Mobile devices are increasingly popular vectors for cybercriminals targeting the enterprise. How to tell when a smartphone may be under attack.
It’s easier than ever to use smartphones as go-to devices for accessing sensitive data and critical apps. Unfortunately, it’s also easier for cybercriminals to take advantage of them.
“We’re starting to see public indications that mobile devices are an amazing vector to attack,” says Yair Amit, CTO and cofounder of mobile defense company SkyCure. “More and more attacks target data on these devices: email, chat, credentials to other services.”
Amit explains how smartphones are helpful for productivity but double as “ideal tracking devices” for bad guys as people rely more heavily on them.
“If I compromise your devices, I can steal data and credentials, but I can also monitor where you go, whom you meet with, why you meet with them, and what you say,” he continues.
Mike Murray, VP of security research and response for Lookout, emphasizes the shift in cyberattacks to mobile devices among enterprise users — ironically, because of security measures already in place.
“Until now, general attacks in the enterprise were on computers,” he explains. “Because of the rise in two-factor authentication, and because of two-factor authentication via phone, the phone has become part of the cyber kill chain.”
If a hacker wants privileges within an organization, or their VPN, at some point he or she will have to compromise an employee’s phone.
The severity of business risk varies from victim to victim, Murray says. If an entry-level human resources employee says their phone is acting strange, it may spark less concern than if the same complaint came from a high-level exec who was recently on a major assignment overseas.
“The risk profile is less about behavior than about why the behavior is likely,” Murray explains.
Businesses face several challenges when it comes to strengthening their mobile security. Employees bring several types of devices, powered by multiple carriers, and running many versions of different mobile operating systems.
Unlike PCs, corporate mobile phones often double as personal devices. BYOD policies complicate security because employees are the owners, says Amit. Many times, businesses will implement safeguards that fail because employees simply don’t like them.
Murray also acknowledges a mindset problem. Many people don’t yet realize the huge problem mobile security presents to the business.
“We think of the phone as an extension of the Motorola flip phone, not realizing it’s the most powerful digital access device that we have,” he says. If more organizations would recognize the need to take mobile threats seriously, it would change the enterprise security posture.
Here are some key red flags that could indicate a smartphone has been hacked.
Kelly is an associate editor for InformationWeek. She most recently reported on financial tech for Insurance & Technology, before which she was a staff writer for InformationWeek and InformationWeek Education. When she’s not catching up on the latest in tech, Kelly enjoys … View Full Bio