Many small business IT managers assume that their security isn’t critical because they’re too small to be noticed. Unfortunately, hackers don’t just stick to the Fortune 500 list when deciding who to target. Automated hacking tools cast a wide net. You may be an accidental bycatch, but at the end of the day, you’re still a target.
Mobile devices like smartphones and tablets create additional security risks. They’ve become a crucial part of work, especially for hybrid or remote operations — but having all that power in the palm of your hand presents a unique set of security threats. IT managers at small to medium-sized businesses (SMBs) don’t have all day to worry about smartphone security, so I’ve identified the three biggest mobile security threats and will suggest ways to help block them:
1. Malicious apps
Smartphones have turned everyone into their own app curator and system administrator, and everywhere you turn there’s a new app begging to be installed. Unfortunately, there’s also a lot of malware and spyware out there, and the more apps your users install, the more likely you are to have a security breach.
The starting defense for this is the app store, and IT managers should make sure that all smartphones are only using a single trusted app store — the one provided by the OS vendor. Hardware vendors such as Samsung also have their own trusted app store for updating their customized apps and tools, so Android phones typically trust two app stores.
In recent versions of Android, app store trust is controlled in the Settings > Apps menu, and the default is that the phone will not trust “unknown” apps — those from untrusted app stores. Make sure users know they should never stray from official app stores or sideload apps, at least for devices that are used for business. If you’re using a mobile device management (MDM) solution — and this is a big plus for security — use it to lock this app setting so that users can’t override it. Using an MDM also lets you set up a blocklist of apps that can never be installed, which can be useful if you discover that your users are being targeted, such as by a phishing attack.
The second defense against malicious apps is to be sure that your smartphones are always patched with the latest OS and security updates. Malware developers are locked into a cycle with OS vendors: The bad guys discover a bug and exploit it, and then the good guys patch the bug, leading the bad guys to search for a new undiscovered bug. When you’re up-to-date with security patches, you reduce the chance that any malware that makes it onto your smartphone will be a security problem. Unfortunately, smartphone users may choose to delay software and security updates, so it’s your job to make sure that everyone knows how important these updates are. If you have an MDM, this is another setting to lock in for all users.
At the same time, make sure that users aren’t using outdated software to connect to your network. Most Android vendors, for example, only provide security and OS patches for about three years, so any Android phone older than that may be locked into previous (less secure) versions of the OS. But it’s not the age of the device that’s important; it’s the ability to run secure, up-to-date versions of the OS.
IT managers who have selected Samsung phones for their users can learn more about how Samsung goes further in delivering defense-in-depth against malware in my recent post on the Samsung Insights blog.
2. Device loss or theft
Smartphones are easy to lose. They’re also valuable, which make them targets for theft. You can’t do anything about that, but you can make sure that a lost or stolen device can’t be exploited to grant access to your network.
To ensure that a lost or stolen device stays locked and encrypted, you can use tools like long passwords, biometric authentication and device lock with a short timeout. (All modern smartphone operating systems encrypt data in local storage so that it can’t be accessed without unlocking the device.) Make sure that devices have long unlock PINs (at least 6 to 8 digits) to reduce the chance of someone shoulder-surfing the code. Since most modern smartphones support biometric unlock via fingerprint, retina scan or facial ID, setting a long PIN on a smartphone won’t inconvenience users; biometrics are now used far more than passwords and PINs.
Of course, all these settings are easier to control if you have an MDM set up to push a secure policy to all smartphones in your user community. (Are you noticing a theme? Here it is: Use an MDM for all your mobile devices.)
Another layer of protection, not just applicable to mobile devices, is to make sure that all of your business apps require two-factor authentication (2FA), also called multifactor authentication (MFA). If you’re using software as a service (SaaS) providers such as Microsoft 365 or Google Workspace (formerly known as G Suite), 2FA/MFA capabilities are built in. With a string of high-profile data breaches hitting news headlines every month, 2FA/MFA is simple insurance that phishing or password reuse won’t fast-track a hacker.
Some smartphone manufacturers, like Samsung, have gone even further to make a lost or stolen device useless in the hands of even sophisticated hackers. In this article for example, we discuss how Knox Vault protects the data that matters most.
3. Insecure networks
People use mobile devices everywhere and anywhere, including outside of the controlled environment of their home and office. Both Wi-Fi and cellular data networks are insecure — their traffic can be easily monitored and modified — which means you shouldn’t be trusting either.
There are different ways to deal with this security risk. The most conservative is to use a virtual private network (VPN) for all traffic, including non-business traffic, and tunnel it back to a known secure location before allowing it onto the general internet. That means that all traffic between the device and the rest of the world is stuffed into an authenticated and encrypted tunnel, so no one can view or modify it along its path. You can run a VPN in your own data server or in the cloud — or you can use a commercial VPN service as a means of hiding and securing your traffic.
Mobile device management for beginners
White Paper
Get started with MDM so your organization can spend less and do more — securely and efficiently. Download Now
While tunneling all your traffic is the safest approach, it does have a drawback: It’s inefficient and can slow things down. Some IT managers have made the judgment call that North America’s cellular networks are “safe enough” and only tunnel Wi-Fi traffic through a VPN. It’s a lower level of security, but it’s also true that the kind of attacker who is breaking into cellular networks and compromising them will most likely target specific high-value organizations. You’ll have to make your own decision based on your company’s risk tolerance.
No matter what you do, though, you should make sure all of your business apps are moving to a Zero Trust model, which assumes that the network between the user and the app is insecure or even compromised.
Samsung Knox gives smartphones and tablets additional VPN flexibility and configuration capabilities. For further guidance, read my recent post on how to build and control a mobile VPN based on Samsung Knox VPN-specific features.
Just how secure is your business data? Take this free short assessment to evaluate your current mobile security strategy. And learn more about how Samsung’s defense-grade Knox security powers the most secure phones on the market.
