Mobile users are able to connect to the Internet from virtually anywhere, which is great for productivity but also poses significant security risks for enterprises. When employees use unsecured public hotspots, computer-to-computer access points, file sharing or peer-to-peer protocols, their login credentials and corporate data can be compromised.
Here’s a look at seven mobile security threats as identified by Umbrella Security Labs and the ins and outs of how to address the risk
1. Untrusted Networks
Most users are oblivious to the risk associated with connecting to unsecured Wi-Fi networks. Public hotspots often have no security and can be easily compromised. In both scenarios, criminals can eavesdrop on communications or steal login credentials.
To ensure private company data is protected when remote workers are accessing it, all communications, regardless of app, protocol, or port, should be encrypted. Today this can be achieved using virtual private networks (VPN) to securely route all traffic through the corporate network. Most VPNs, however, are currently only compatible only with laptops, leaving phones and mobile devices unprotected, and the connection comes at a cost to both speed and performance.
2. Performance vs. Security
While VPNs add effective security, backhauling traffic from all devices through a security appliance on the corporate network creates a tremendous bottleneck and introduces latency for the end user. Unfortunately, it isn’t feasible for network administrators to install VPN appliances at every site, so users face a tradeoff between the speed of their connections and the security of company information. Slower connections mean your users are going to disable or work around VPN security.
In addition to educating users on the importance of adhering to security policies, enterprises can ensure greater compliance by using cloud security solutions that do not introduce latency for mobile workers.
3. Cloud Computing
The cloud enables employees to access resources they need by connecting directly to Salesforce, Basecamp, Google Drive, or other cloud-based services. They can access the data and applications they need without connecting to corporate network—or its security controls.
IT departments can regain control by placing security in the cloud using the DNS infrastructure, so that users are automatically protected when they access cloud resources.
Many employees using their personal smartphones and tablets to access company resources are still doing so outside of the control of IT departments. Unlike with corporate-owned devices, partially disabling functionality of the users own device, or requiring the use of secure browsing apps is not always feasible. A more transparent and practical approach uses the Internet to apply security controls and enforce policies when users are working from personal devices.
Today, employees are checking email, accessing data and writing code from anyplace they find time to check their smartphone, at all times of day. Maintaining security outside the corporate network in airports, hotels or at home is extremely difficult on either personal or company-issued devices.
Location-aware policy enforcement can recognize when devices leave the corporate network and turn off all or most content filtering, while still keeping security protections on. This approach enables organizations to balance network security and user freedom.
6. Login Credentials
With so many user accounts and passwords to remember, employees are likely to reuse the same set of credentials all over the Internet. This practice exposes corporate login credentials to phishing and spear phishing attacks.
Single-sign on and two-factor authentication can help reduce the risk, but these approaches are costly and complex to implement and manage. While end user education on password hygiene and not clicking on email links is valuable, it is not infallible. Using web security that prevents users from accessing malicious sites when they click on a phishing URL and encrypting all data over untrusted networks are better alternatives.
7. Non-Web Attacks
Attackers are now using non-web and email protocols (e.g. P2P, IRC, DNS tunnels) and ports to bypass traditional network security mechanisms.Using newer security solutions that can enforce security policies and controls on any application, protocol or port can provide better coverage than web and e-mail centric protection products can.
To protect mobile endpoints, security must work the way employees work: anytime, anywhere, and on any device. One way to achieve this is to integrate security with the infinitely scalable, highly available architecture of the Internet itself.