- Phishing and smishing—Phishing and smishing scams are the number one security threat to mobile devices, according to IBM. While phishing uses emails and smishing uses text, both strategies involve sending messages that contain malicious links to infect devices with malware or trick victims into sharing account details or business information. Social engineering is often used in phishing and smishing scams by weaponizing key attributes of a victim, such as where they work, their job status and their recent posts, to gain trust and get important information out of them.
- Malicious apps—Official app stores like Apple App Store and Google Play have many checks and balances in place to prevent malicious code, but malicious apps may still get through these processes. Once a malicious app is installed, hackers can steal or lock data stored in the mobile device or spread more malware.
- Insecure Wi-Fi and network spoofing—When an employee uses a compromised or public Wi-Fi network, their device instantly becomes vulnerable to cyberattacks. Cybercriminals can conduct man-in-the-middle attacks—when communication between two systems is intercepted by a third party—while remaining undetected by the user through insecure Wi-Fi and network spoofing. Insecure Wi-Fi, such as open or free Wi-Fi hotspots, can allow cybercriminals to intercept device network traffic. Network spoofing entails a hacker impersonating a network’s name to trick users into signing in, allowing them to access user data.
- Outdated operating systems (OSs) and apps—Older OSs and apps may contain vulnerabilities that can be exploited by cybercriminals. While software patches and updates are often released by developers to address security vulnerabilities, any delay or avoidance in updating an OS or app could put data stored on the mobile device at risk.
- Train employees. Employees are the first line of defense for protecting mobile devices against malware. Therefore, cybersecurity awareness training can help employees combat scams by teaching them to identify telltale signs of phishing, smishing and malicious apps, avoid public and insecure Wi-Fi networks, and keep their devices’ software up to date.
- Install a virtual private network (VPN). A VPN connection disguises online data traffic and protects it from external access. Unencrypted data can be viewed by anyone who has network access, but a VPN restricts cybercriminals from deciphering data.
- Activate multifactor authentication (MFA). MFA can prevent account compromises by requiring users to provide multiple security credentials to access a device or account. Examples of MFA include entering a code sent to a user’s email, answering a security question or scanning a fingerprint.
- Install zero-trust-enabled applications. A zero-trust security model evaluates access requests based on predefined controls. Legitimate access requests are permitted, and unauthorized requests are blocked and logged. With this strategy, installing zero-trust-enabled applications can reduce cybersecurity risks by restricting access to applications that aren’t permitted.
- Turn on user authentication. User authentication on mobile devices verifies a user’s identity through one or more authentication methods, such as passwords or VPNs, to ensure secure access.
- Develop bring-your-own-device (BYOD) policies. A company should develop and implement BYOD policies when allowing or requiring employees to use their personal devices for work-related activities. BYOD policies should address which devices and apps are permitted and outline security requirements.
- Create device update policies. Cybercriminals can infiltrate mobile devices through unpatched software. Therefore, a company device update policy should require employees to update their devices and apps as soon as a patch becomes available.
- Back up mobile data regularly. Regularly backing up data can help companies recover in the event a mobile device is lost, stolen or otherwise compromised. Backups can protect against human errors, hardware failure, virus attacks, power failure and natural disasters.
- Implement a password policy. A strong corporate password policy can ensure that systems and data are as secure as possible. Some best practices include encouraging employees to use unique, complex or long passwords; enabling MFA; and using password management systems.