Cyber - The risks of corporate mobile schemes
Cyber threats don't stop at computers and businesses may not know the risks that come with employees having mobile phones. We explore the risks and how to mitigate them.
It seems impossible to think that smartphones have only been a part of our lives for just over a decade.
This technical transformation of society means people are more connected than ever and rarely switch off; in fact, in 2018 people in the UK checked their phones on average every 12 minutes during their waking day. It's no surprise, therefore, that companies are more commonly investing in mobile phones for their employees. Whilst this gives employees the ability to work on-the-go, it also presents a more pressing problem.
Andrew Kelly, Principal Consultant in Cyber Security, QinetiQ explains "we carry the devices with us everywhere and they are switched on 24/7. Most people keep their mobile with them at all times, so they have access to much more personal data than a desktop computer or even a laptop which are much less portable."
Cyber threats don't stop at computers and businesses may not know the risks that come with employees having mobile phones.
These are just some examples.
Phishing attacks
Some research suggests that users on mobile devices are 18 times more likely to be exposed to phishing than to more traditional malware attacks. This is because phishing emails are often much harder to spot on mobiles, which means that even the most vigilant of employees could be tricked into clicking on dangerous links that could compromise a company's security.
Data loss
Data could be leaked from corporate mobile devices through malicious cyber-attacks but also through risks of downloading apps. Apps often request permissions that aren't entirely understood and could in fact put company information at risk.
Andrew explains "mobile apps can be updated extremely frequently, usually much more frequently than desktop/laptop applications. Some apps are updated daily. This means that an app that seems innocuous one week could cause concern the following week."
The risks of these apps can go as far as accessing information you wouldn't want them to, sharing data with unknown partners and even physically draining batteries.
Unsecure WiFi networks
Working remotely means that employees often have to rely on public WiFi to stay connected. These connections can be risky: they're quite often unsecure and pose threats. People could use the WiFi connections to install malicious software or to intercept company data.
Physical vulnerabilities
Corporate mobiles provide great benefits to businesses in allowing employees to be more readily available and work on-the-go. However, they also act as a potential window into the company their owners work for that could easily be lost or stolen. As well as cyber risks, sensitive or personal information could be seen by prying eyes in public places and transport.
Reducing the risks
The risks of having an insecure corporate mobile scheme will vary for every organisation. Andrew describes example risks including sensitive intellectual property being lost to competitors, fraudulent billing, or intruders being able to access sites more easily.
Furthermore, Andrew explains "the way that adversaries such as hackers can exploit insecure mobile apps and devices is constantly evolving and increasingly creative. The current situation makes this even more of a challenge because people are more reliant on mobile contact than ever and new apps are becoming popular."
However, there are always actions that can be taken to help reduce the risks. Individuals can take easy measures to reduce the risks themselves. These include:
- Not using corporate mobiles more than necessary for personal matters
- Having a secure and unique password
- Avoiding installing or clicking on anything that is not from a known and trusted source.
It's also an important piece of security maintenance to keep up-to-date with all software and app updates. Andrew tells us that updates act a bit like a vaccination and stop attackers exploiting system weaknesses. Organisations can also take actions to protect themselves.
Firstly, they should stay informed on and research cyber threats. Andrew's team tests mobile app security, and he explains that when armed with this knowledge companies are able to adapt their approach to certain apps to improve security. This could range from encouraging and working with the developers to make adaptations, to tracking app use, or even removing the apps.
Secondly, it's important for employees using the phones to be educated in cyber security. By making sure that the organisation has a clear company policy on corporate mobile use that everyone is aware of, you will reduce the chances of a cyber-breach.
This can be helped by training employees and ensuring they understand best practice and cyber risks. Prevention is always better than having to deal with the fallout of a cyber-attack and having to make a claim against your insurance policy. Rigid cyber security plans are essential. Here at Zurich we are keen to support you in mitigating risks of cyber breaches wherever possible and have our own experts in house to do so.
If you want any support on this please do speak to your usual Zurich contact.