The biggest threat to your mobile device management security strategy: Your people
Weekly, even daily, there’s another story about ransomware, a corporate breach, or the leak of sensitive data due to a mishandled mobile device. Yes, if your mobile device management (MDM) security strategy has controls properly set and policies in place, then your risk can be reduced. However, risks can come through avenues that your MDM isn’t going to be able to prevent.
“For instance, a well-crafted phishing email comes in and it’s going to go through the MDM system just fine like any other email,” warns Matthew Cross, Vox Mobile’s Senior Director of Technology Services. “Your first line of defense is your end users.”
Your end users are your biggest risk, and making sure they’re educated on what to look for could close the biggest gap in your mobile device security strategy.
Educate employees on mobile security
Phishing emails and texts
Phishing emails have been around for a long time and are getting more sophisticated. They often look like real emails from financial institutions, friends, or even colleagues within the company. However, they are just a bit off, and a closer look makes those clues stand out. Even with precautions in place, phishing emails are a prevalent way for cybercriminals to hijack corporate email accounts and infect computer networks.
Once an organization exceeds 1,000 employees, the likelihood of a phishing incident reaches 85% and continues to increase exponentially as the employee count climbs. These incidents often go unnoticed as malware is deployed, credentials are stolen, remote access is gained, data is stolen, and additional compromises happen.
And now mobile phishing, using texts, is on the rise. Since more users are relying on their smartphones and tablets, and texting is a common form of communication, hackers have found ways to exploit those vulnerabilities as well. From shipping and prize notifications that link to fraudulent sites to tech support notifications that ask users to provide passwords and other sensitive details, users are less suspicious when they receive these kinds of texts.
Educating users on what phishing attacks look like on a variety of devices is key. They also need to know how to react to requests for information and how to ensure any communications they receive are from trusted sources.
“Just because an app is free and looks like fun, doesn’t mean you should download it,” advises Tristan Sitz, Technical Pre-sales Engineer at Vox Mobile. “Be picky. You wouldn’t just eat something a stranger handed you.” From innocuous spyware—think Facebook—to business-ending ransomware, malicious apps carry a dangerous payload.
This is especially important on personal devices and bring your own device (BYOD). Let’s say a user downloads a Sudoku game and it ends up being spyware or ransomware. Your corporate data is safe if you have a mobile device management platform and corporate and personal data are siloed. Unfortunately, the personal data on the device probably is not, so educating users on how to protect themselves when using BYOD can incentivize them to be more cautious.
When it comes to corporate-owned devices, depending on the security requirements of your organization and the restrictions of your industry, you may not want to include even everyday apps that could infringe on your security (like Facebook). It comes down to this: just because someone wants an app on their device doesn’t mean they should have it.
Social engineering remains a top cause of data breaches on mobile devices. Manipulating users into making security mistakes or giving away sensitive information can be very lucrative and easy, and it usually involves getting them to click a malicious link or open a file.
Mobile users are at higher risk because mobile devices only display the sender’s name, making it easier to trick the reader into thinking the message is from someone they know. The limited display area, with smaller text and larger buttons, prompts users to respond to attacks from their devices. What makes this even worse is the way people often multitask while using their devices, which amplifies the effectiveness of the attack.
Educating users on what to look out for and teaching them not to “just react” to a message is the foundation for preventing these attacks. Have double- or triple-check protocols in place before someone shares sensitive data or makes a payment to an organization that may look legit but may not be. The more sophisticated your training against social engineering, the better your users can outsmart these attacks.
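One way to catch the sender-name trick described above before a message reaches a phone, as an added example that is not part of the original article: a gateway-style check that compares the name a mobile client would display with the address behind it. The trusted domain, directory entries and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: the organization's own mail domain and a
# directory mapping staff display names to their real addresses.
TRUSTED_DOMAIN = "example.com"
DIRECTORY = {
    "dana whitfield": "dana.whitfield@example.com",
    "it help desk": "helpdesk@example.com",
}

def normalize(name):
    """Lower-case and collapse whitespace so 'IT  Help Desk' still matches."""
    return " ".join(name.lower().split())

def check_sender(raw_message):
    """Return (verdict, display_name, address) for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rpartition("@")[2]
    known = DIRECTORY.get(normalize(display))
    if known and address != known:
        # The name a phone shows belongs to a colleague; the address does not.
        return ("display-name-mismatch", display, address)
    if domain != TRUSTED_DOMAIN:
        return ("external", display, address)
    return ("internal", display, address)

# Constructed sample messages (headers only), not real traffic.
SAMPLES = [
    "From: Dana Whitfield <dana.whitfield@example.com>\nSubject: Q3 deck\n\n",
    "From: Dana Whitfield <dana.whitfield@mail-example.net>\nSubject: Urgent wire\n\n",
    'From: "IT  Help Desk" <support@helpdesk.invalid>\nSubject: Password expiry\n\n',
    "From: Parcel Updates <notify@courier.test>\nSubject: Delivery\n\n",
]

def triage(samples=SAMPLES):
    """Verdict for each sample, in order."""
    return [check_sender(s)[0] for s in samples]

if __name__ == "__main__":
    for raw in SAMPLES:
        verdict, name, addr = check_sender(raw)
        print(f"{verdict:22} {name!r:20} {addr}")
```

A gateway could use the mismatch verdict to tag the subject line or quarantine the message, so the warning is visible even on a client that hides the address.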
Lost and stolen devices
Before the implementation of MDM solutions, when an unmanaged device was lost or stolen, the threat of that device being hacked and opening a portal into your organization was pretty high.
“If a device is stolen or lost and the user doesn’t report it until a week later, that’s a week that the device could be compromised,” explains Cross. “If the missing device was reported right away, it could have been wiped of all the corporate information.”
Sometimes people are afraid to admit they lost a device, or they think it will turn up. What they don’t realize is that with every hour the device is missing, it becomes more likely to be compromised and a breach could occur. Setting policies that influence users to report devices can really help you maintain control over those devices, both personal and corporate-owned. Once reported, the device can be locked and wiped, making it of no use to whoever has it.
Sitz reminds us, “The securest devices are the ones no one can use.”
Protecting your devices and your people
Building a secure mobility management foundation that can last doesn’t have to be difficult. With Vox Mobile as your managed mobility services partner, you know your mobile devices are protected. Our decades of experience managing mobile device security strategy for customers in all industries means we’ve seen it all and we’re constantly finding ways to outmaneuver the bad guys. We make it possible for you to gain visibility and control of your mobile devices, apps, and data, and provide you with proven best practices when it comes to developing and enforcing security policies for users.
Find out how Vox Mobile’s enterprise mobile device security strategy services can reduce the demand on your IT resources, expand your support capabilities, and lower mobility costs.