Many people still think that conducting business on a smartphone is safer than using a laptop or a desktop, but that's simply not true. Any computing device that connects to the Internet is subject to cybercrime, but you can't run a business without connecting devices to the Internet. So what’s a mobile security-conscious small business owner to do?
Your best defense against small business mobile security threats: understand the threats and take preventative actions. Experts weigh in on what you need to know about small business mobile security—and what steps you need to take now.
Assessing Small Business Mobile Security Threats
Are mobile security threats really that big a thing?
"The threat level is slightly overestimated, but it is growing," said Paul Kubler, the digital forensics and cybersecurity examiner at LIFARS, a computer device security firm. Notice he said "slightly" overestimated—and growing, so take no comfort.
"It only takes one targeted infection to destroy your privacy, to ruin a company, or to take down a nation," said Jeff Zacuto, product marketing manager for mobile products at Check Point Software, an IT security products provider. "Although infection rates sound low, the threat is quite significant."
And according to Aaron Hanson, senior manager of Norton security products, "Mobile device security threats are very real. In 2014, we detected 9,839 cumulative Android malware variants. The most common infiltration method is malware disguised as an app. In fact, we found 17 percent of Android apps were malware in disguise."
And don’t make the mistake of thinking that iOS devices (iPhones and iPads) pose less of a mobile security threat for your small business.
"While Android ranks as the number one mobile target for hackers, Apple devices are just as desirable. Symantec detected twice as many iOS threats in 2015 compared to 2014," said Hanson.
Older mobile security threats still exist, of course, and the usual protection methods—including antivirus and anti-malware products—still apply. It's not that new mobile security threats require new protections, but rather that small business owners need to add another layer or two of protections. Consider that the case for time eternal, because cybercriminals always think of new ways to attack.
Typically, the antivirus software you currently use on office desktops has a mobile component that you can load to all mobile devices—usually for no extra fee. If you haven't done that, do it now. If your employees use their personal mobile devices for work, insist that they download this basic protection—and verify it. Don't assume they will just because you told them to.
Darren Guccione, CEO and co-founder of Keeper Security, put it bluntly. "Most people are negligent when it comes to mobile device security. We don't take the same precautions with our mobile devices as we do with our desktops and laptops," he said.
Calling that a serious oversight, Guccione added, "Last year, Arxan Technologies reported that 97 percent of the Android and 87 percent of Apple iOS apps on the top 100 list were hacked. Of the most popular free apps, 80 percent of Android and 75 percent of iOS apps were hacked."
New Mobile Security Threats
Moving beyond the usual mobile security threats—chief among them being mobile apps loaded with malware and connecting to unsecured public Wi-Fi networks—a number of new threats have gained notoriety. These include Remote Access Trojans (RATs) and user credential mimicking.
Understanding Malware: RATs and Trojans
Criminals typically send RATs—the newest strain of which is known as OmniRAT—to a mobile device via text messaging. The text uses convincing language to fool the employee into believing it's a legitimate security tool or app provided by the company or another trusted source.
"As the adoption of mobile banking grows, attacks on mobile devices grow as well with RATs becoming the primary tool of attack to gain access to users' online mobile banking accounts," said Oren Kedem, VP of products at BioCatch, a provider of behavioral authentication and malware detection products for Web and mobile applications.
"The newest breed of mobile malware tools such as OmniRAT use MMS messages to infect the employees who may be fooled into installing it," he added. "Once installed, these malware applications allow the criminal to engage in RitM (RAT-in-the-Mobile) attacks that include remote tracking and operation of the employee's device. Remote access lets criminals compromise personal information and allows cyber-thieves to submit fraudulent transactions straight from the employee's device."
Those fraudulent transactions may also occur on company credit card, vendor, and bank accounts.
RitM attacks can be adapted to access other company data on the mobile device—or in your company database—through the remote use of a legitimate worker's mobile device. You can expect hackers to use new malware tools to find lots of creative ways to steal company information as well.