As part of National Cyber Security Awareness Month, Rapid7 is publishing a series of easily emailed awareness tips. Last week, CSO shared the letter addressing the topic of phishing. Today, the topic is BYOD and mobile risk.
Note: For the previous letter on phishing, see this article.
"There has been an exponential growth in mobile malware these past few years, as smartphone and tablet adoption takes off," Saj Sahay, the director of mobile security at Rapid7 told CSO.
"Cybercriminals are increasingly targeting mobile devices, not only because of the growing use, but because with the hundreds of device choices available it's a herculean task for most organizations to understand their risks. User involvement in keeping their devices secure is the best way to mitigate mobile device risk."
What follows is a brief primer of BYOD and mobile risk, which can be easily copied and freely shared within the organization.
What is BYOD (Bring Your Own Device)?
These days the majority of people in the workplace own either a smartphone (like an iPhone, Android phone Windows mobile) or a tablet device, or in many cases, both. Frequently these mobile devices are used for all aspects of your personal AND professional life, for example if you have your company email on your mobile phone, or take notes during meetings on your tablet. This is BYOD: mobile devices that you bought for your own use, through which you also access work-related data.
It's easy to take this for granted and not consider the confidential nature of the information you're accessing on these devices, but even seemingly insignificant information may provide an attacker with an opportunity. Given that so much company information is either stored or accessible through our mobile devices, it is very important to keep these devices secure. The good news is that it's really not that hard to do. Below we're identified a few simple steps that will help you protect your personal and company-confidential information from being accessed and exploited by strangers.
Let's go through some of the security issues with BYOD, and learn the simple actions we can take to help protect our devices from harm.
Threat #1 -- Lost or Stolen Mobile Devices
More than 1 in 3 mobile devices are either stolen or lost by their original owner. In fact, stealing smartphones is the #1 crime in New York City! Not only does the smartphone have resell value, but the value of the data accessible from the device can sometimes exceed the resell value of the device. Just think how valuable your banking information and account passwords stored on the device can be to a thief!
How Can You Protect Yourself?
First, make sure to password lock your device! Unfortunately, less that 40% of users enable the passwords on their mobile devices, and they say the biggest reason is that it's too much of a hassle, but it's actually very quick and easy to do and makes a huge difference in terms of protecting your device. The whole point of a password is to keep untrustworthy people out of your device. To enable a password, go to the Settings in your phone. If you can't easily figure out how to do it, your IT team will probably be happy to help!
Second, enable the "Find Your Device" feature available on most of the major Operating Systems, like Apple's Find My iPhone. If your device is ever misplaced, you can sign into Apple's iCloud and see exactly where your device is. You can also wipe the device remotely if it's in a location that you don't recognize or trust, so your confidential information is not compromised.
Threat #2 -- Untrustworthy Apps
With more than 100 billion mobile apps downloaded since 2008, its no wonder that 4 out every 5 minutes we spend on mobile devices is on an app. Criminals who aim to steal your data are not unaware of this trend. For example, 97% of malware (malicious software) on Android smartphones is from apps that were downloaded from untrusted app stores.
These apps can look perfectly legitimate, but are usually loaded with malicious functions and once downloaded, expose the device owner to severe risk, sometimes even leading to the complete loss of control of the device to the attacker. A good example is Bad Pigs, which was a malware-laden app found earlier this year masquerading as the popular "Bad Piggies" game. Could you tell them apart in the link provided?
How Can You Protect Yourself?
Only download apps from trusted marketplaces, like Apple's iTunes and Android's Google Play stores. The qualification and filtration processes for apps to be included on these officially sanctioned marketplaces will significantly minimize any chance of your device being infected by malware. There are more than 2 million apps available between Apple's, Google's and Microsoft's app stores, so you'll never have to worry about finding the ones that suit your needs!
Threat #3 -- Unpatched Mobile Devices
No software is perfect, and the stuff on your phone is no exception. The problem is that the flaws can often create opportunities for attackers to exploit and take over your device. This is why the software makers often release multiple versions in quick succession (as with the recent iOS 7, iOS 7.01 and iOS 7.02 releases).
This is called "Patching" and the responsibility for doing it on your mobile devices lies primarily with you. Less than 20% of devices in the US are updated at any time, resulting in 49% of Android and 18% of iOS devices containing at least one high severity vulnerability that is waiting to be exploited.
How Can You Protect Yourself?
It is crucial that you update the software on your phone whenever new versions are released. You can check by going to the Settings menu for your device, and looking up if there are any Systems Updates available. This simple step is by far the best way to eliminate mobile device risk, but so few people actually complete updates on a timely manner. Once the updated is completed, you can be sure that hackers cannot exploit older vulnerabilities on your device to gain access to your confidential information!
All the recommended actions are simple in nature, and don't take too much time to execute. By completing these actions, you will be able to rest comfortably knowing that you have minimized the risk of your mobile device being compromised by someone wanting to do you harm.