Mobile devices are increasingly attractive to hackers, and BYOD policies make for a target-rich environment
Amazon boss Jeff Bezos had the security world abuzz this week with accusations that the Saudi government hacked his mobile phone, stole private images and texts, then leaked them to US supermarket tabloid The National Enquirer.
Bezos’ personal security advisor claimed that the breach was in retaliation for aggressive coverage of the Jamal Khashoggi assassination by the Washington Post, which Bezos owns.
Did they? Didn’t they? At this point it’s only an accusation – and a few security analysts have questioned its veracity. What’s undeniable is that they, or some other party, could have done. Smart phones and tablets are increasingly hackable and increasingly targeted by bad actors. For businesses, the Bezos affair turns the spotlight on mobile devices and vulnerabilities.
Because if the world’s richest man can have his phone hacked, so can you.
Moving targets and BYOD
The world has rapidly gone mobile and many businesses have adopted a Bring Your Own Device (BYOD) policy where employees have permission to use personal devices in the workplace. There are significant benefits to be had from adopting BYOD in terms of efficiency, productivity, collaboration, communications and workflow, but there is a cyber downside as well.
As mobile working and BYOD policies grow in popularity, so do cyber attacks. In a recent survey of mid-sized UK businesses, more than 60 per cent reported having a security incident since introducing a BYOD policy. Not surprisingly, the risk of a breach seems to grow with the number of people employed by a firm. Fourteen per cent of businesses with 1 to 10 employees reported a cyber security incident after adopting BYOD, rising rapidly to 70 per cent for businesses of 10 to 50 people, and 94 per cent for organisations with 100 to 250 employees.
People in the public eye like Bezos can take extra steps to avoid having their smart phones hacked – paying for additional encryption, using disposable ‘burner’ phones when travelling, or regularly replacing devices in order to reduce the risk that they’ve been compromised – but ultimately the security protections available for smart phones are pretty much the same for everyone.
Access to Bezos’s phone could have been gained via a phishing message, for example, with links to a new form of malware capable of getting around the phone’s defences. There are a growing number of effective anti-virus tools for mobile devices but even they won’t catch every exploit attempt. The latest mobile malware can even hide its signature behaviours inside the normal workings of a phone’s operating system.
How do I know if my phone’s been hacked?
So while you may not be able to catch every iPhone breach, most mobile device hacks exhibit tell-tale signs that a trained user can pick up on quickly. For example:
- If you hear background noises during phone calls or whilst listening to music or video, it could be a sign of malware infection. A hacker could be monitoring conversations, listening for certain keywords that indicate financial information or clues to personal logins.
- An unexplained surge in data usage could also indicate infection. The average amount of data people use each month tends to be pretty consistent. If you notice that data usage has spiked or you’ve started exceeding your data allowance it could indicate that the phone has been compromised by malware. Your phone may be leaking data to another device or zombified as part of a botnet.
- Bluetooth switching on by itself. In 2017 researchers discovered a new mobile malware called BlueBorne which infects smartphones using active Bluetooth connections. More than 5 billion devices were compromised, enabling attackers to access corporate data and networks.
Steps you can take
Know your phone or tablet’s operating system and keep it up to date
The majority of OS updates have a security patch or fix relevant to the latest threats. When prompted by the phone manufacturer to install a new update, click yes or schedule the install as quickly as possible. Be aware that while Apple phones with the iOS operating system are not immune to infection, open-source Android phones remain the hacker’s favourite.
It’s best to have multiple passwords for multiple devices, or use a password manager like Dashlane that encrypts passwords and adds a further level of protection with a master password that keeps your data safe, even if Dashlane gets hacked.
Don’t click on random links
Emails, texts and instant messages from senders you don’t know could be a phishing scam.
Look out for fake apps
Mobile app stores are full of apps that act as a delivery mechanism for spyware or virus infection. If an app regularly pushes out unexpected and intrusive pop-ups or asks for personal information, your safest bet is to delete it.
Desktop or mobile, the biggest risk factors in cyber security are human. Staff need to be empowered with an awareness of the risks that come with mobile working, and switched on to the signs of infection or breach. Where a BYOD policy is in place, it should be well understood that when mobile devices are used away from the office – particularly on public wifi connections – the threat of infection tends to increase.