Mobile Device Security – The Good, the Bad, and the Ugly for Network Security

In this post, we’ve got some good news and some bad news for you. We also have some very bad news for you. Let’s get through the very bad news first (or, rather, the ugly news), so we can move on to the merely bad news and finally arrive at the good news.

Are you ready? Prepare yourself, because the mobile device findings below are pretty worrisome stuff when it comes to network security.

The Ugly Truth – Your BYOD Policy May Be a Menace

A very recent article in Motherboard brought a disturbing fact to light: T-Mobile, Sprint, and AT&T are indirectly selling mobile device locational data to bounty hunters, which means absolutely anyone can find the location of a phone serviced by these carriers. If you allow your employees to bring and use their own mobile devices at your company (a practice called BYOD, or “Bring Your Own Device”), that means anyone can locate and possibly even steal a phone that holds sensitive data from your company.

Phones and tablets are lost or stolen regularly, and that’s especially concerning when you consider that 85% of organizations now enable BYOD for employees, contractors, customers, or partners, yet only 56% have remote wipe capabilities that can remove sensitive data from the smartphones that connect to their network. (More on that later.)

Physical theft is bad, but today’s cybercriminals don’t even have to go to the bother of stealing phones to access your data. They can rely instead on unsecured Internet of Things (IoT) devices connected to your network, which can give them all the access they want.

Think you don’t have any unexpected IoT hampering your network security? Think again. A May 2018 report from Infoblox found that business networks were riddled with shadow IoT devices (i.e. IoT devices your business hasn’t sanctioned), including FitBits, digital assistants like Google Home or Amazon Alexa, smart TVs, game consoles, and even smart kitchen appliances! (Seriously, people. Kitchen appliances connected to a work network? Truth really is stranger than fiction.)

These shadow IoT devices, often with easy-to-Google passwords, can be hacked and used to access or spy on your network. They can also hijack your network performance if they’re roped into becoming part of a botnet army.

Quick definition: A “botnet army” is a collection of hacked devices (usually unsecured IoT), which, together, are used to amass power for a large-scale cyberattack against another company or website.

A good example of this type of cyberattack is the 2017 event outlined by Verizon, in which connected devices at a university, “everything from light bulbs to vending machines,” were conscripted as part of a botnet army, which slowed or stopped network connectivity on campus for nearly a full day.

Therefore, the ugly truth is that, even if criminals decide not to steal the physical phones that they can easily track down, they can still use phones and connected IoT devices to steal your business’s internet connectivity or gain access to your systems.

In other words: You may want to rethink your BYOD policy, or at least ask for some advice in building up your network security.

A full-service MSP can help you set up policies and protections that are specifically geared toward IoT, which is really important because mysterious smart kitchen appliances or lightbulbs are a liability for your network. It’s critical for your company to ensure you can immediately identify every IoT device that’s connected to your network, so your network security doesn’t end up with unexpected holes.

The Bad News – The Policies You Have in Place Probably Aren’t That Effective

Already have a clear BYOD policy in place that you created to protect your systems and network? That’s pretty awesome. You definitely get kudos for thinking ahead. However, you have to make sure that your employees follow your policy.

According to that 2018 Infloblox study we mentioned earlier, 88% of surveyed IT leaders said their security policy was effective or very effective, yet only 24% of surveyed employees knew whether or not their company had a security policy. That tells us there’s a lot of employees who aren’t following policies, and IT has no idea about the problem.

But how bad could it be? How much does a security policy truly matter? Are your employees actually going to download malware onto their phones?

The short answer is: “Yes. Your employees’ devices may very well get malware, even if your employees are relatively tech-savvy.”

Consider: How many 6-year-olds have you seen playing with their parents’ phones or tablets while sitting in restaurants? Can those 6-year-olds tell if a game they want has malware or not? Would they want a game with malware?

Once again: “Yes.”

According to a TrendMicro report from January 2019, an awful lot of games are actually malware. In fact, the report found that one specific form of spyware, often masquerading as cutely-named games, was downloaded more than 100,000 times from the Google Play store in 2018 alone. The spyware was able to steal social media credentials, user locations, SMS conversations, clipboard items, and call logs.

It’s not like this is an isolated incident either. In 2017, Google removed nearly 2,000 malicious apps per day from the Google Play store. Unfortunately, apps are a leading form of cyberattack because they’re fast to create and tempting to download. If you don’t have a mobile device policy set up at your company, or if you haven’t been enforcing the policy you already have, you may be placing your network security in danger.

But there’s good news. (Hooray!)

The Good News – There Is a Way to Better Secure Your Data

If you’ve been reading the Interplay blog for a while, you already know that the best way to secure your networks from ransomware or other cyberattacks is to:

  • Install patches and upgrades quickly
  • Use unique, complex passwords for each of your accounts(a password manager like Dashlane or LastPass can help with this)
  • Use two-factor authentication for an extra layer of security
  • Use antivirus, firewalls, and business continuity backups

However, there’s also another trick you can use to secure your systems: use Microsoft Office 365 for your email and file storage on the go.

It sounds like a sales pitch, we know, but it’s really not. It’s just plain old good advice.

After all, Office 365 can help you store shared sensitive data on a protected OneDrive account, instead of in the wide range of unsecured file systems your employees would otherwise use. Plus, Office 365 features Advanced Threat Protection (ATP), which can scan emails for known malicious links and block those emails entirely. This feature can be applied to all devices or just to that one employee you have who will click on anything. No matter how you apply ATP, it’s highly likely to help increase your network security.

Another helpful feature in Office 365 is its remote wipe capabilities. You can remove selective company data from BYOD devices with your Office 365 apps installed on them, or you can perform a full wipe, if needed. A selective wipe works if the phone, tablet, or laptop is lost or stolen – and a full wipe is used when the device may have stored sensitive data, like a downloaded file or cached email.

If you’re curious about what else Office 365 can do for your small or mid-sized business, feel free to access our white paper on Office 365. But if you’re not interested, that’s okay too. Remember, we’re not trying to sell you Office 365, we’re just trying to let you know about the latest threats to your network security. And we’re making suggestions for helpful products and services that may combat those threats.

The real key to network security, though, is making sure that you have some sort of security plan in place, that your plan is enforced, and that you have reliable backups available to you when you need them. You should also know where your vulnerabilities lie.

 

Not sure where your company is vulnerable? It’s easy to find out. See if you qualify for a free network security scan from Interplay, the IT services company that’s been protecting Seattle businesses since 2001.