Archived Insight | October 4, 2020

Mobile Cybersecurity: How Risky are Your Employees’ Apps?

The apps your employees have on their mobile devices can present malicious actors with an opportunity to breach your cybersecurity.

The average mobile phone has 60 to 90 applications installed, and they might be leaving your data at risk.


Consider the facts on mobile cybersecurity

  • A report from Positive Technologies identified that 38% of iOS applications and 43% of Android applications contain “high risk” vulnerabilities due to poor coding practices. These vulnerabilities could leave your passwords, financial details, personal data and communications open to hackers. These are “good” applications with bad coding.
  • According to the 2019 McAfee Mobile Threat Report there are over 70,000 “fake” applications for mobile phone downloads. These fake applications exist to steal your data or use your phone for other purposes, like bombarding you with ads. These are “bad” applications with good coding to fool you.
  • The most common threats include bad applications asking for access permissions they do not need and tricking users into entering personal information; for example, credit card numbers to purchase new features or turn off ads.
  • Once malware is installed on your phone, hackers do not need physical access to the device because your phone is “always connected.” The malware can simply grab your personal data and send it directly to the hackers.
  • Hackers installed software developed for spy agencies on some Android and iPhone handsets in 2019 by calling the targeted person through WhatsApp (a call and chat application). The software was installed even if the phone call was not answered. WhatsApp has since corrected the vulnerability, but other hackers are assuredly evolving the code for new uses. 

How your employees can protect themselves

While you can’t do anything about the poor coding practices of mobile phone application developers, there are ways to minimize the impact of fake or insecure applications.

  • Only download applications from known sources such as the Google Play store and the iOS Application Store. These stores actively remove known fake or bad applications, but new ones are always popping up.
  • Don’t be tricked into downloading an application from another source. A popular scam right now is to leave a voice message on your phone and then require you to download a special application to hear the message played back. The “special” application is malware intended to steal your data.
  • Understand why an application requests certain access privileges when installing on your phone. For example, a new version of Candy Crush should not need permission to make phone calls. That could be a scam to allow hackers to call “900” numbers and bill you exorbitant fees. If an application asks for unexpected permissions, don’t install it.
  • Check your phone settings for your installed applications occasionally to verify the permissions used by each application. You want to make sure no unexpected permissions have been granted.
  • Encrypt your phone to protect the data on it, and use a password of at least six numbers. This may not encrypt all of the data, but it is a good start. There are also encryption applications available to make the encryption even better.
  • Update your mobile phone operating system and installed applications when new versions become available. These new versions often fix issues found with previous versions.
  • Never open unknown links in text messages.

Usage policies are needed

Your business risk increases as employees access work data through their mobile phones.

Your job is to make sure those employees understand the risk through strong governance policies, specific business practices and awareness training.


This page is for informational purposes only and does not constitute legal, tax or investment advice. You are encouraged to discuss the issues raised here with your legal, tax and other advisors before determining how the issues apply to your specific situations.