Cost vs Security: Mobile Phones and Business Vulnerability

Mobile phones have become an indispensable part of modern life, and the workplace is no exception. They offer incredible convenience, allowing employees to stay connected, access work documents, and collaborate on the go.

However, this convenience comes with a hidden cost: increased vulnerability for businesses. 

Does your company issue mobile phones for your employees to use?  

Do you require that only those phones be used to access work on your company’s systems?

Or do your employees use their own personal phones?  

Do your employees’ personal phones have all the same security systems and protections that you would require on a company phone and for access to company resources?

How do you know for sure?

Your company’s workforce might be a security risk. Things to consider:

Unsecured Devices:

    • Personal vs. Work Phones: Many (most?) employees use their personal phones for work purposes. These devices might (probably) lack the security protocols and encryption software present on company-issued phones. 
    • Weak Passwords and Outdated Software: Employees may not prioritize strong passwords or software updates on their personal phones, leaving them vulnerable to malware and data breaches. 
    • Old Phones: Android and Apple phone manufacturers provide security updates for a set time period. Depending on the manufacturer, phones are supported with updates for between 2 and 7 years.

Phishing and Social Engineering Attacks: 

    • Mobile-Specific Tactics: Cybercriminals are becoming adept at crafting phishing attacks specifically designed for mobile devices. These attacks may appear as legitimate texts or emails, tricking employees into revealing sensitive information. 
    • Social Engineering on the Go: Employees on the move might be less vigilant and more susceptible to social engineering tactics like phone calls or messages impersonating authority figures.

Unintentional Data Leaks:

Things happen. Employees use installed mobile phone software and back-up systems without thinking of the business ramifications. Phones get lost and stolen.

    • Shadow IT: Employees may use unauthorized cloud storage services or apps to share work documents, bypassing company-approved security measures.
    • Data Loss Through Lost or Stolen Phones: Unprotected devices with access to sensitive data are prime targets for theft or loss, leading to potential data breaches.

Malicious Apps:

When you download an app, how often do you read the details of what data the app’s maker will share or sell? Do you check the permissions the app requests each time?

    • Accidental Downloads: Employees might download malicious apps from unofficial app stores or click on misleading ads, unknowingly installing malware that can compromise company data.
    • Insufficient App Permissions: Lack of awareness about app permissions can lead to granting unnecessary access to sensitive data or system functions.

Android vs iPhone

Android phones are generally considered more susceptible to cyberattacks than iPhones. Here’s why:

    • Open vs. Closed Ecosystem: Android is an open-source platform, allowing for more flexibility and customization. However, this openness also means there are more entry points for vulnerabilities. Apple’s iOS operates on a closed system, giving Apple more control over app distribution and security features.
    • App Stores: Apple has a stricter app review process for its App Store, aiming to weed out malicious apps. The Google Play Store, while improved, has a larger volume of apps, and may unknowingly allow malware through. Users can also download apps from third-party stores on Android, which are not vetted and pose a higher security risk.
    • Fragmentation: The Android platform suffers from fragmentation, with different versions running on various devices. This makes it harder for Google to push out security updates to all users consistently. Apple controls both hardware and software for iPhones, allowing for a more unified and secure system with consistent updates.

However, it is important to consider these additional points:

    • User Behavior: Regardless of the platform, users who engage in risky online behavior (clicking suspicious links, downloading unverified apps) are more likely to be targeted by cyberattacks.
    • Value as a Target: Due to the larger market share of Android, it may be a more attractive target for some attackers.

Overall, both Android and iOS can be secure platforms if used responsibly. However, due to the factors mentioned above, Android presents a larger attack surface for cybercriminals.

Mitigating the Risks: Building a Secure Mobile Workspace

What can your company do to mitigate the significant risk posed by employees’ mobile phones?

Building a secure mobile workspace requires a layered approach that combines technological solutions, clear policies, and user awareness.

A breakdown of the key steps:

1. Define Your Needs and Threats:
    • Consider what work activities will be done on mobile devices. This will influence the level of security needed.
    • Identify potential threats. This could be data breaches from malware, lost devices, or unauthorized access.
2. Implement Technical Safeguards:
    • Enforce strong device passwords and enable multi-factor authentication (MFA).
    • Use a Mobile Device Management (MDM) solution. MDM allows central control over devices, enforcing security policies like encryption and remote wipe capability.
    • Utilize secure containerization. This creates a virtual workspace on a personal device, keeping work data isolated.
    • Keep software updated on devices. This includes the OS, security apps, and any work applications.
3. Develop Clear Policies:
    • Create a clear BYOD (Bring Your Own Device) Policy: Define a clear policy for using personal phones for work purposes.
    • Outline acceptable use of mobile devices for work purposes.
    • Define data security protocols, including data encryption and data loss prevention (DLP).
    • Educate employees on mobile security best practices, like avoiding public Wi-Fi for sensitive work.
4. Promote Security Awareness Training and Reporting:
    • Train employees on:
        • Mobile security protocols
        • Responsible device usage
        • Social engineering tactics
    • Phishing attacks can target mobile devices as well (phishing by text message is often called smishing).
    • Train employees to identify suspicious emails and links.
    • Reporting: Encourage employees to report any lost or stolen devices immediately.

Additional Considerations:

    • Virtual Desktop Infrastructure (VDI) is an option for some organizations. VDI provides a remote desktop experience on the mobile device, minimizing data stored locally.
    • Regular security audits and penetration testing can help identify and address vulnerabilities in your mobile workspace.
    • Cloud security solutions: Utilize cloud security solutions with robust access controls and data encryption for secure storage and sharing of work documents.

Conclusion:

By implementing these steps, businesses can leverage the benefits of mobile technology while minimizing security risks. Remember, a secure mobile environment requires a multi-pronged approach, encompassing technology solutions, employee education, and clear company policies. Security is an ongoing process, so staying updated on the latest threats and implementing innovative solutions is essential. By striking the right balance, businesses can empower their mobile workforce without compromising data security.

Need help?

PCA Technology Solutions can help your company determine which tech and security options are best for your business needs. Contact us today if you would like to learn more about how we can assist you.