Once upon a time, enterprises dealt with a single set of devices — their own desktop computer systems — and a user base that was 100% dependent on their in-house solutions. Whether the company opted to build their own legacy systems, hire an outside contractor to build a system for them, or bought an off-the-shelf solution, they had total control over the software, network, devices, and by extension, the users. Users couldn’t install whatever they wanted on their machines, and if they did, IT identified the software and gave it the ax. Sometimes, the employee’s job got the ax, too.
But as in all fairy tales, the dragon arose. The dragon in our story came in the form of mobile devices and apps. A mobile workforce demanded it. IT lost control of much of the network activity, devices, and users. The Age of the Mobile Threat is upon us. But this dragon can be slain. It just requires knowing what threats are facing the enterprise and what can be done to fix it. Here are the scariest dragons in our midst and how you can protect your kingdom.
1. A Lacking Mobile Use Policy
There are three cities in the kingdom: the city with a BYOD policy, the city with a solid mobile use policy (for environments in which the company owns the devices), and the city that has neither. Yes, this city is filled with mobile users and devices, but is woefully unprotected because no use policy is in place. This is a simple fix. Implement a strong mobile policy and make sure the policy is enforced consistently and religiously from the top down. Be sure to include regulations for authentication, where and how passwords will be stored, and policies regarding what devices, apps, Wi-Fi, etc. will be allowed and disallowed.
2. Lacking an Educated User Base
It’s easy to wish users weren’t so clueless. It’s harder to make sure your user base is educated, informed, and regularly updated about the threats out there and how to protect against those threats. The ‘insider threat’ is much more about users that are ignorant than it is about users who are deliberately up to no good. Users need to know why certain emails aren’t safe to open, when it’s okay to use Wi-Fi services and when it isn’t, and why a lost or stolen device is such a critical security issue. Make it clear that mobile security is not just IT’s job; it is everyone’s job.
3. “Man in the Middle” Attacks
A man in the middle attack falls under the umbrella of connection hijacking, and it is the most common kind of mobile threat. It most often happens when a user logs onto your system using a public Wi-Fi hotspot, such as those found in hotels, coffee shops, restaurants, and malls. As the user attempts to log into the system, a nearby hacker hijacks the connection using a rogue access point. The hacker is now the “man in the middle”. The hacker can monitor the transactions between the user’s device and your network, steal sensitive data, forge the legitimate certificate, and engage in DNS poisoning.
4. Legitimate Apps that Mine Your Data
Mobile malware and free public Wi-Fi access isn’t even where the majority of your data gets stolen. Much of the theft occurs as apps installed on users’ mobile devices track the device, user activity, login info, data shared via email, etc. This information can be obtained by the app and sent to virtually anyone, anywhere without your knowledge or the user’s knowledge. Worse, since these apps aren’t “malicious”, even if the user has installed and updated anti-malware, they just breeze right through without raising any alarm.
Mobile attacks are growing in terms of frequency, severity, and sophistication. It takes a vigilant bunch of IT specialists, indeed, to slay this dragon. Learn how to protect the good citizens of your kingdom in the free Mobile Security and Analytics Webinar by Skycure.