In 2022, almost 75% of US employees work in a hybrid environment. This means they split their time between their office and remote locations of their choice. Commonly, people work from home, but they can also work in cafes, libraries, restaurants, and other public places.
The flexibility of hybrid work holds great appeal to many people. It’s often considered a workplace perk, and research suggests that people who work in a hybrid environment are more engaged.
However, for all the benefits of hybrid work, there are also security concerns that businesses need to address.
In the office environment, employee devices are protected by the corporate network. However, as employees move from place to place, their smartphones are exposed to a number of threat vectors – any of which could lead to a corporate data breach or malware attack.
Given these risks, companies need to have a strategy in place to enhance mobile device security. This starts with understanding the major security threats targeting smartphones, which we’ll explore in more detail below.
You’ve undoubtedly heard of phishing, but what about SMS-ishing? SMS-ishing is a type of social engineering attack aimed specifically at smartphone users. These attacks take the form of a text message, where an attacker poses as a trusted source, like a well-known brand, health organisation, bank or even a colleague.
The text will contain a link to a fake website, where the victim will be encouraged to share sensitive information, such as an email and password, financial data or protected health information.
While phishing attacks often end up in junk folders or are caught by spam filters, SMS-ishing attacks have a high delivery rate. They’re also on the rise, and research indicates that mobile phishing attacks increased over three times in the last year.
Unfortunately, it’s difficult to prevent attackers from sending texts to your employees – but you can help your people identify these attacks and report them.
We advise conducting regular security awareness training, where you educate your people on common security threats like phishing and SMS-ishing. To enhance the effectiveness of your training, make sure that it’s not just a one-off, tick box exercise. Consider hosting training sessions on a monthly or bi-monthly basis.
You could also share a weekly or monthly newsletter with your employees on the latest attack types to watch out for.
If you’re not sure how to get started with security training, reach out to us. We can help you implement a thorough, engaging cybersecurity program that improves employee awareness and understanding.
Malicious Applications Riddled With Malware
Applications are a huge part of the smartphone experience. However, not all applications are benign.
Increasingly, we’re seeing hackers create fraudulent applications. These applications masquerade as legitimate apps, often imitating well-known brands and logos. However, unlike real apps, they are riddled with malware.
When a victim inadvertently downloads a malicious app, their device will become infected with ransomware, spyware or a virus. The victim might be locked out of their device immediately. In more advanced attacks, the malware won’t launch until the victim has connected their device to the corporate network, where the malware can cause widespread damage.
To protect against these attacks, employee awareness training is valuable. You should encourage your employees to only download applications from reputable app stores like Google Play and Apple’s App Store.
They should also review apps carefully before clicking the download button. For example, if an app has zero reviews, they should treat it as suspicious.
If your employees use company-owned mobile devices, you may also want to deploy a mobile device management (MDM) solution. These solutions give you granular visibility and control over how employees use their phones. You can control what applications and websites they use, what data they share and much more.
While MDM is a solid solution for company devices, it’s not suitable for employee-owned phones as it could be seen as an infringement of privacy.
Network Spoofing and Public WiFi
Network spoofing is a type of cyber attack involving a hacker creating a fake WiFi spot in a public space with high traffic, like a library or cafe. The fake WiFi spot will often mimic the name of a specific location nearby.
For example, if the spoofed spot is near a Starbucks, it might have the name “Starbuckz” to dupe people into connecting to it.
When someone signs up for an account with the fake WiFi spot, the attacker will harvest their personal details, including their email address and password. If the WiFi spot is “pay to use”, the hacker can also steal their financial information.
It can be difficult to stop your employees from using public WiFi spots. However, you can help them keep an eye out for spoofed WiFi spots, so they don’t fall victim. As we’ve mentioned already, knowledge is power – so educating your employees on network spoofing is your best defense.
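The “Starbuckz” pattern described above can also be checked mechanically. The following is an added example, not part of the original article: it compares visible network names against a list of names the user actually trusts and flags near-misses. The trusted list, the character-folding table and the sample scan results are all constructed assumptions.

```python
import unicodedata

# Assumed, non-exhaustive table of characters commonly swapped to imitate a name.
FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "$": "s", "@": "a", "z": "s"})

def normalize(ssid):
    """Lowercase, drop accents and separators, then fold look-alike characters."""
    text = unicodedata.normalize("NFKD", ssid).casefold()
    text = "".join(c for c in text if c.isalnum() or c in "$@")
    return text.translate(FOLD)

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(ssid, trusted):
    """Return (verdict, matched_name); verdict is trusted, lookalike or unknown."""
    if ssid in trusted:
        # Name check only: SSIDs are not authenticated, so this proves nothing
        # about who operates the access point.
        return "trusted", ssid
    folded = normalize(ssid)
    for name in trusted:
        target = normalize(name)
        close = edit_distance(folded, target) <= max(1, len(target) // 5)
        if folded == target or target in folded or close:
            return "lookalike", name
    return "unknown", None

# Constructed sample data: names the user trusts and names seen in a scan.
TRUSTED = ["Starbucks WiFi", "CityLibrary-Guest"]
SCAN = ["Starbucks WiFi", "Starbuckz WiFi", "CityLibrary_Guest", "HomeNet-5G"]

if __name__ == "__main__":
    for seen in SCAN:
        print(seen, "->", classify(seen, TRUSTED))
```

A “lookalike” verdict is a prompt to stop and confirm the network name with staff at the venue before connecting.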
Improve Your Mobile Defenses. Schedule an IT Security Audit Today!
Cloudavize can work with your Dallas-Fort Worth business to improve your mobile security defenses. We’ll do a full audit of your current protections and make recommendations for any weak areas.
Contact Cloudavize today for a free consultation to get started.