Security Mistakes Your Mobile Workforce Makes

The surge in mobile computing and BYOD (bring your own device) initiatives is translating to higher productivity and job satisfaction for your workforce—but it’s also creating alluring new opportunities for cybercriminals.

Does your mobile workforce truly understand the new risks in this new era? Do mobile device users know how to avoid the nefarious activities of a new breed of bad guys? Does your IT department know how to secure mobile devices without unduly prohibiting, forbidding, and blocking access to apps, websites, and content? 

Here are five common mistakes workers make in mobilespace—along with tips on how to avoid hidden security risks and, more importantly, how to transform the threats of this new era into new opportunities for higher productivity and job satisfaction.

Mistake #1. Underestimating the risks.

It’s easy for people to assume that mobile devices are less vulnerable to security threats than traditional desktops and laptops. Why? Because the press and analysts have been reporting that malware (malicious software) and other threats are still in their infancy in mobilespace, with few incidents reported even as recently as 2012, and that mobile traffic represents just a tiny fraction of overall network traffic—not enough volume to interest cybercriminals.

Those reports are correct. But in 2013 the mobile threat landscape is becoming much more active as the adoption of mobile devices continues to accelerate. According to the IDG Global Mobility Study, 70 percent of employees now access the corporate network using a personally owned smartphone or tablet, and 80 percent of employees access email from their personal devices. This increasing traffic volume is attracting the attention of cybercriminals. And traditional attacks—such as malware, spam, phishing, and malicious apps—are relatively simple to extend into the mobile arena.

Simply put, traditional threats are going mobile, and complacency will make them even more dangerous.

High-risk destinations that mobile users now visit far more frequently include:

• Spam sites: When you respond to unsolicited email or browse computer/technology-related sites, you’re at high risk. An example: one of the first offers for an Android version of Skype was actually an on-ramp for malware.
• Web ads: Cybercriminals have been refining “malvertising” for mobilespace. Recently, for example, an ad for an Angry Birds download actually sent premium-rate SMS messages and then billed people without their knowledge.
• Entertainment sites: Games and gambling sites are popular destinations for mobile users—and equally popular for purveyors of malware, “phishing” exploits, and phony downloads such as PDFs or browser updates.
• Search engines: As search engines become more widely used in mobilespace, search engine poisoning (SEP) tactics are becoming more prevalent.

Mistake #2. Clicking carelessly.

The mobile webscape is chock full of things to click on. Every web page has clickable links, ads, and offers—and there’s no easy way to tell which are real and which are phony. Even the URL isn’t a reliable indicator of whether the site is genuine. For example, the Yammer mobile app has a different URL than the web-based version, but both are legitimate.

Many “phishing” offers even duplicate the look and feel of legitimate sites—but are in fact designed to trick people into divulging personal information. For instance, an employee may receive an email that looks like it’s from PayPal, claiming that their account will be suspended unless they click a link and update their credit card information. But the sensitive information goes directly to identity thieves.

As a tactic, phishing is far more productive than spam in the mobile arena, according to Blue Coat’s research. So what can employees do to protect themselves? First, be informed. Banks, credit card companies, the IRS, and other legitimate institutions will never request personal or sensitive information via email. Second, the worker should call the company directly if in doubt about the authenticity of a communication.

The second issue with careless clicking is the simple fact that the small screen size of smartphones and tablets makes it easier to hit the wrong thing with your finger. Cybercriminals are well aware of this unfortunate human shortcoming and sometimes exploit it by placing a clickable spam, scam, malware, or phishing-related link in close proximity to a legitimate link. So if you have large fingers or you’re just generally impatient, slow down and click with care.

Mistake #3. Entering passwords in public.

I’m not out to steal anyone’s identity. I don’t care to profit from the profligacy of others. But I could jump-start a new career as a cybercriminal just standing in line at the local coffee house.

People don’t seem to notice that when they type their passwords on a mobile device, the characters they type are not only visible to others but in many cases are actually highlighted one by one on the screen. That’s because mobile device screens are small and people want to confirm that they’ve entered the password correctly before they proceed with their transactions. And that’s why “shoulder surfing” is an increasingly popular tactic used by identity thieves.

Perhaps the reason for this breach of security hygiene is that in the desktop world, when you type your password the characters are usually masked by asterisks, or dots, or something similar—so it’s easy not to notice that the paradigm is different in mobilespace. But be assured—others have noticed.

Mistake #4. Downloading apps outside the app store.

Whether employees are using the mobile web for work or recreation, they’re bombarded with offers of free app downloads. Most are from legitimate sources, but others are not. Some are so-called “drive-by download” exploits that are designed to embed viruses, spyware, or malware onto the mobile device.

How can a mobile worker tell the difference? For all practical purposes, they can’t. The URL may look suspicious but may actually be legitimate; it may look legitimate and actually be phony. The best policy for mobile app downloads: avoid downloading from sites that are mobile-only or that are littered with ads. In general, download apps only from trusted app stores.

Mistake #5. Not telling IT.

When employees do encounter suspicious activity out there in mobilespace, they tend to do one of several things: ignore it, avoid it, investigate it, thwart it, or fall victim to it. What they almost never do is report it.

And that is a missed opportunity on several fronts. First, reports of real-world exploits and threats are a tremendous source of intelligence that the IT department could use to strengthen security, improve post-breach response, and prevent further attacks. That same intelligence could also directly benefit mobile users, because when IT can adequately protect against threats it can ease the restrictions on the apps and content users can access, download, and use.

More intelligence from more sources creates a feedback loop—an upward spiral in IT’s ability to protect, safeguard, and ultimately empower workers to do their jobs the way they want. And when employees and contractors are able to safely and quickly choose the best applications, services, devices, data sources, and websites the world has to offer, they are liberated to create, communicate, collaborate, share, and produce.

It’s not difficult to understand why mobile workers don’t report suspicious apps, content, and URLs to the IT department. There is typically no process in place for doing so; nor is there typically any indication that IT would welcome such input. Further, all too often there is an undercurrent of distrust between the workforce and the IT department. In many cases employees assume that the role of IT is to block, prohibit, forbid, control, constrain, and exclude. On the other hand, IT can sometimes see employees as irresponsible, sneaky, and untrustworthy.

This must stop. And enlightened enterprises are beginning to realize that security is actually a means of stopping it. The right security technology, implemented the right way, can put an end to the vicious cycle of mutual distrust and transform it into an upward spiral of enablement—where security is no longer only about preventing the unthinkable but also about exploring the possible.
