Raising awareness quickly: Explaining BYOD and mitigating mobile risks

As part of National Cyber Security Awareness Month, Rapid7 is publishing a series of easily emailed awareness tips. Last week, CSO shared the letter addressing the topic of phishing. Today, the topic is BYOD and mobile risk.

Note: For the previous letter on phishing, see this article.

"There has been an exponential growth in mobile malware these past few years, as smartphone and tablet adoption takes off," Saj Sahay, the director of mobile security at Rapid7, told CSO.


"Cybercriminals are increasingly targeting mobile devices, not only because of the growing use, but because with the hundreds of device choices available it's a herculean task for most organizations to understand their risks. User involvement in keeping their devices secure is the best way to mitigate mobile device risk."

What follows is a brief primer on BYOD and mobile risk, which can be easily copied and freely shared within the organization.

What is BYOD (Bring Your Own Device)?

These days the majority of people in the workplace own either a smartphone (like an iPhone, an Android phone or a Windows mobile) or a tablet device, or in many cases both. Frequently these mobile devices are used for all aspects of your personal AND professional life, for example if you have your company email on your mobile phone, or take notes during meetings on your tablet. This is BYOD: mobile devices that you bought for your own use, through which you also access work-related data.

It's easy to take this for granted and not consider the confidential nature of the information you're accessing on these devices, but even seemingly insignificant information may provide an attacker with an opportunity. Given that so much company information is either stored on or accessible through our mobile devices, it is very important to keep these devices secure. The good news is that it's really not that hard to do. Below we've identified a few simple steps that will help you protect your personal and company-confidential information from being accessed and exploited by strangers.

Let's go through some of the security issues with BYOD, and learn the simple actions we can take to help protect our devices from harm.

Threat #1 -- Lost or Stolen Mobile Devices

More than 1 in 3 mobile devices are either stolen or lost by their original owner. In fact, stealing smartphones is the #1 crime in New York City! Not only does the smartphone have resale value, but the value of the data accessible from the device can sometimes exceed the resale value of the device. Just think how valuable your banking information and account passwords stored on the device can be to a thief!

How Can You Protect Yourself?

First, make sure to password lock your device! Unfortunately, less than 40% of users enable the passwords on their mobile devices, and they say the biggest reason is that it's too much of a hassle. It's actually very quick and easy to do, and it makes a huge difference in terms of protecting your device. The whole point of a password is to keep untrustworthy people out of your device. To enable a password, go to the Settings on your phone. If you can't easily figure out how to do it, your IT team will probably be happy to help!

Second, enable the "Find Your Device" feature available on most of the major operating systems, like Apple's Find My iPhone. If your device is ever misplaced, you can sign into Apple's iCloud and see exactly where your device is. You can also wipe the device remotely if it's in a location that you don't recognize or trust, so your confidential information is not compromised.


Threat #2 -- Untrustworthy Apps

With more than 100 billion mobile apps downloaded since 2008, it's no wonder that 4 out of every 5 minutes we spend on mobile devices is spent in an app. Criminals who aim to steal your data are not unaware of this trend. For example, 97% of malware (malicious software) on Android smartphones comes from apps that were downloaded from untrusted app stores.

These apps can look perfectly legitimate, but they are usually loaded with malicious functions and, once downloaded, expose the device owner to severe risk, sometimes even leading to the complete loss of control of the device to the attacker. A good example is Bad Pigs, a malware-laden app found earlier this year masquerading as the popular "Bad Piggies" game. Could you tell them apart in the link provided?

How Can You Protect Yourself?

Only download apps from trusted marketplaces, like Apple's iTunes and Android's Google Play stores. The qualification and filtering processes that apps must pass to be included on these officially sanctioned marketplaces significantly reduce the chance of your device being infected by malware. There are more than 2 million apps available between Apple's, Google's and Microsoft's app stores, so you'll never have to worry about finding the ones that suit your needs!

Threat #3 -- Unpatched Mobile Devices

No software is perfect, and the software on your phone is no exception. The problem is that these flaws can often create opportunities for attackers to exploit them and take over your device. This is why software makers often release multiple versions in quick succession (as with the recent iOS 7, iOS 7.01 and iOS 7.02 releases).

This is called "patching", and the responsibility for doing it on your mobile devices lies primarily with you. Less than 20% of devices in the US are updated at any time, resulting in 49% of Android and 18% of iOS devices containing at least one high-severity vulnerability that is waiting to be exploited.

How Can You Protect Yourself?

It is crucial that you update the software on your phone whenever new versions are released. You can check by going to the Settings menu for your device and looking for any available system updates. This simple step is by far the best way to eliminate mobile device risk, yet very few people actually complete updates in a timely manner. Once the update is complete, you can be sure that hackers cannot exploit older vulnerabilities on your device to gain access to your confidential information!

All the recommended actions are simple in nature and don't take much time to carry out. By completing them, you will be able to rest comfortably knowing that you have minimized the risk of your mobile device being compromised by someone wanting to do you harm.
