probably contain both personal and corporate accounts. Explain to them the importance of good password etiquette. This includes using strong, unique credentials for every account. Additionally, employ encryption tools, multi-factor authentication, CAPTCHAs, etc. for added security.
  4. Instruct your employees to install security controls like antivirus, antimalware, firewalls, etc. on their mobile devices to secure them from any data breaches. Furthermore, maintain proper records of which mobile devices are connected to your organization’s network. Each record should contain the time stamp, location, what information was accessed, and by which employee. Moreover, monitor your organization’s networks and systems for any suspicious behavior.
  5. Explain to your employees why they must be vigilant when downloading apps. They need to ensure that the apps are verified and are from legitimate providers. Elaborate on the importance of being wary of apps that ask for too many permissions to access their devices’ information.
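A minimal review of the device-connection records described in step 4, as an added example and not the article's own code: it parses constructed log lines carrying the fields the article lists (time stamp, employee, device, location, resource accessed) and flags devices missing from a hypothetical MDM enrollment inventory and accesses outside an employee's assigned data scope.

```python
"""Review of BYOD access records against a device inventory and a data-access policy.
All records, inventory entries and policy entries below are constructed for this example."""
from dataclasses import dataclass

# Constructed sample records: timestamp, employee, device id, location, resource accessed.
SAMPLE_RECORDS = """\
2023-05-01T09:02:11Z alice DEV-A1 HQ-London hr/payroll.xlsx
2023-05-01T09:15:47Z bob DEV-B7 Cafe-WiFi finance/q1-report.pdf
2023-05-01T09:20:03Z alice DEV-Z9 HQ-London hr/payroll.xlsx
2023-05-01T09:41:30Z carol DEV-C3 Home finance/q1-report.pdf
"""

# Hypothetical MDM inventory: employee -> device ids enrolled for that employee.
ENROLLED = {"alice": {"DEV-A1"}, "bob": {"DEV-B7"}, "carol": {"DEV-C3"}}
# Hypothetical least-privilege policy: employee -> resource prefixes they may access.
ALLOWED = {"alice": ("hr/",), "bob": ("finance/",), "carol": ("sales/",)}


@dataclass
class Finding:
    employee: str
    device: str
    reason: str


def parse_records(text):
    """Split whitespace-separated record lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, employee, device, location, resource = line.split()
        records.append({"ts": ts, "employee": employee, "device": device,
                        "location": location, "resource": resource})
    return records


def review(records, enrolled, allowed):
    """Return a Finding for every unenrolled device and every out-of-scope access.
    An employee with no policy entry is denied everything (default deny)."""
    findings = []
    for r in records:
        if r["device"] not in enrolled.get(r["employee"], set()):
            findings.append(Finding(r["employee"], r["device"], "device not enrolled in MDM"))
        if not r["resource"].startswith(allowed.get(r["employee"], ())):
            findings.append(Finding(r["employee"], r["device"],
                                    f"access to {r['resource']} outside assigned scope"))
    return findings


if __name__ == "__main__":
    for f in review(parse_records(SAMPLE_RECORDS), ENROLLED, ALLOWED):
        print(f"{f.employee} {f.device}: {f.reason}")
```

Run as-is it reports alice's unenrolled DEV-Z9 and carol's access to a finance file outside her scope; in practice the inventory and policy would be pulled from the MDM and access-management systems rather than hard-coded.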

Educating your employees on responsible digital practices is crucial. However, you must implement multiple levels of security to minimize the risk of successful cyberattacks. Your organization most likely stores large volumes of critical information. The very first step you must always take is to create a robust system of data access management, making sure that each piece of data can only be accessed by those who require access to it to perform their daily tasks.