Digital transformation and the normalization of remote/mobile working have become a reality for many businesses. This shift has brought many benefits to businesses, but it has also introduced unprecedented risks involving employee privacy, personal identity, and privileged access credentials. Especially under the continuous impact of the economic recession and the epidemic, many enterprises have to face the problem of sacrificing security while increasing productivity.
According to the 2022 Mobile Security Index (MSI) report from Verizon, while 85% of enterprises have a dedicated budget for mobile security, more than half (52%) sacrifice mobile and IoT device security to “get work done” . The report also found that cyberattacks involving mobile and IoT devices increased by 22 percent in the last year.
Mobile cyberattacks are deadly because they strike at the intersection of personal identity, privacy, and professional work. Therefore, ongoing employee cybersecurity training is critical today. Additionally, cyber attackers use a variety of tactics to steal the most valuable data from your phone, such as:
**1. False base station attack:** The attacker creates a false base station, lets mobile devices connect to it, and then conducts various attacks, such as man-in-the-middle attacks, intercepting communication data, tampering with data, etc.
**2. SMS fraud:** Attackers pretend to be legitimate organizations, services or individuals, and send fraudulent text messages to users to trick them into providing sensitive personal information, payment account information or clicking malicious links.
**3. Malicious apps:** Attackers release malicious apps in the form of legitimate apps. Once users download and install them, they can perform malicious activities on user devices, such as stealing personal information, monitoring user behavior, and more.
**4. Eavesdropping and stealing data:** Attackers can eavesdrop on mobile network communication data to obtain sensitive user information, such as login credentials and passwords. Additionally, they can steal data stored on the device by planting malicious code or using vulnerabilities.
**5. Phishing remains a growing threat vector:** The Data Breach Investigations Report (DBIR) analyzed 15 years of historical phishing data in its study and found that "83% of businesses experienced a successful Phishing attacks by email, in which users are tricked into performing dangerous activities such as clicking on erroneous links, downloading malware, providing credentials or performing wire transfers. This is a huge increase from 46% in 2020.”
**6. Exploitation of Operating System Vulnerabilities:** Attackers can exploit the vulnerabilities of mobile device operating systems to attack devices through malicious software or malicious webpages, thereby obtaining sensitive information of users or controlling devices.
The above are just some common mobile network attack tactics, given the complexity of mobile networks and evolving threats, the tactics that attackers may use are constantly changing and evolving.
In a zero-trust environment, the security of mobile devices is of paramount importance. Here are some suggestions to improve the security of mobile devices in a zero trust environment:
**1. Multi-Factor Authentication (MFA):** Enable multi-factor authentication on mobile devices, such as fingerprint recognition, facial recognition, PIN code, etc. This increases the security of authentication, ensuring only authorized users can access devices and resources.
**2. Device management and control: **Use a Mobile Device Management (MDM) solution to unify the management of mobile devices within your organization. This includes setting password policies, enabling remote lock and wipe, managing app access, and more to ensure device security and compliance.
**3. Encrypt data:** Encrypt sensitive data stored on mobile devices to prevent data from being accessed by unauthorized persons in case of device loss or theft. Make sure that the data on the hard drive, memory card, and transmission channel of the mobile device is protected by encryption.
**4. Network security: **Use a virtual private network (VPN) on a public Wi-Fi network to encrypt data transmission to prevent man-in-the-middle attacks and data eavesdropping. Avoid sensitive operations such as logging into bank accounts or entering passwords on untrusted networks.
**5. Regular update and maintenance:** Install security updates and patches for devices and applications in a timely manner. Keep your device's operating system, applications, and security software up to date to fix known vulnerabilities and security issues.
At the heart of the Zero Trust philosophy is not to trust any device or user, and by default treat every access as a potential security threat. Therefore, it is crucial to adopt comprehensive and layered security measures, and strengthening security on mobile devices is an important part of implementing a zero trust strategy.
As mobile attacks become more deadly and focus on gaining privileged access credentials, security leaders must face the hard truth that when it comes to mobile security, even if one mobile device is compromised, the entire enterprise infrastructure is compromised. Will be compromised, mobile security only has two options of 100% success or 100% failure.
