Last week, we had an overview of the increasing concerns and security challenges surrounding mobile devices. This week, we continue the conversation about mobile devices with Eric O’Neill. Eric is a former FBI counterterrorism and counterintelligence operative, cybersecurity keynote speaker, and founder of The Georgetown Group and Nexasure AI.

Managed service providers (MSPs) and others often overlook mobile devices because they can easily be dismissed as “personal devices.” Especially in the post-pandemic world, the line between work and home has become increasingly blurred.

“Mobile devices that connect to secure networks and data systems must receive the same attention and cybersecurity controls as the laptops administered by the company’s IT organization,” O’Neill states. He adds that each mobile phone is an endpoint that may grant access to data systems, saying, “MSPs and CISAs should ensure that robust endpoint security is installed and prioritized through policy on all mobile devices, business and personal, that access critical networks.”

Mobile security challenges and best practices

Such cybersecurity includes encryption for business data and email, multifactor authentication enabled for every device, and a policy that requires robust passwords and unlock codes. O’Neill also points out that mobile phones should have “need to know” access to sensitive data, along with application control to prevent the installation of malicious applications.

Still, as widespread as mobile devices are, do they present a security threat?

O’Neill says yes. “Mobile devices are prime targets for cybercriminals,” he warns. It doesn’t always take a high-tech hacker who is using the latest tools. “Criminals will ‘shoulder surf’ a potential target in public places and wait for the individual to unlock their phone with a code. Once the code is memorized, they will steal the phone and quickly change the code and cloud account passwords, essentially controlling the phone.”

Mobile users also tend to leave a trail of downloads, which O’Neill explains can make a person or business vulnerable. “Mobile users download a large array of applications, many of which do not deploy robust security or may themselves be malicious,” O’Neill shares. He adds that security safeguards are not as sophisticated for mobile phones as they are for desktops. “It places much of the security onus on the mobile device owner, which is never a good cybersecurity strategy.”

Securing mobile devices

It is more common than one would think for employees to use personal mobile devices for business work without a robust bring-your-own-device (BYOD) policy in place. “Cybercriminals know that organizations will often overlook mobile phones as a primary gateway to launching sophisticated cyber-attacks,” O’Neill says.

“These devices may not implement critical mobile security controls like encryption, ‘need-to-know’ access to secure networks, multifactor authentication, and password control,” he continues, adding that because of this laxity, most phishing sites now target mobile devices as well as desktop computers.

“Statistically, a user is far more likely to click on a malicious link sent via SMS to a mobile phone than a spear phishing email sent to their computer mailbox,” says O’Neill. He points out that mobile phones will only become more ingrained in our lives as time passes. MSPs and security specialists must treat them like business vulnerabilities.

“Our mobile phones are not simply repositories of our most personal data, they are now our digital identities. We have replaced our father’s bursting wallet or mother’s overstuffed purse with the digital equivalent of IDs, credit and bank cards, and membership cards,” states O’Neill. “The future of mobile technology must follow the best cybersecurity practices for other endpoints. This includes intrinsic security built upon zero trust. Future mobile devices will be built from the ground up with multiple and redundant security controls in place. They will be biometrically tied to a single user and monitored by threat-hunting artificial intelligence (AI).”

Until that happens, users need to stay alert. Also, MSPs would benefit from offering mobile device security as a separate service.


Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.
