Remote working is now a fact of life. Last year, it was mainly road warriors using public access WiFi in public spaces and from home to reach corporate systems. More recently, we have seen people increasingly forced to work from home (“WFH”), and all indications are that WFH will become a permanent feature of work life.
The devices used are also changing. Home users tend towards PCs, and road warriors use portable smart devices like tablets, laptops and smartphones. It seems that smart devices are becoming the device of choice, even for some home users.
Part of the reason for this move is Bring Your Own Device (“BYOD”), where the user supplies the equipment. They are comfortable with it, and in many cases already have it. While BYOD reduces capital expenditure, it brings in its wake some serious Cyber Security concerns.
Smartphone vulnerabilities are not new. They have been around for about a decade or so, but are only now becoming a Cyber Security concern as smartphones are increasingly used to access corporate systems.
There are a variety of Cyber Security threats:
- Users might routinely protect desktop computers but don’t see smartphones as needing the same type and level of security.Friends, family members and the users themselves might use Home PCs and smart devices for gaming and access to dubious websites, increasing the threat of malware attacks.
- IP and data theft. Many users download information onto their phones, corporate contact lists, documents, email and attachments, for example. Careless use of Bluetooth can also allow hackers to gain access to smartphones and steal data.Hackers now see smartphones as a rich source of corporate data because of the lower security levels found on them. The number of attacks on smartphones is increasing. Reported attacks doubled between 2017 and 2018.
- When a user leaves the company, or the device is lost or stolen, the data goes with the device. Depending on where the phone ends up, it could be used by hackers or thieves.
It’s not just the Android or IoS operating systems commonly found on smartphones that are a threat. Some apps bring vulnerabilities with them. WhatsApp, for example, was used as a vector to install malware.
Some, particularly the cheaper smartphones are clones of the major manufacturer’s devices and use pirated, re-engineered or old versions of Android. They introduce new vulnerabilities, and because of outdated software, can make secure WiFi and data connections difficult or impossible.
There are even hardware vulnerabilities. Bluetooth, via the BlueBorne exploit, has been used to deliver malicious code to a phone without the user knowing. It allows a hacker to snoop on calls, read messages and deploy ransomware. The worrying bit was that the two Bluetooth devices did not need to be connected. The hack bypassed all authentication and authentication checks and worked in less than ten seconds.
How then do IT manage remote smart devices, in particular smartphones to prevent hackers exploiting vulnerabilities?
The first thing is, of course, to spot vulnerabilities. Don’t panic, most users will not be affected, and anti-malware software will catch most problems.
Most reputable suppliers will tell the world of potential problems and issue OTA fixes to correct the vulnerabilities. There are apps available to protect against malware and to advise of any unusual behaviour.
Run regular malware scans and remove any apps and data you no longer need.
In a corporate environment, IT needs to take control. Remote users must read and sign conditions of use, reinforced each time they connect to the corporate network. It should include:
- Only authorised devices can connect to the corporate network, and must use the corporate VPN client to do so.
- Smartphone users must allow IT to exercise remote management of the device to install anti-malware and spyware software and to reset the phone to factory settings to delete all corporate information if the phone is stolen or lost.
Smartphones are increasingly becoming the access device of chose for many users. Because they are personal devices, often fulfilling both personal and professional needs, making sure that they are secure in both environments is an ongoing and challenging task.