Since they became a mass market product about a decade ago, smartphones have rapidly grown to be the primary computing device for the majority of the world’s Internet-connected population. But while they (with the exception of the BlackBerry) were initially considered a consumer gadget that made it easier for people to stay in touch with friends and family, the smartphone is increasingly seen as a tool of business. It’s not surprising though if you think about the connectivity, convenience, and functionality smartphones provide when compared to laptops and desktop computers. Employees can access the company network irrespective of where in the world they are. This slashes travel costs and improves staff work-life balance. But there is a drawback: smartphones add stress to your already overburdened enterprise security problems.
Hesitation, then embrace
Smartphones were at first viewed with cynicism by business leaders. Managers thought they were distracting. There were legitimate concerns that users would have a strong urge to constantly check their social media and personal email accounts. They were considered detrimental to worker productivity. Those perceptions have gradually given way to pragmatism and a recognition of the tremendous business potential smartphones possess.
With this change in stance, smartphones are rapidly transforming the workplace. Enterprises now consider them vital in enhancing connectivity, facilitating telecommuting, and raising overall employee productivity. Nevertheless, the adoption of smartphones in the work environment hasn’t been all positive.
New risks
Smartphones have introduced new security risks while exacerbating some older ones. Working in an inviting café over a delicious cappuccino may seem like the stuff of dreams. However, the free public WiFi provided by the café leaves enterprise users vulnerable to man-in-the-middle attacks, packet sniffing, and the inadvertent exposure of sensitive data including passwords.
Modern enterprises cannot completely rid their working environment of the smartphone. Instead, they must recognize the risks of smartphone enterprise security as the first step toward establishing the controls needed to keep business systems and data, safe and secure. Here’s a look at the main dangers of smartphone use for work.
Bring your own device policies
Smartphone business use has coincided with the mainstreaming of the bring your own device (BYOD) trend. Many employees now leverage their employer’s BYOD policy to connect to enterprise applications using their personal mobile devices. Yet, it’s not unusual for BYOD smartphone users to disregard security protocols and procedures. They’ll install applications that the Android, iOS, or Windows app stores haven’t sanctioned. This increases the likelihood of allowing malware on their phones and subsequently spreading it to the rest of the network. It’s a substantial smartphone enterprise security risk. While mobile malware was relatively rare, a McAfee Labs report showed they were a fast-growing segment of cyberattacks with more than 1.5 million incidents in 2017. Infected smartphones would endanger the company’s technology infrastructure.
Outdated devices
Enterprise-owned smartphones may be more easily secured from rogue applications when compared to BYOD devices. Nevertheless, business’ phones are more prone to being used for long than necessary when compared to personal smartphones (in large part because personal smartphones are a status symbol).
One survey found that nearly two in three large businesses used smartphones that were two-years-old or older. Two years is a long time in the tech world. Within that seemingly short time frame, numerous new threats and vulnerabilities will have been discovered. Using outdated smartphones therefore increases the risk of the devices being unequipped with the most current security controls and patches.
Not enterprise native
Given that the overwhelming majority of smartphone models aren’t designed with enterprise use in mind, they are not built from the ground up with a corporate risk mitigation context. IT teams are therefore not always equipped with the knowledge needed to support and secure these devices.
Large storage capacity and fast internet
The latest high-end smartphone’s storage space now rivals that of the average laptop and desktop computer. Modern smartphones have tens or hundreds of gigabytes of internal storage. One can expand this internal storage even further by hundreds more gigabytes via a microSD card.
A rogue employee could easily dump large volumes of sensitive company information onto their smartphone and confidently walk out of the business premises without raising suspicion. Add to that the impressive speeds of mobile broadband today and even uploading such huge volumes of data can be done in seconds.
Users not logging out
Many users don’t log out of mobile applications they use nor do they password-protect their smartphones. So if a third party gains physical access to the phone, they could initiate processes or transactions on enterprise applications.
This is especially disconcerting because many organizations now have mobile versions (or mobile friendly web portals) of their main enterprise applications that provide virtually the same functionality as their corresponding desktop application.
Smartphone enterprise security risk mitigation techniques
Now that we know what the main smartphone enterprise security risks are, how do organizations mitigate against them? Here are a couple of practical tips.
Replace, upgrade, and patch phones
Replace outdated smartphones. For existing phones, upgrade the OS as soon as a new version becomes available. Apply security patches regularly and quickly. Install a reputable antivirus software on any smartphone that connects to the corporate network. Complement the antivirus with a malware detection tool such as the built-in Google Play Protect system on Android devices.
IT teams should also keep an eye on bloatware and unauthorized applications on smartphones connecting to their network. Bloatware may seem harmless but hackers can use such applications to launch a cyberattack.
Enterprise mobility management system
Ideally, companies should develop or acquire an enterprise mobility management (EMM) system. This is an application that centrally monitors all security aspects of mobile devices on the network. A user-friendly dashboard would provide quick notification if there is a smartphone that currently doesn’t comply with security policies.
Biometric security and VPNs
Given how easy it is for one to lose their smartphone, biometric security will come in handy. Fingerprint readers, face recognition, iris scanners, and voice recognition will help keep the content of the phone hidden from unauthorized persons in the event that the device falls into the wrong hands.
Businesses should establish a virtual private network. This ensures even when employees use public WiFi, the VPN encrypts their data thus protecting it from malicious third parties.
Risk assessment and root-cause analysis
Businesses should perform a thorough root-cause analysis of past breaches with detailed explanation of lessons learnt to prevent similar incidents in future. This should be supported by an annual smartphone enterprise security risk assessment that examines the mobile risks the organization is exposed to and whether they are adequately mitigated against. Basic steps like password protection and two-factor authentication are paramount.
Employee education
Last but arguably most important is the need to educate employees on cybersecurity. Staff must know what their responsibilities are in the protection of company systems and data especially in their use of mobile phones. They must be aware of the latest scams and how they can avoid falling victim to them.
Striking the right balance
Smartphones are here for the long haul. What businesses should strive for is a healthy balance between leveraging the productivity benefits of smartphones and managing the security vulnerabilities they introduce.
Featured image: Shutterstock
