Your organization is becoming trendy and everyone is using smart phones. Hey! There’s a new app that accepts payments on smart phones… oooh, and it can transfer funds.
Hold on! What are you getting yourselves into?
How does the use of smart phones affect an organization’s security?
The short answer is – be careful. For the most part, phones and tablets (mobile devices) are susceptible to the same threats as computers. The real problem is that they are often not subject to the same company policies and oversight.
Common vulnerabilities between mobile devices and computers:
- Malware. Malware is not yet as widespread on mobile devices as on PCs, but it has been increasing as smart phone usage grows.
- Eavesdropping. Mobile devices can access the same networks as computers and are just as vulnerable to eavesdropping using techniques like packet sniffing and other transport layer vulnerabilities.
- Unauthorized access. Users tell devices to remember passwords or may not auto-lock devices when idle, making unauthorized access easier.
- Theft. Just like laptops and desktops, and maybe more so due to size, mobile devices can be stolen and data compromised.
Additional vulnerabilities of mobile devices:
- Unsafe applications (apps). Many apps request permission to access parts of your device that are not necessary for running the application and may transmit information back to developers. RiskIQ conducted a study in 2015 and found that more than 40,000 (or 11%) of the 350,000 apps which reference banking in the world’s top 90 app stores contain malware or suspicious binaries. Roughly half of those (20,000) actually contained Trojan malware.
- Lack of oversight. IT departments may not track or regularly review mobile devices for risks and vulnerabilities. Additionally, organizations may lack formal policies regarding mobile device usage.
Based on these vulnerabilities, you have probably guessed the recommendations. Empower your IT department with a formal policy that allows them to review device access and regularly scan devices for malware or unauthorized access. In this policy, include what kinds of connections are allowed, when and how they are used, and processes for resolving support issues. Implement dual-factor authentication for sensitive applications. Enable remote wiping of a compromised device, if your written policy allows it. Provide regular user training to make employees aware of these threats and best practices.
To summarize, mobile devices and applications are subject to many of the same risks as computers, as well as some unique risks. Being aware of these risks and strategically planning to reduce them will allow your organization to safely use the latest trendy technology.