Common Mobile Device Security Mistakes Increase Costs and Risks

Many employees primarily use mobile devices for work. Cybercriminals are well aware of this fact, and mobile devices are increasingly targeted with malware, phishing and other threats.

Researchers at Zimperium say that sophisticated attacks against mobile devices are on the rise. According to the firm’s Global Mobile Threat Report, 80 percent of phishing attacks target mobile devices or both mobile devices and desktops. The researchers also identified more than 920,000 unique mobile malware samples, a 51 percent year-over-year increase. Malware was detected on 5 percent of mobile devices.

Mobile devices have greatly enlarged the attack surface. Organizations must prioritize security measures that reduce the risk that hackers will leverage mobile device vulnerabilities to infiltrate the rest of the network. However, many organizations make common mistakes with regard to mobile device security that increase costs and risk.

VPNs Aren’t Needed

Many organizations believe they need a virtual private network (VPN) to enable secure access to internal applications. VPNs create a “tunnel” through the public Internet in which all data sent between the device and the server is encrypted. This is a poor approach for several reasons.

First, VPNs add a layer of complexity that users often work around. A recent ThreatX survey found that just 12 percent of employees use a VPN when accessing company data remotely. Second, a VPN tunnel is a poor architecture based on a legacy design. When you use a VPN, you treat mobile devices like laptops from 20 years ago. Third, a VPN is another tool that has to be implemented, managed and kept up to date.

Finally, there’s no benefit to drilling a VPN tunnel because there’s a more secure alternative. The DeSeMa team can publish the connection for the application itself using IPsec, a very old protocol that’s been proven for decades to be almost impenetrable. IPsec encapsulation allows us to granularly select and secure the application that communicates back to your data center.

Maintaining Control

Many BYOD policies create risk by giving users too much control over applications and data. Organizations lack an effective way to keep corporate and personal data separate.

DeSeMa can containerize the application within the device itself by enabling the work profile settings inside Office. The user can still use Office for personal emails. But the minute the user connects to work email, the information is kept in a bottle.

The data the application stores locally is automatically encrypted and not allowed to exit the application’s memory space. This is critically important if the device is lost or stolen, the user leaves the organization, or some other event occurs such that the device is no longer under your control.

Protecting Corporate Data

For example, the user cannot download a file inside Outlook, transfer it to the device’s local storage, then upload it to Facebook to take it out of your organization. The file will remain under your control. If you need to remote wipe the application, you automatically destroy all the corporate-owned data on the device without destroying the user’s personal data.

This doesn’t just apply to Office. We can create work profiles for any marketplace or custom application that’s loaded on the device. We can also require that a specific browser version with specific plugins be installed on the work profile.

In our next post, we’ll discuss other cost-effective techniques we use to secure mobile devices and ensure compliance.
