As personal mobile devices (BYOD) are used in the business world, leaks from those devices are opening the door to stolen business data and crippling corporate cyberattacks. A compromised smartphone is a threat not merely to the targeted employee but to the entire company. Information about employees' activities, both on the job and elsewhere, combined with any company-related emails, documents or highly sensitive information, can be devastating to an organization if it gets into the wrong hands.
When a company allows its employees to sync their corporate calendars and email accounts to their mobile devices, it creates all sorts of risks. Employees' phones contain the contact information of all the staff in the organization. Any mobile app that requests access to an employee's contacts and calendar also gets access to the names and titles of company employees. This information can easily be put to effective use in a phishing attack by a malicious app or hacker.
Many apps monetize their user bases by sharing data with ad networks that combine data with other networks. It’s impossible to know where exactly data is going and whether it’s handled in a secure fashion. All of this means a malicious hacker doesn’t even have to directly access an employee’s phone to attack a company. He can access an ad network that has information from millions of users and go from there.
For example, a small group of executives has lunch regularly at a local restaurant. An attacker with access to their geolocation data could easily know this. By placing malware on the lightly defended hotel site, the attacker is able to compromise the office computer or mobile device of one or more company executives. It's easy to breach mobile data using this technique.
So what should enterprises do to combat the threat?
The first step is to get visibility into the mobile environment. The organization needs to know which apps employees are using, what those apps are doing and whether they comply with the organization's security policies. For instance, is there particularly risky file-sharing software you don't want employees to use?
There should be a policy in place for managing the use of mobile devices. For instance, if employees are using free versions of apps that are approved by the company but ad-supported, a policy should be enacted that requires employees to upgrade to the paid version to minimize unsanctioned data in the form of ads, although this doesn't eliminate the relentless collection of personal and private data.
Next, your organization should educate employees about the hazards of the applications they download. It's in the organization's best interest to empower users by arming them with tools and training them to make better choices about which applications they download. For example, coach your employees to question applications that ask for permissions. Lots of apps want access to location, contacts or the camera. Employees do not have to say yes automatically. Most applications will continue to work fine if the request is denied, and will prompt users if a permission is actually needed. If an application does not say why it needs access, that is a major red flag.
Finally, all of these areas can be addressed with a good mobile security solution. Any enterprise with no mobile threat protection solution is by definition not aware of what information is leaked, and unable to address the risks that exist in its environment. Enterprises need to include mobile risk protection as part of their overall security strategy in order to safeguard staff privacy and company data from the ever-growing risk of mobile surveillance and data gathering.