Remote work is the new normal for many organizations. And as more employees rely on their mobile devices to stay connected and get work done, the need for mobile security becomes even greater.
Malware infections and unsecured access to sensitive company data are just some of the threats you need to consider. And regardless of who owns the mobile device—whether the organization or the employee—there’s a greater risk than before of an infected device connecting to your corporate network and causing a widespread infection.
Limited Visibility Creates Unlimited Challenges
Employees working from home in large numbers increases the risk the personal devices are used to access your corporate network or assets. This can mean limited visibility into the use of these mobile devices, let alone control.
As a result, you must rely on your employees themselves for critical steps like keeping devices up to date. Unfortunately, if they don’t update their operating system and applications regularly, they leave the window open for bad actors to exploit vulnerabilities.
Mobile Threats Are on the Rise
Malware targeting mobile devices is a growing problem. A 2019 Check Point survey found that nearly a third of surveyed businesses were impacted by threats related to mobile devices.
Additionally, McAfee researchers found that total mobile malware detections grew from about 25 million in the first quarter of 2018 to more than 35 million in the fourth quarter of 2019.
Biggest Mobile Device Threats
- Create a data classification system to help your workforce identify sensitive data.
- Implement user policies that restrict the access of sensitive data from unapproved apps, as well as restrict the sharing of confidential information outside the organization.
- Consider using data protection tools to restrict how data is shared and used.
Because of the COVID-19 pandemic, public places like coffee shops are closed almost everywhere, so you don’t have to worry much about public Wi-Fi at the moment. But even a home Wi-Fi connection may not be secure due to improper configuration or outdated security protocols.
An enterprise-class virtual private network (VPN) is the best way to provide a secure, encrypted connection. Restrict or forbid access to critical assets for users working without a VPN session, and segment your network so you can treat other traffic as guest access.
Phishing and Social Engineering
Phishing is a bigger threat on a mobile device than on a computer because it’s harder to spot phishing websites on mobile browsers. Mobile users also can’t take common security precautions such as hovering over a link or sender’s address to identify a red flag.
Awareness training is a good first line of defense against phishing. Educate your workforce on the increased risks of phishing and social engineering when using mobile devices.
Other Best Practices to Implement for Your Mobile Workforce
24x7 Network Monitoring
Monitoring your network 24x7 is critical to your ability to respond to threats effectively. If a mobile device becomes compromised, you need to identify the problem quickly.
Around-the-clock monitoring is even more important when many employees work from home. They often establish a more flexible work schedule based around family needs, which means they may access your network and data anytime, day or night.
Consider implementing a managed device program and requiring employees to enroll their personal devices. This enables you to better control what corporate data they can access and how, helps ensure they keep devices up to date, and helps address security risks like stolen or lost devices.
Additionally, if you have a managed detection and response provider, take advantage of the vendor’s endpoint agent to gain visibility into your remote workforce.
To protect against compromised user credentials, use multifactor authentication (MFA) as much as possible. Don’t use it just for your applications, but also for your VPN, intranet, and any other system your workforce may access remotely.
For increased protection, consider a solution that helps you quickly identify credential theft, so you can require password resetting before a bad actor takes over an employee’s account.
Cloud infrastructure monitoring: Your mobile employees likely rely on cloud-based applications.
While enterprise-class cloud applications have built-in security, it’s not enough to protect you from a data breach.
Monitor your cloud workloads and applications for security risks. Ensure that your data-use policies also apply to cloud apps, and reinforce those policies just like you would for on-premises data.
Create mobile device policies: Before you allow your mobile workforce to use their personal devices, create policies to minimize your biggest risks.
Here are some questions to address:
- What type of work-related activities will you allow on mobile devices?
- What type of data can employees access on their devices? Do you a have data-classification policy, or will you create one?
- How will you enforce security requirements, such as regular patching?
- What are the alternatives for employees who can’t meet the security requirements?