When was the last time you used your smartphone to actually talk to someone, that is, to make a phone call? Chances are, not recently.
Research from a variety of sources says voice calls are made far less often on smartphones than texting, sending and receiving e-mail, and in-app messaging. What’s more, employees are bringing their personal devices to work, either at the encouragement of their employers to BYOD (bring your own device), or in addition to a work-issued smartphone. And they’re using them FOR work, accessing cloud-based corporate apps and more.
However, greater workforce mobility and increased access to corporate networks via smartphones also raise the risk of enterprise-wide exposure to cybersecurity threats, including those that originate within the supply chain. In a recent article in MHI Solutions’ Q1 2019 issue, “Smartphones and the New Cybersecurity Threat They Pose,” six different experts share insights into both the risks and the measures that can be taken to minimize them.
Chris Morales, head of security analytics at Vectra, a San Jose, Calif.-based provider of automated threat management solutions, says the biggest risk posed by mobile devices to a corporate network is malicious apps gaining access to enterprise information.
“The easiest way to compromise a mobile device is for a user to install a malicious app hiding in app stores,” he explains. “Malicious apps pose as apps serving a legitimate function, like a calculator or the latest release of a popular mobile game, but leverage the app permissions to gain access to information and resources on the mobile device that they should not have access to.”
Two other areas of potential risk are connecting to unsecured public Wi-Fi and plugging into a compromised public USB port for charging, which can deliver malware along with power. Says Joseph Carson, chief security scientist at Thycotic, a Washington, D.C.-based provider of privileged account management (PAM) solutions: “Some malware could remain hidden, infecting the customers of these device users. Other malware could steal intellectual property, thereby allowing other companies to gain a competitive edge. In the worst case, it could poison the data with ransomware bringing the entire supply chain to a complete halt.”
The increasingly interconnected world of the Industrial Internet of Things (IIoT) gives cyber attackers multiple entry points to access, cautions Uri Kreisman, chief operating officer of Bluechip Systems, a provider of mobile and Internet of Things (IoT) cybersecurity solutions headquartered in Santa Clara, Calif.
“If a phone has an enterprise app that controls machinery remotely, and ten separate managers who are authorized to approve certain process changes all have this app on their phones, then if one device is compromised and the app hacked into, someone can take over and change the machinery’s operation,” he notes.
And don’t assume suppliers within your supply chain are following smartphone cybersecurity protocols either, adds Mukul Kumar, chief information security officer and vice president of cyber practice at Cavirin, a Santa Clara, Calif.-based provider of cybersecurity risk posture and compliance for the enterprise hybrid cloud.
“As with any device under control of a supply chain vendor, the lead company may have implemented best-in-class processes and technology, but their vendors may have not,” he warns. “Though a larger organization may have controls on their employees’ smartphones precluding downloads from untrusted sources, a smaller organization may not.”
The experts recommend a range of mitigation strategies as a means to protect smartphones against cybersecurity breaches—and they don’t include expecting your IT department to handle it. There are just too many BYOD devices, brands, operating system versions, and so on to be manageable, says Kreisman.
“For that reason, I think BYOD is on the way out for the majority of employees. Perhaps IT will still manage personal phones for top executives—initially fortifying the device and monitoring it routinely to ensure it is clean and secure—but more than that becomes too challenging,” he explains.
So, what’s a company to do? Here are a few ways to reduce the risks, as recommended by the experts:
- Morales recommends monitoring network traffic between devices to identify malicious activity or unauthorized access to critical infrastructure and important resources by unapproved devices.
- Limit use cases to least privileged access, says Frank Dickson, research vice president for worldwide security products at Framingham, Mass.-headquartered IDC, a market intelligence firm. He notes: “It’s critical to examine the use case for employees’ mobile devices and implement what’s called ‘least privileged access’ permissions. That means being sure that the applications and data a given user has access to are something they need in order to do their job effectively. The flip side is making sure that if a user does not need access to certain data, they don’t have it.”
- Isolate mobile devices to minimize the potential overlap between employees’ smartphones and the production systems used within the supply chain, advises Carson.
- Avoid the need to power up via public USB connection by supplying employees with portable chargers, says Seattle-based digital consultant Stephen Pao of Hillwork. “When it comes to connecting to the Internet via public-access Wi-Fi hotspots, it’s a good policy to forbid employees to do it or to require them to use virtual private network (VPN) service that utilizes encryption to provide secure connectivity through a public network,” he adds.
- Require separate phones for personal and work use, or issue one phone that can work in two different modes, recommends Kreisman.
- Conduct routine health checks on all devices, Dickson says. This verifies that installed apps are legitimate and that the device’s operating system has not been modified (for example, by rooting or jailbreaking) in a way that makes it more vulnerable to attack by malicious apps, hackers or viruses.
- Define corporate policies for smartphone security, inform employees and vendors about those policies, and audit regularly to verify compliance, says Kumar.
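The first and third recommendations above (Morales on watching traffic for unapproved devices reaching critical resources, and Carson on keeping smartphones away from production systems) amount to one detection rule: a device that is not in the enrolment inventory must never be seen talking to the production segment. The following is an added example written for this page, not code from the article or from any of the vendors quoted in it. The production network range, the approved-device list, and the CSV flow records are all constructed for illustration, and the flow format is a hypothetical export, not a specific product’s log format.

```python
"""Flag network flows from non-enrolled mobile devices to the production segment.

Added example for this page; all inventory values and flow records are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed: the OT/production segment that only approved devices may reach.
CRITICAL_NETWORKS = [ipaddress.ip_network("10.50.0.0/16")]

# Constructed: device identifiers exported from the MDM/NAC enrolment inventory.
# In a real deployment key this on the 802.1X/RADIUS session identity rather than
# the MAC address, since current iOS and Android randomise MACs per Wi-Fi network.
APPROVED_DEVICES = {
    "a4:c3:f0:00:00:01",  # hypothetical corporate phone, manager 1
    "a4:c3:f0:00:00:02",  # hypothetical corporate phone, manager 2
}

# Constructed flow records (CSV): timestamp,src_mac,src_ip,dst_ip,dst_port
SAMPLE_FLOWS = """\
2019-03-04T08:01:12Z,a4:c3:f0:00:00:01,10.20.1.15,10.50.3.7,443
2019-03-04T08:02:40Z,de:ad:be:ef:00:01,10.20.1.77,10.50.3.7,443
2019-03-04T08:03:05Z,de:ad:be:ef:00:01,10.20.1.77,93.184.216.34,443
2019-03-04T08:04:19Z,a4:c3:f0:00:00:02,10.20.1.16,10.50.9.2,8883
2019-03-04T08:05:33Z,de:ad:be:ef:00:02,10.20.1.90,10.50.9.2,8883
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src_mac: str
    src_ip: IPAddress
    dst_ip: IPAddress
    dst_port: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed CSV format; reject malformed lines instead of skipping them."""
    flows = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(fields)}")
        ts, mac, src, dst, port = fields
        flows.append(
            Flow(ts, mac.lower(), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port))
        )
    return flows


def is_critical(ip: IPAddress, networks=CRITICAL_NETWORKS) -> bool:
    """True if the address falls inside any production range (mixed v4/v6 compares as False)."""
    return any(ip in net for net in networks)


def find_violations(flows: Iterable[Flow], approved=APPROVED_DEVICES,
                    networks=CRITICAL_NETWORKS) -> List[Flow]:
    """Flows where a device absent from the enrolment inventory reaches a critical network.

    Traffic from unapproved devices to non-critical destinations is deliberately not
    flagged: a guest phone browsing the Internet is expected, a guest phone on the
    machinery segment is not.
    """
    return [f for f in flows if is_critical(f.dst_ip, networks) and f.src_mac not in approved]


def summarize(violations: Iterable[Flow]) -> Dict[str, List[str]]:
    """Group offending destinations per device so an analyst sees one alert per device."""
    by_device: Dict[str, List[str]] = {}
    for f in violations:
        by_device.setdefault(f.src_mac, []).append(f"{f.dst_ip}:{f.dst_port}")
    return by_device


if __name__ == "__main__":
    for mac, dests in summarize(find_violations(parse_flows(SAMPLE_FLOWS))).items():
        print(f"ALERT unapproved device {mac} reached critical resources: {', '.join(dests)}")
```

Run against the constructed sample, the rule fires twice (the two `de:ad:be:ef` devices on the 10.50.0.0/16 segment) and stays silent for the same unapproved device reaching an Internet address, which is the separation Carson describes: the smartphone segment and the production segment should have no legitimate overlap, so any overlap at all is the signal. The approved list is a stand-in for whatever enrolment or health-check source (Dickson’s routine checks) says a device is clean and managed.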
To read the entire article and learn more about the cybersecurity risks posed by smartphones to your organization, and for greater detail about mitigating those risks, see “Smartphones and the New Cybersecurity Threat They Pose” in the Q1 2019 issue of MHI Solutions.