Mobile Device Security Threats & How To Prevent Them

Published in All Insurance Industry Insights on Wednesday, October 11, 2023

Mobile malware—malicious software designed to gain access to private data on mobile devices—is a growing threat to companies’ cybersecurity. As companies embrace remote work and more employees use their personal devices for work-related tasks, cybercriminals are finding more opportunities to exploit these vulnerable and often unsecured devices to access corporate servers and sensitive information.

The consequences of these cyberattacks can be devastating for organizations. According to Verizon’s Mobile Security Index, 33% of security professionals have reported a security compromise involving a mobile device. In addition, 47% said remediation was “difficult and expensive,” and 64% said they suffered downtime.

Cybercriminals can deploy mobile malware in a variety of ways, including through malicious apps, network-level attacks and even by exploiting vulnerabilities within the device and its operating systems.

The following are common mobile device security threats:

Phishing and smishing —Phishing and smishing scams are the number one security threat to mobile devices, according to IBM. While phishing uses emails and smishing uses text, both strategies involve sending messages that contain malicious links to infect devices with malware or trick victims into sharing account details or business information. Social engineering is often used in phishing and smishing scams by weaponizing key attributes of a victim, such as where they work, their job status and their recent posts, to gain trust and get important information out of them.

Malicious apps —Official app stores like Apple App Store and Google Play have many checks and balances in place to prevent malicious code, but malicious apps may still get through these processes. Once a malicious app is installed, hackers can steal or lock data stored in the mobile device or spread more malware.

Insecure Wi-Fi and network spoofing —When an employee uses a compromised or public Wi-Fi network, their device instantly becomes vulnerable to cyberattacks. Cybercriminals can conduct man-in-the-middle attacks—when communication between two systems is intercepted by a third party—while remaining undetected by the user through insecure Wi-Fi and network spoofing. Insecure Wi-Fi, such as open or free Wi-Fi hotspots, can allow cybercriminals to intercept device network traffic. Network spoofing entails a hacker impersonating a network’s name to trick users into signing in, allowing them to access user data.

Outdated operating systems (OSs) and apps —Older OSs and apps may contain vulnerabilities that can be exploited by cybercriminals. While software patches and updates are often released by developers to address security vulnerabilities, any delay or avoidance in updating an OS or app could put data stored on the mobile device at risk.

Mobile Device Threat Prevention

The consequences of mobile device security breaches can be devastating to an organization, potentially resulting in a loss of profits, data, reputation and compliance. To minimize mobile device security threats, organizations can take the following precautions:

• Train employees. Employees are the first line of defense for protecting mobile devices against malware. Therefore, cybersecurity awareness training can help employees combat scams by teaching them to identify telltale signs of phishing, smishing and malicious apps, avoid public and insecure Wi-Fi networks, and keep their devices’ software up to date.
• Install a virtual private network (VPN). A VPN connection disguises online data traffic and protects it from external access. Unencrypted data can be viewed by anyone who has network access, but a VPN restricts cybercriminals from deciphering data.
• Activate multifactor authentication (MFA). MFA can prevent account compromises by requiring users to provide multiple security credentials to access a device or account. Examples of MFA include entering a code sent to a user’s email, answering a security question or scanning a fingerprint.
• Turn on user authentication. User authentication on mobile devices verifies a user’s identity through one or more authentication methods, such as passwords or VPNs, to ensure secure access.
• Implement a password policy. A strong corporate password policy can ensure that systems and data are as secure as possible. Some best practices include encouraging employees to use unique, complex or long passwords; enabling MFA; and using password management systems.

As mobile devices and their applications become increasingly utilized for work-related activities, companies must remain vigilant in their cybersecurity efforts to mitigate associated risks. For more risk management guidance, contact us today.