How to ensure cybersecurity on corporate devices

Corporate mobility has opened up a world of possibilities to expand the organization's reach, immediacy as a weapon, and collaboration as an ally for the business. However, this undoubtedly poses a significant security risk as it grants access to corporate networks and databases with confidential information from potentially insecure devices.

Just last March, Google experts identified 18 vulnerabilities in some Android phones that provided access to the devices through a dedicated processor. In May, Apple addressed 3 new zero-day exploits associated with the device's browser engine.

These examples demonstrate that cybercriminals discover new ways to carry out their attacks every day, emphasizing the importance of a robust policy to protect the devices that connect to the company daily.

Most frequent threats on mobile devices

Below are some of the main security threats for mobile devices:

• Phishing: While phishing on computers typically spreads through fake messages with malicious attachments or links, in the mobile world, most phishing attempts come from social networks, text messages, or apps. A variant is smishing, which involves stealing a user's credentials when they access a malicious link received via SMS.
• Malware and Ransomware: The most common mobile malware includes malicious apps designed to harm, disrupt, or gain unauthorized access to a device. Among malware types, ransomware stands out as the most common variant, with costs increasing each year.
• Rooting and Jailbreaking: Rooting and jailbreaking are methods that allow users to gain administrator access to their mobile device to download malicious apps or increase app permissions.
• Man-in-the-Middle Attacks: These attacks intercept network traffic to obtain sensitive data in transit or modify transmitted information. Mobile devices are particularly vulnerable to these attacks because, unlike web traffic (which uses SSL/TLS encryption), mobile apps can transfer sensitive data without encryption.
• Spyware: A type of malware that monitors user activities and provides access to data such as device location, browser history, phone calls, photos, and videos. Its purpose is often identity theft, financial fraud, etc.
• Malicious Applications and Websites: Infected malware programs that attack when entering a website or downloading an application.
• Unsecured Wi-Fi Networks: When using public or unsecured Wi-Fi networks, there is an increased risk that outgoing or incoming traffic to the mobile device could be intercepted, compromising its information.

8 key aspects to consider...

Companies must implement all necessary measures to identify attacks early and generate appropriate responses to limit their impact. Below are eight key aspects to consider for preventing and/or neutralizing the security risks of mobile devices:

• Application and Endpoint Security: Mobile Application Management (MAM) and Mobile Device Management (MDM) systems allow auditing and managing the software used by mobile devices, applying the criteria required by the company. Cloud Access Security Broker (CASB) solutions protect the security of cloud applications, linking with corporate installations and networks, applying security regulations, and managing the use of cloud resources.
• Access Controls by User and Device: Identity and Access Management (IAM) systems regulate user privileges over their information, determining whether they can add, modify, delete, or copy data from the mobile device.
• Advanced Security Elements: Antivirus, Virtual Private Networks (VPN), gateways, firewalls, Intrusion Prevention Systems (IPS), etc., help reinforce device security. Gateways, for example, establish secure network connections between two devices or between a device and the Internet, ensuring that the connection complies with the company's cybersecurity policies, regardless of location or device type.
• Email Security: Maintaining a rigorous security policy for corporate email is crucial, including activating advanced protection capabilities that detect and resolve threats and protect confidential information through encryption, thus preventing data loss.
• Mobile App Permission Management: Permissions granted to mobile apps determine their level of functionality. However, granting permissions to an app with vulnerabilities can give cybercriminals access to confidential data within the device.
• Encrypted Connections: Companies can extend their corporate network to be accessible to users from anywhere using Virtual Private Networks (VPN), which encrypt the connection of devices with any network (including public Wi-Fi). Multi-Factor Authentication (MFA) systems are currently the most effective method to reinforce security.
• Password Management: The organization's policy can and should require employees to regularly change passwords and use robust combinations that at least include letters, symbols, and punctuation. An alternative or additional option to passwords is configuring screen lock with the user's fingerprint or facial recognition, ensuring that only the user can access the device's content.

These actions already represent a significant advancement in protecting both personal and company devices against cyberattacks and malware. However, they should also be complemented with a comprehensive IT architecture that centrally controls the various security solutions.

... and 5 tips for a proper Mobile Security strategy

Secure mobile device management can make a difference in determining the risks an organization assumes. Here are 5 tips to successfully consolidate an efficient yet secure corporate network.

1. Establish a Clear and Comprehensive Mobile Security Policy: Set clear guidelines for the use of mobile devices. Security policies should include mandatory configurations, usage guidelines, measures against data leaks and theft, and coordination of monitoring and remote control systems for devices.
2. Regularly Update the Operating System and Mobile Applications: Mobile operating systems and applications are constantly reviewed by their creators to address security vulnerabilities and optimize performance. Using outdated versions exposes the organization to cyberattacks that could jeopardize business operations.
3. Regular Backup and Remote Data Wiping: Configure all mobile devices to perform backups that can be stored on-site or in the cloud. Ideally, set up remote data wiping to delete any data from the device even if direct access is unavailable.
4. Avoid Installing Programs Directly on Devices: Malware affects hundreds of thousands of mobile devices daily, with one of the main vectors being the installation of applications. It's ideal to migrate applications to a web environment (or the cloud) to eliminate the need for installing and reinstalling software on the devices.
5. Provide Cybersecurity Training to Employees: When using company-owned devices, invest time and resources in cybersecurity awareness. This includes avoiding clicking on suspicious links, not downloading content from unreliable sources, using complex passwords, performing backups, using antivirus software, and more. Training should extend to all levels of the organization, including specialized training for mobile cybersecurity experts.

In conclusion

As we can see, managing the security of mobile devices for use on corporate networks requires serious consideration by organizations and poses a titanic challenge for IT departments. It is necessary to be aware of this and implement measures to reduce risks.

In summary, we must be aware that having mobile devices with access to data requires extra security. This security will enable us to turn to solutions that should be almost mandatory, easy to implement, and ensure adequate security for both the network and each of its components.