Rogue devices. It’s a term that sounds very dramatic, right? In the cybersecurity space, however, a rogue device is simply one that doesn’t match up with the security protocols placed on a company’s network. In a world where we are increasingly interconnected, most modern ‘rogue devices’ are, in fact, our mobiles, tablets, and other personal devices, piggybacking off of company networks.
Because of this, they can quickly become a way for hackers and other malicious parties to bypass firewalls and other important company safety protocols, making them something of a headache for IT departments everywhere, especially as it becomes more common for companies to expect employees to use personal devices for company matters. Cybercrime and mobiles are a growing threat pair, so let’s take a look.
Rise in Cybercrime
While ‘cybercrime’ sounds like something straight out of a videogame, it’s a very real threat to both individuals and modern businesses. And one that’s growing exponentially as we adjust to a work environment that includes remote teams spread across the globe, hybrid work plans, and, as we mentioned, the use of employees’ personal assets in the work environment.
There’s a perception among the general public that mobile devices are ‘safer’ from security intrusions than PCs or laptops. While it was once true that the different OSs associated with mobile devices (mostly iOS or Android) did not have the same security risks as the then more prolific Windows, that time is long past. Nor is cybersecurity just about avoiding viruses, which are still less common on these platforms than on PCs and laptops. Cybercriminals are well aware that huge swathes of the market now belong to mobile devices, and that they are the primary internet access point for most people daily. There can be no surprise they’re now a common hacking vector.
Additionally, the concept of a mobile workforce has become the business norm. People expect workers to work from anywhere, keep in touch on the road, and stay productive no matter where they are. They’re doing that through mobile devices, often without so much as a VPN to help, and often still with full access to company networks through these devices. The need to protect sensitive data doesn’t fall away just because you aren’t physically at a desk. Yet most businesses are not taking notice of the risk of cyberattacks through smartphones and tablets, as well as the wider Internet of Things.
Bring Your Own Device: Bad Idea
These devices were once labeled ‘rogue’ on company networks because they were unwelcome in the office. Today, most companies expect the use of personal devices as a given, creating an interesting blur between private and corporate spheres. What risks come with this blurring of boundaries?
- Unsecured networks: Most users access company networks with precisely zero thought to where they are doing it. Do local coffee shops have free wifi? At the airport? While collecting the kids? Little to no consideration is given to the safety of these networks or the sensitivity of the data being accessed.
- Data leaks: Do you know what security permissions each app on your phone has? If you do, congratulations, you’re in a decided minority!
- Phishing: Phishing is not limited to mobiles, of course, but with more users accessing corporate emails through personal devices, the frequency of falling for these scams is on the rise.
- Spoofing: It’s common for hackers to set up ‘free wifi’ points that look legit, but require a ‘free signup’ to use. Blissfully oblivious, users sign up with an email and password they have in common circulation. And boom, a hacker’s paradise is created.
- Spyware: The use of spyware on mobiles is rising, allowing data to be gathered and sent to third parties.
- Faulty cryptography: Caused by too much haste in the app development cycle, or where encryption is strong but back doors aren’t closed, this means the app deploys with security vulnerabilities. Then users either fail to update as they are fixed, or the developer doesn’t fix them at all.
- Session Handling: Lastly, apps can be built so that users don’t authenticate themselves in every session. It’s faster for the user, but hackers can easily exploit this to masquerade as the legitimate user.
Not Just A People Problem
Of course, this is not just about users or user behavior. Many people show a reluctance to use personal devices in the workplace, but there’s a heavy expectation from companies to do so, mostly for profit-hungry reasons. Surveys have repeatedly shown us that a large proportion of businesses are happy to sacrifice security for both convenience and ‘business performance’ (read that one as ‘more profit because we don’t have to supply devices’).
Likewise, workplaces commonly don’t educate staff about the risks of network access through mobiles. Infrastructure goes un-upgraded, conversations around how sophisticated phishing has got aren’t had, and the need for cybersecurity in the workplace is simply never raised among staff nor treated as a priority by management. There’s a wealth of convenient, scalable security products out there, but it doesn’t help to implement them after the issue occurs!
Identity and Access Management for personal mobile devices in the workplace should be a priority for all companies, but it simply isn’t.
Running on a business VPN, for example, should be a standard protocol. Yes, it’s essential that staff members can work from anywhere, but you still need their point of entry to your network to be safe and protected. Access protection is a must.
It is also smart to enact strong security protocols around access. Not every user needs to access your enterprise applications and most sensitive data at will. With a strong security solution in hand, you can choose who has access to what, creating a safer and more streamlined working space.
And when user mobile behavior is tracked, the focus is typically placed on low-priority issues such as whether they’re accessing social media on company time. While time management can matter, it’s critical your first level of care is ensuring they are using security features like multi-factor authentication and brute force attack protection while using company resources.
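The controls named above (business VPN as the point of entry, per-role access, multi-factor authentication, and brute force protection) can be combined into a single access decision. The sketch below is an added example, not code from any product mentioned here; the role names, resource names, and lockout thresholds are hypothetical values chosen for illustration.

```python
import time
from dataclasses import dataclass

# Hypothetical policy: which roles may reach which company resources.
ROLE_ACCESS = {
    "finance": {"erp", "mail"},
    "sales": {"crm", "mail"},
    "contractor": {"mail"},
}
MAX_FAILURES = 5          # failed logins tolerated inside the window (assumed)
LOCKOUT_WINDOW = 15 * 60  # seconds (assumed)

@dataclass
class Request:
    user: str
    role: str
    resource: str
    on_vpn: bool
    mfa_passed: bool

class AccessGate:
    def __init__(self):
        self._failures = {}  # user -> timestamps of recent failed logins

    def record_failed_login(self, user, now=None):
        now = time.time() if now is None else now
        self._failures.setdefault(user, []).append(now)

    def _locked_out(self, user, now):
        # Keep only failures inside the window, then compare to the limit.
        recent = [t for t in self._failures.get(user, []) if now - t < LOCKOUT_WINDOW]
        self._failures[user] = recent
        return len(recent) >= MAX_FAILURES

    def decide(self, req, now=None):
        """Return (allowed, reason); the first failing check wins."""
        now = time.time() if now is None else now
        if self._locked_out(req.user, now):
            return False, "locked out after repeated failed logins"
        if not req.on_vpn:
            return False, "not connected through the business VPN"
        if not req.mfa_passed:
            return False, "multi-factor authentication not completed"
        if req.resource not in ROLE_ACCESS.get(req.role, set()):
            return False, "role is not entitled to this resource"
        return True, "ok"
```

Unknown roles fall through to an empty entitlement set, so the gate denies by default rather than allowing anything it has no rule for.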
As the risk of cybercrime grows, mobiles in the business environment are set to become even more of a focus for hackers and other malicious entities. It’s time for businesses, and employees, to wise up to staying safe while working remotely, and to put a bigger focus on closing the loopholes left by mobile access to business infrastructure.
