Small Business Mobile Security Threats and Fixes

by Pam Baker

Good news: mobile devices help small businesses be more productive. Bad news: they also help cybercriminals steal your data. We look at new mobile security threats and how to protect your business.

Many people still think that conducting business on a smartphone is safer than using a laptop or a desktop, but that's simply not true. Any computing device that connects to the Internet is subject to cybercrime, but you can't run a business without connecting devices to the Internet. So what’s a mobile security-conscious small business owner to do?

Your best defense against small business mobile security threats: understand the threats and take preventative actions. Experts weigh in on what you need to know about small business mobile security—and what steps you need to take now.

Assessing Small Business Mobile Security Threats

Are mobile security threats really that big a thing?

"The threat level is slightly overestimated, but it is growing," said Paul Kubler, the digital forensics and cybersecurity examiner at LIFARS, a computer device security firm. Notice he said "slightly" overestimated—and growing, so take no comfort.

"It only takes one targeted infection to destroy your privacy, to ruin a company, or to take down a nation," said Jeff Zacuto, product marketing manager for mobile products at Check Point Software, an IT security products provider. "Although infection rates sound low, the threat is quite significant."

And according to Aaron Hanson, senior manager of Norton security products, "Mobile device security threats are very real. In 2014, we detected 9,839 cumulative Android malware variants. The most common infiltration method is malware disguised as an app. In fact, we found 17 percent of Android apps were malware in disguise."

And don’t make the mistake of thinking that iOS devices (iPhones and iPads) pose less of a mobile security threat for your small business.

"While Android ranks as the number one mobile target for hackers, Apple devices are just as desirable. Symantec detected twice as many iOS threats in 2015 compared to 2014," said Hanson.

Older mobile security threats still exist, of course, and the usual protection methods—including antivirus and anti-malware products—still apply. It's not that new mobile security threats require new protections, but rather that small business owners need to add another layer or two of protections. Consider that the case for time eternal, because cybercriminals always think of new ways to attack.

Typically, the antivirus software you currently use on office desktops has a mobile component that you can load to all mobile devices—usually for no extra fee. If you haven't done that, do it now. If your employees use their personal mobile devices for work, insist that they download this basic protection—and verify it. Don't assume they will just because you told them to.

Darren Guccione, CEO and co-founder of Keeper Security, put it bluntly. "Most people are negligent when it comes to mobile device security. We don't take the same precautions with our mobile devices as we do with our desktops and laptops," he said.

Calling that a serious oversight, Guccione added, "Last year, Arxan Technologies reported that 97 percent of the Android and 87 percent of Apple iOS apps on the top 100 list were hacked. Of the most popular free apps, 80 percent of Android and 75 percent of iOS apps were hacked."

New Mobile Security Threats

Moving beyond the usual mobile security threats—chief among them being mobile apps loaded with malware and connecting to unsecured public Wi-Fi networks—a number of new threats have gained notoriety. These include Remote Access Trojans (RATs) and user credential mimicking.

Understanding Malware: RATs and Trojans

Criminals typically send RATs—the newest strain of which is known as OmniRAT—to a mobile device via text messaging. The text uses convincing language to fool the employee into believing it's a legitimate security tool or app provided by the company or another trusted source.

"As the adoption of mobile banking grows, attacks on mobile devices grow as well with RATs becoming the primary tool of attack to gain access to users' online mobile banking accounts," said Oren Kedem, VP of products at BioCatch, a provider of behavioral authentication and malware detection products for Web and mobile applications.

"The newest breed of mobile malware tools such as OmniRAT use MMS messages to infect the employees who may be fooled into installing it," he added. "Once installed, these malware applications allow the criminal to engage in RitM (RAT-in-the-Mobile) attacks that include remote tracking and operation of the employee's device. Remote access lets criminals compromise personal information and allows cyber-thieves to submit fraudulent transactions straight from the employee's device."

Those fraudulent transactions may also occur on company credit card, vendor, and bank accounts.

RitM attacks can be adapted to access other company data on the mobile device—or in your company database—through the remote use of a legitimate worker's mobile device. You can expect hackers to use new malware tools to find lots of creative ways to steal company information as well.

Small Business Mobile Security Tips

Kedem offered these mobile device security tips to help you protect your small business from remote access Trojans:

  • Educate employees that they should NOT install non-standard mobile applications—especially from sources outside the app stores.
  • Teach employees not to make any changes on their mobile phone (change settings, download software) at the request of a "trusted source" that they receive through unsolicited email, texts, or phone calls.
  • Instruct your employees to disable the "remember-this-device" feature for applications that hackers might exploit for fraud or data theft. In other words, require employees to authenticate every time they access any company apps or networks.
  • Consult with app providers (e.g. banks) regarding their level of mobile device security protection against malware and remote access attacks in particular.

Mobile Security Threats: Credentialed User Mimicking

Stealing data or funds through remotely accessing an authenticated employee's mobile device is not the only way criminals can wreak havoc. They can also mimic your user credentials in such precise detail that you—or your IT department—can't tell that it's not the authorized person accessing information.

Cybercriminals build databases on thousands upon thousands of people in such minute detail that they can mimic almost anyone. Where do they get the information on your employees? According to an article in InformationWeek, they buy some of it from legitimate data brokers, but they reap a lot of it from other data breaches or buy it from the breachers.

It doesn't help that marketers collect and store excessive amounts of personal data on customers and prospects for hackers to retrieve later. You can expect data breaches to continue and for the amount of personal data on your employees and company officers to continue to grow as a result.

Criminals use this information to thwart your efforts at identity and access-management by thoroughly impersonating the user—sometimes right down to their fingerprints.

"Contrary to a popular belief, fingerprints are not unique, and out of 5.6 million fingerprints compromised, there can be quite a few people who have fingerprints similar enough to be accepted by the biometric authentication system," said Igor Baikalov, chief scientist for security-intelligence company Securonix, in the aforementioned InformationWeek article.

That means biometrics may not offer your company much protection if hackers obtain the biometric information through a data breach—either of a company or of a government agency—even though the breaches may be completely unrelated to you and your company.

How do you protect your company against such an attack? For now, multifactor authentication techniques are your best bet.

"The best authentication, as the old adage goes, requires something you are, something you have, and something you know," said Tim Erlin, director of IT security and risk strategy at cyberthreat intelligence vendor Tripwire in the aforementioned InformationWeek article.

Stay diligent about mobile device security; all it takes is one slip to leave you, your employees and your company exposed. If you need more help, explore the cybersecurity options that your cellular phone carrier and your current security product vendors offer, and then compare that to what competitors offer. Odds are you can find products and services that precisely fit your needs and budget.

But if you're still concerned after doing all that, you might also want to consider cyber security insurance. You can choose from many different policies to offset both your liabilities and your losses.

Pam Baker has written for numerous leading publications, including Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, the NY Times, and Knight-Ridder/McClatchy newspapers.

This article was originally published on Monday Feb 8th 2016