The risk of attack is getting closer – mobile devices in focus
Smartphones are part of everyday life, whether for private or professional use. However, while many users have taken basic measures to protect their desktop PC or laptop, this is not the case for mobile devices. A study by Consumerreports.org showed that in 2014 one third of all American smartphones did not have a single security measure: no PIN code, no anti-virus software, let alone encryption. This may look different for professional and enterprise-managed devices, but many people use their personal mobile device at least partly for professional purposes. This means that links, files, photos, contacts and other internal company data are stored on personal smartphones, which makes them easy pickings for a thief or digital attacker.
It is no wonder that the Federal Office for Information Security (BSI) in Germany has recently warned consumers of increasing hacking attacks on smartphones, tablets and laptops. “These devices are often only inadequately protected and are easy prey for cybercriminals,” says BSI President Arne Schönbohm. According to Schönbohm, the BSI detects three critical weaknesses in the most common software products on average every day. For the Android operating system, more than 15 million malicious programs exist. According to the BSI, there is also a strong increase in the distribution of spam messages with malicious attachments.
Most attacks are economically motivated. When computers in company networks are well protected, smartphones are easier targets. A smartphone without protection can contain precisely the information needed to launch a successful spear phishing attack.
Spear phishing is often used in conjunction with CEO fraud, which is currently a major trend in targeted attacks. This involves tricking employees, either by email or telephone, into believing that a senior executive urgently needs to transfer files and documents. A study by cybersecurity vendor Proofpoint found that CEO fraud attacks increased by 45 percent between July–September 2016 and October–December 2016. Companies of all sizes were affected, especially in manufacturing, retail and the technology sector. To trick employees, the attackers must have extensive and privileged internal information. This does not have to consist of hard facts; attackers often rely on referring to email history, project responsibilities, and existing documents. This is exactly the kind of data that is stored on a smartphone, even if it is only sometimes used for business.
Professional information on mobile devices must be protected, no matter whether the device is used privately or for business. This can be done, for example, by using digital containers, which protect sensitive data like a virtual safe that only releases data once a secure connection to the company network is established. It goes without saying that secure connections to a company network should be made through a Virtual Private Network (VPN) with two-factor authentication. Standard security measures should not be neglected just because the mobile device is running Android or iOS. Backup, anti-virus software and spam filters ensure security and prevent many unnecessary incidents.