Digital transformation has pushed BYOD from being a privilege extended to employees to being a critical component of today’s business infrastructure strategy. According to one report (PDF), 87% of companies now actually rely on their employees using personal devices to access business apps.
However, during the third quarter of 2018, over a quarter of organizations also experienced some sort of malware attack originating from those mobile devices, with Android operating systems being the primary attack vector. In fact, Android-based threats now comprise 14% of all cyberthreats that organizations have to contend with. This shouldn’t come as too much of a surprise, since over 80% of smartphones, tablets, and other mobile devices now run some version of Android OS.
What may be more surprising is just how prevalent Android-based malware really is. Over three million new Android malware samples were discovered last year, and just one of those malware apps managed to infect over 500,000 other Android devices. And those infections aren’t restricted to mobile devices. As more and more business is conducted on the same devices that users rely on for their personal use, malware can be picked up anywhere and dragged into the corporate setting without any warning. And any malware that can eavesdrop on conversations, intercept data, and spread malware will have a direct impact on an organization.
This problem is about to get worse as we enter the holiday shopping season. And that means that your employees will be using their mobile devices more than ever for online activities, from shopping and entertaining to socializing and planning.
Unfortunately, the holidays are a big event for cybercriminals. Over the next few weeks the number of compromised web sites, charity scams, email phishing campaigns, malicious web access points, and even fake shopping sites will all explode. And all of them have been designed to steal data, including personal and financial information, as well as spread malware.
Protecting your organization from threats unknowingly brought in by employees requires a two-pronged approach. The first is to carefully harden your network from the fresh deluge of mobile device-related threats, and the second is to educate your employees on safe holiday shopping strategies.
Preparing your network
There are three basic security components that every organization with an open BYOD strategy needs to be familiar with.
Secure mobile devices: Where possible, you should establish a process for securing endpoint devices. First, if a user wants to attach their device to your network, there needs to be some minimum level of security they should have to meet. That should include installing some security app or client that can contribute to your overall security framework. Then baseline normal mobile device traffic so you can actively monitor and trigger alerts for any traffic anomalies.
Secure the network: Access points need to perform real-time threat analysis, including sandboxing, to detect malicious activity or software. That should be supported with a Network Access Control solution that can 1) identify and inventory devices, 2) assign them to an internal network segment based on device profiles and policy, and 3) respond to threats by quarantining infected devices.
Tie everything together: Endpoint security needs to be actively tied to your larger security architecture, including your NGFW devices, to ensure consistent policy orchestration and enforcement.
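The baseline-and-alert step and the three NAC functions described above, sketched as one small policy engine. This is an added example, not code from the original article or from any vendor product. The device fields, segment names, thresholds and the choice to treat a traffic anomaly as the quarantine trigger are all assumptions.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev

@dataclass
class Device:
    mac: str
    owner: str                  # "corporate" or "personal"
    agent_installed: bool       # security client required before admission
    baseline: list = field(default_factory=list)  # bytes per interval seen so far
    quarantined: bool = False

class Nac:
    def __init__(self, min_samples=5, sigma=3.0):
        self.inventory = {}     # mac -> Device (step 1: identify and inventory)
        self.min_samples, self.sigma = min_samples, sigma

    def segment(self, dev):
        # Step 3 outranks profile: a quarantined device stays isolated.
        if dev.quarantined:
            return "quarantine"
        if not dev.agent_installed:
            return "guest"      # below minimum posture: internet only
        return "corporate" if dev.owner == "corporate" else "byod"

    def admit(self, dev):
        self.inventory[dev.mac] = dev
        return self.segment(dev)            # step 2: place by profile and policy

    def observe(self, mac, nbytes):
        """Record one traffic interval; quarantine on a large deviation."""
        dev = self.inventory[mac]
        if len(dev.baseline) >= self.min_samples:
            mu, sd = mean(dev.baseline), pstdev(dev.baseline)
            # Floor the spread at 10% of the mean so a flat baseline
            # does not turn every small change into an alert.
            if nbytes > mu + self.sigma * max(sd, 0.1 * mu):
                dev.quarantined = True      # anomaly: do not fold into baseline
                return self.segment(dev)
        dev.baseline.append(nbytes)
        return self.segment(dev)

def demo():
    nac = Nac()
    phone = Device("aa:bb:cc:00:00:01", "personal", True)    # constructed sample
    tablet = Device("aa:bb:cc:00:00:02", "personal", False)  # constructed sample
    out = [nac.admit(phone), nac.admit(tablet)]
    for nbytes in (1200, 1100, 1300, 1250, 1150, 1220):      # normal intervals
        out.append(nac.observe(phone.mac, nbytes))
    out.append(nac.observe(phone.mac, 90_000))               # sudden spike
    return out
```
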
Help your users
Any effective security strategy needs to include a mechanism for training and counseling employees on safe device and Internet usage. Here are a few messages especially relevant for the holidays.
Use caution when connecting to public Wi-Fi: Public Wi-Fi sites are a haven for criminals looking to intercept a connection and use it to steal passwords, banking or credit card information, and other personal data. Remind users that using a “Free Wi-Fi” access point may be connecting them to the Internet through a malicious device that can see and capture all the traffic moving between them and their online shopping site, bank, or social media accounts.
Only download legitimate apps from legitimate sites: Most mobile device infections are the result of downloading infected applications. Many of these apps hide on a device and monitor web and application traffic. During the holidays, when more online shopping occurs than any other time of the year, the chance that a compromised app can intercept financial or other personal information is especially high. Remind your employees to only download apps from legitimate application sites and never allow installations from “unknown sources.”
Think twice before shopping at an unfamiliar site: Remind your employees that unusually low prices and high availability of hard-to-find items are red flags for scams. However, if they are going to shop at an unfamiliar online store, they should follow these four basic strategies to protect themselves, and by extension, your organization:
• Look before you click: Before you click on a link, hover your mouse over it. This should reveal the URL it would take you to. Look at it carefully. Is the name too long or does it contain lots of hyphens or numbers? Does it replace letters with numbers, such as amaz0n.com? If so, don’t click on it.
• Verify: Start by entering the name of the site into a search engine to see if anyone has complained about it. Next, never click on a link from an unknown source. Instead, go directly to the site by typing its primary address into your browser. From there, any legitimate retailer will provide you with access to any authentic deals advertised online.
• Pay attention: Once you connect to an online shopping site, take a minute to look at it. Does it look professional? Are the links accurate and fast? Are there lots of popups? These are all bad signs. Likewise, bad grammar, unclear descriptions, and misspelled words are other giveaways that the site is probably not legitimate.
• Keep your distance: Never use your debit card. If you decide to make a purchase, use a major credit card as most have built-in fraud protection. And as a bonus, they are not directly connected to your checking or savings account.
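The "look before you click" checks can also be automated, for example in a mail gateway or a training tool. The following is an added example, not part of the original article; the brand list, the digit-for-letter table and the thresholds are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Assumed list of brand names worth protecting (constructed for the example).
KNOWN_BRANDS = {"amazon", "paypal", "walmart"}
# Common digit-for-letter swaps, as in the article's amaz0n.com example.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

def url_red_flags(url, max_len=30, max_hyphens=2, max_digits=3):
    """Return the warnings a careful reader would raise for a link target."""
    if "//" not in url:
        url = "//" + url            # let urlsplit see a bare "amaz0n.com/x"
    host = (urlsplit(url).hostname or "").lower()
    if not host:
        return ["no hostname"]
    flags = []
    if len(host) > max_len:
        flags.append("long hostname")
    if host.count("-") > max_hyphens:
        flags.append("many hyphens")
    if sum(c.isdigit() for c in host) > max_digits:
        flags.append("many digits")
    for label in host.split("."):
        if label in KNOWN_BRANDS:
            continue                # the genuine spelling is not a lookalike
        decoded = label.translate(LEET)
        if decoded != label and decoded in KNOWN_BRANDS:
            flags.append(f"digit substitution for '{decoded}'")
    return flags

if __name__ == "__main__":
    # Constructed sample links.
    for link in ("https://www.amazon.com/deals",
                 "http://amaz0n.com/gift",
                 "http://best-deals-4-you-cheap-electronics-2018.example/"):
        print(link, "->", url_red_flags(link) or "no flags")
```

An empty result only means none of these four heuristics fired; lookalikes built from non-ASCII characters or extra subdomains are not covered here.
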
Securing the mobile devices connecting to your network is an increasingly crucial component of your overall security strategy. It is essential to remember that any device connecting to your network is, by definition, part of your network. Putting the right tools and technologies in place that extend visibility and control out to those devices, and educating users on effective security strategies that not only benefit the organization, but that also protect their personal data and resources, are critical steps in defending your network from the growing threat from mobile devices.
This byline originally appeared in Security Week.