The surge in mobile computing and BYOD (bring your own device) initiatives is translating to higher productivity and job satisfaction for your workforce—but it’s also creating alluring new opportunities for cybercriminals.
Does your mobile workforce truly understand the new risks in this new era? Do mobile device users know how to avoid the nefarious activities of a new breed of bad guys? Does your IT department know how to secure mobile devices without unduly prohibiting, forbidding, and blocking access to apps, websites, and content?
Here are five common mistakes workers make in mobilespace—along with tips on how to avoid hidden security risks and, more importantly, how to transform the threats of this new era into new opportunities for higher productivity and job satisfaction.
Mistake #1. Underestimating the risks.
It’s easy for people to assume that mobile devices are less vulnerable to security threats than traditional desktops and laptops. Why? Because the press and analysts have been reporting that malware (malicious software) and other threats are still in their infancy in mobilespace, with few incidents reported even as recently as 2012, and that mobile traffic represents just a tiny fraction of overall network traffic—not enough volume to interest cybercriminals.
Those reports are correct. But in 2013 the mobile threat landscape is becoming much more active as the adoption of mobile devices continues to accelerate. According to the IDG Global Mobility Study, 70 percent of employees now access the corporate network using a personally owned smartphone or tablet, and 80 percent of employees access email from their personal devices. This increasing traffic volume is attracting the attention of cybercriminals. And traditional attacks—such as malware, spam, phishing, and malicious apps—are relatively simple to extend into the mobile arena.
Simply put, traditional threats are going mobile, and complacency will make them even more dangerous.
High-risk destinations that mobile users now visit far more frequently include:
• Spam sites: When you respond to unsolicited email or browse computer/technology-related sites, you’re at high risk. An example: one of the first offers for an Android version of Skype was actually an on-ramp for malware.
• Web ads: Cybercriminals have been refining “malvertising” for mobilespace. Recently, for example, an ad for an Angry Birds download actually sent premium-rate SMS messages and then billed people without their knowledge.
• Entertainment sites: Games and gambling sites are popular destinations for mobile users—and equally popular for purveyors of malware, “phishing” exploits, and phony downloads such as PDFs or browser updates.
• Search engines: As search engines become more widely used in mobilespace, search engine poisoning (SEP) tactics are becoming more prevalent.
Mistake #2. Clicking carelessly.
The mobile webscape is chock full of things to click on. Every web page has clickable links, ads, and offers—and there’s no easy way to tell which are real and which are phony. Even the URL isn’t a reliable indicator of whether the site is genuine. For example, the Yammer mobile app has a different URL than the web-based version, but both are legitimate.
Many “phishing” offers even duplicate the look and feel of legitimate sites—but are in fact designed to trick people into divulging personal information. For instance, an employee may receive an email that looks like it’s from PayPal, claiming that their account will be suspended unless they click a link and update their credit card information. But the sensitive information goes directly to identity thieves.
As a tactic, phishing is far more productive than spam in the mobile arena, according to Blue Coat’s research. So what can employees do to protect themselves? First, be informed. Banks, credit card companies, the IRS, and other legitimate institutions will never request personal or sensitive information via email. Second, the worker should call the company directly if in doubt about the authenticity of a communication.
The second issue with careless clicking is the simple fact that the small screen size of smartphones and tablets makes it easier to hit the wrong thing with your finger. Cybercriminals are well aware of this unfortunate human shortcoming and sometimes exploit it by placing a clickable spam, scam, malware, or phishing-related link in close proximity to a legitimate link. So if you have large fingers or you’re just generally impatient, slow down and click with care.
Mistake #3. Entering passwords in public.
I’m not out to steal anyone’s identity. I don’t care to profit from the profligacy of others. But I could jump-start a new career as a cybercriminal just standing in line at the local coffee house.
People don’t seem to notice that when they type their passwords using a mobile device, the characters they type are not only visible to others but in many cases are actually highlighted one by one on the screen. That’s because mobile device screens are small and people want to confirm that they’ve entered the password correctly before they proceed with their transactions. And that’s why “shoulder surfing” is an increasingly popular tactic used by identity thieves.
Perhaps the reason for this breach of security hygiene is that in the desktop world, when you type your password the characters are usually masked by asterisks, or dots, or something similar—so it’s easy not to notice that the paradigm is different in mobilespace. But be assured—others have noticed.
Mistake #4. Downloading apps outside the app store.
Whether employees are using the mobile web for work or recreation, they’re bombarded with offers of free app downloads. Most are from legitimate sources, but others are not. Some are so-called “drive-by download” exploits that are designed to embed viruses, spyware, or malware onto the mobile device.
How can a mobile worker tell the difference? For all practical purposes, they can’t. The URL may look suspicious but may actually be legitimate; it may look legitimate and actually be phony. The best policy for mobile app downloads: avoid downloading from sites that are mobile-only or that are littered with ads. In general, download apps only from trusted app stores.
Mistake #5. Not telling IT.
When employees do encounter suspicious activity out there in mobilespace, they tend to do one of several things: ignore it, avoid it, investigate it, thwart it, or fall victim to it. What they almost never do is report it.
And that is a missed opportunity on several fronts. First, reports of real-world exploits and threats are a tremendous source of intelligence that the IT department could use to strengthen security, improve post-breach response, and prevent further attacks. That same intelligence could also directly benefit mobile users, because when IT can adequately protect against threats it can ease the restrictions on the apps and content users can access, download, and use.
More intelligence from more sources creates a feedback loop—an upward spiral in IT’s ability to protect, safeguard, and ultimately empower workers to do their jobs the way they want. And when employees and contractors are able to safely and quickly choose the best applications, services, devices, data sources, and websites the world has to offer, they are liberated to create, communicate, collaborate, share, and produce.
It’s not difficult to understand why mobile workers don’t report suspicious apps and content and URLs to the IT department. There is typically no process in place for doing so; nor is there typically any indication that IT would welcome such input. Further, all too often there is an undercurrent of distrust between the workforce and the IT department. In many cases employees assume that the role of IT is to block, prohibit, forbid, control, constrain, and exclude. On the other hand, IT can sometimes see employees as irresponsible, sneaky, and untrustworthy.
This must stop. And enlightened enterprises are beginning to realize that security is actually a means of stopping it. The right security technology, implemented the right way, can put an end to the vicious cycle of mutual distrust and transform it into an upward spiral of enablement—where security is no longer only about preventing the unthinkable but also about exploring the possible.