Do you work from home? If you do, you’re part of the increasing numbers of employees worldwide that work remotely or in a hybrid environment.
Today, the hybrid workplace is more common than not, with over half of employees stating they prefer remote or hybrid work environments, and 52% of security decision makers believing that in the future, most of the workforce will be permanently remote or hybrid.
Despite the promise of a better work/life balance, reduced operational overhead, higher productivity and many other benefits, security procedures, systems and controls in hybrid work environments are more complex, due to the sheer volume of devices connecting to corporate networks. These devices – smartphones, personal computers, tablets and more – exist outside the protected perimeter of the enterprise, which has led to a sharp increase in the number of data breaches and other security events.
Let’s examine some of the reasons why increased worker mobility is putting today’s enterprise at higher risk of cybercrime – and what can be done to improve mobile security.
With Mobility Comes Risk
As workers access corporate networks using privately-owned laptops and mobile devices instead of company-issued laptops – often using cloud-based apps and solutions downloaded from app stores to connect these devices from their home networks – the attack surface expands. Cybercriminals are having a field day, phishing for credentials and hacking into accounts, or launching botnet attacks. Mobile apps, in particular, are easy targets for bad actors – Verizon’s Mobile Security Index (MSI) reported a 22% increase in major cyberattacks involving IoT and mobile devices this year, and Proofpoint found a 500% increase in malware attacks on smartphones.
Microsoft products are likely targets, too, given that the vast majority of global workers use them. For example, in July this year, Microsoft issued a warning to users about a massive phishing campaign targeting over 10,000 companies since September 2021. Using stolen credentials and session cookies, criminals hacked into the authentication process of Office 365, bypassing multi-factor authentication. Stolen Microsoft Office 365 credentials can lead to a great deal of sensitive data being used to launch future attacks.
Phishing campaigns of this magnitude are increasingly common – since the onset of the pandemic, they’ve increased 55% – and since most people use their phones to check email, that’s where the “phishermen” are successful. Additionally, “risk ware” – free mobile apps downloaded from official app stores that collect and send user data to remote servers – can result in leaked data, either personal or corporate, giving cybercriminals more ways to infiltrate a network. Mobile malware programs may use distribution code that’s native to popular mobile OSes and move data across the network without looking suspicious.
There are other ways mobile devices pose security risks. Many people leverage wireless hotspots, which are typically unsecured, to sign on to corporate networks, from coffee shops or outdoor locations. Hackers may set up fake access points that look like Wi-Fi networks in public locations to trick users into connecting. As a result of these tactics, 45% of companies surveyed by Verizon said they’d suffered an attack involving a mobile device in the past 12 months.
3 Strategies For Mobile Cybersecurity
According to the Harvard Business Review, mobile security is often not a top priority for corporate IT teams, despite mobile devices being a preferred target for hackers. To reduce risk and help protect an organization as it becomes more remote, distributed and mobile, BDO recommends that companies consider the key strategies below in their risk mitigation efforts.
1. Implement Defense-in-Depth.
While Microsoft provides a number of built-in security features, a defense-in-depth approach that layers on additional security measures to mitigate threats that circumvent them is essential. If one line of defense is compromised, additional layers act as backup defenses. The three key layers of a defense-in-depth strategy include:
- The physical layer – limiting or preventing access to IT systems via physical controls such as locked doors, fences, security guards and the like.
- The technical layer – placing technical controls on hardware and software such as disk encryption, file integrity software and authentication.
- The administrative layer – implementing policies and procedures around hiring practices, data handling, and privacy and access control.
2. Adopt Zero Trust.
Zero Trust operates on the principle, “Trust no one, always verify.” This security model examines a user’s role and location, the device they’re using and the information they’re requesting, and assumes the user is guilty until proven innocent. Every user, machine and application is continuously verified and controlled, gaining “just enough” and “just-in-time” access to corporate resources. Three key technologies that comprise a Zero Trust architecture include least privileged access, multifactor authentication and network segmentation.
3. Implement advanced protection for Microsoft products.
Microsoft Enterprise Mobility Suite (EMS) can be combined with Microsoft Intune and Microsoft System Center to provide secure mobile app configuration and the ability to manage devices from the cloud with the following capabilities:
- Hybrid Identity, to enable self-service experiences and single sign-on while protecting sensitive company information with multi-factor authentication and conditional access controls. This helps ensure compliance with governance and reporting features, and enables employees to create a centralized identity across on-premises and cloud applications, which can be federated to maintain centralized authentication.
- Mobile Device Management to provide secure access to company resources consistently across devices, via device registration and enrollment. The solution enables teams to manage on-premises and cloud-based devices from a single console, as well as settings across platforms, and leverage advanced protection in case of stolen or compromised devices.
- Data Protection to protect business data across cloud, on-premises environments and applications, with the ability to assign rules based on Active Directory users and groups.
With all of these moving parts, enterprise mobile cybersecurity requires extensive experience with implementing effective security solutions. Consulting with a third-party security professional may be a good place to start. BDO in Ukraine can help to ensure your growing hybrid workplace is protected as the number of mobile devices that access your corporate resources continues to expand. Our professional consultants can assess your current cybersecurity posture and help you determine the appropriate strategies and tools to implement to improve protection.
Source: BDO USA