- Mobile cybersecurity is a major area of risk for businesses of all sizes, as attacks via mobile devices increased substantially over the past year.
- Mobile cyberattacks refer to any malicious cyber activity that initially targets a mobile device, such as a smartphone or a tablet.
- While phishing attacks are the most common type of mobile cyberattack, mobile devices are also vulnerable to password-based attacks, malware and attacks that take advantage of insecure wireless networks.
- This article is for business owners and IT employees who want to learn about the current mobile cybersecurity landscape and how they can increase their security.
Mobile cybersecurity is a growing area of risk for businesses of all sizes, and most small and midsize businesses (SMBs) are not ready for this change in the threat landscape.
In August, Verizon released its Mobile Security Index 2022 report, which highlights the fairly dire state of mobile security and the severe consequences businesses face when suffering a mobile cyberattack. Verizon found 46% of SMBs suffered a major mobile-related compromise in 2021 that had lasting impacts on the operations of the business. And SMBs are not alone in this threat.
According to the report, 45% of all organizations surveyed suffered a mobile-related compromise, with 73% regarding the impact as major. This represents a significant growth in attack severity; in 2020, fewer than half of the mobile-related compromises were considered major. This growth is likely related to the ongoing shift to hybrid work models, a proliferation of mobile devices and a general increase in cyberattacks.
Fortunately, there are steps businesses of all sizes, including SMBs, can take to increase their mobile security. We’ve put together the following primer to explain what mobile attacks are, the most common attack types to look out for and some best practices for preventing attacks in the first place.
What are mobile cyberattacks?
A mobile cyberattack refers to any kind of cyberattack that affects a mobile device, such as a smartphone or a tablet. Mobile cyberattacks are not necessarily different from any other cyberattack aside from the target of the attack. For instance, phishing attacks can and do target mobile devices as well as laptops and desktop computers. If a user interacts with a phishing email on a mobile device, though, then that would be considered a mobile cyberattack.
What makes mobile cyberattacks distinct and increasingly relevant to security teams, however, is the ubiquity of such devices. As the line blurs between work and non-work hours, mobile devices represent an increasingly popular way for attackers to gain a foothold for further attacks against businesses and employees. Additionally, cyberattacks on remote workers who do their jobs from home networks or over public Wi-Fi networks have increased since the COVID-19 pandemic prompted many employers to switch to a distributed workforce model.
Sixty percent of small businesses that are victims of a data breach or cyberattack permanently close their doors within six months of the incident.
Why are mobile cyberattacks increasing?
The rise in mobile cyberattacks corresponds to both a rise in overall cybercrime and changing work patterns in which mobile devices are becoming increasingly common. For instance, the FBI’s Internet Crime Complaint Center (IC3) recorded a 7% year-over-year increase in cybercrimes in 2021 with estimated losses surpassing $6.9 billion, a 64% increase year over year.
At the same time as this rise in overall cyberattacks, reliance on mobile devices has greatly increased. Compared to the previous year, Verizon found that 58% of businesses saw an increase in users using mobile devices, 59% of users are doing more with their mobile devices and 53% of mobile devices have greater access to sensitive data. As these numbers tick up, and as more employees continue to work from home or in some hybrid model, businesses continue to face difficulty in providing remote work guidance and training.
Verizon found that 44% of employees did not receive regular security training over the past year. Additionally, 36% of businesses did not provide guidelines on suitable locations for remote working. This lack of training or guidelines further opens up employees to a variety of cyberattacks on mobile devices. For example, 13% of mobile devices encountered a man-in-the-middle (MITM) attack at least once in 2021, according to cybersecurity company Zimperium’s 2022 Global Mobile Threat Report.
In simple terms, an MITM attack occurs when a cybercriminal is able to intercept data between a mobile device and another system. This can occur, for example, if someone uses a compromised public Wi-Fi network in a cafe to log in to a work site. While the user may think their connection is secure, a cybercriminal is actually capturing their login data, allowing for additional potential attacks against either the user or their business.
A final factor leading to a rise in mobile cyberattacks is the overall increase in the sheer number and types of devices a business needs to be aware of and secure. Beyond smartphones, businesses also need to be aware of any laptops employees may use outside the office or their homes, as well as tablets, hybrid devices, wearables and any internet of things (IoT) devices. Each of these devices poses various ways in which cybercriminals could attempt to breach a business or carry out an attack.
Fifty-nine percent of SMBs said they have been targeted more since introducing hybrid work environments, according to Verizon’s Mobile Security Index 2022 report.
What are common mobile cyberattacks?
Many of the most common mobile cyberattacks are well-known cyber threats. Password-related attacks continue to be a major threat to mobile devices, according to Verizon. This includes a number of different attack methods, including the following:
- Credential stuffing: Attackers use usernames and passwords leaked from data breaches to attempt to log into other accounts. This assumes users reuse passwords, instead of using unique, strong passwords for each account.
- Brute forcing: Attackers use automated password-guessing software to enter millions of potential password combinations into an account. This method works only if accounts do not have multi-factor authentication (MFA) enabled and allow unlimited login attempts.
- Guessing attacks: Attackers guess a password based on information they are able to collect about a user, such as birth dates, anniversaries or interests such as favorite movies or sports teams.
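
The first two patterns leave different traces in login records, which a defender can use to tell them apart. The sketch below is an added example, not part of the original article; the event format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict

# Constructed sample events: (source_ip, username, success). Not real log data.
EVENTS = (
    [("198.51.100.7", "alice", False)] * 12                    # one account hammered
    + [("203.0.113.9", f"user{i}", False) for i in range(8)]   # many accounts, one try each
    + [("203.0.113.9", "user3", True)]                         # a reused password worked
    + [("192.0.2.20", "bob", False), ("192.0.2.20", "bob", True)]  # ordinary typo
)

# Hypothetical thresholds; tune them against your own login baseline.
BRUTE_FAILS_PER_ACCOUNT = 10
STUFFING_DISTINCT_ACCOUNTS = 5
STUFFING_MAX_TRIES_PER_ACCOUNT = 2


def classify_sources(events):
    """Label each source that had failed logins by the shape of its failures."""
    fails = defaultdict(lambda: defaultdict(int))  # ip -> username -> failed count
    for ip, user, ok in events:
        if not ok:
            fails[ip][user] += 1
    labels = {}
    for ip, per_user in fails.items():
        worst = max(per_user.values())
        if worst >= BRUTE_FAILS_PER_ACCOUNT:
            # Many guesses against a single account: brute forcing.
            labels[ip] = "brute_force"
        elif (len(per_user) >= STUFFING_DISTINCT_ACCOUNTS
              and worst <= STUFFING_MAX_TRIES_PER_ACCOUNT):
            # Few tries each across many accounts: leaked pairs being replayed.
            labels[ip] = "credential_stuffing"
        else:
            labels[ip] = "normal"
    return labels


def accounts_to_reset(events, labels):
    """Accounts with a successful login from a flagged source need a reset."""
    return sorted({user for ip, user, ok in events
                   if ok and labels.get(ip, "normal") != "normal"})


if __name__ == "__main__":
    found = classify_sources(EVENTS)
    print(found)
    print("reset:", accounts_to_reset(EVENTS, found))
```

A successful login from a source flagged as credential stuffing is the case to act on first, since it means a reused password was accepted.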
Perhaps the largest threat to mobile devices is phishing. According to Verizon, 83% of businesses experienced a successful email-based phishing attack in 2021, compared to 46% in 2020. Additionally, 53% of people encountered an unsafe link on a mobile device, and 18% of people clicked on that link.
Phishing attacks are particularly dangerous for mobile devices, as smaller screens make it harder to detect a potential phishing email. Additionally, mobile devices automatically truncate URLs and do not allow users to hover over links before clicking on them, making it more difficult to screen out well-written phishing emails. Behaviorally, users are also more likely to be engaged in distracting activities while using a mobile device, which could lower their awareness of attacks.
Cybercriminals are well aware of all of these shortcomings, and they have increasingly started to target mobile devices. According to Zimperium, 75% of phishing sites in 2021 targeted mobile devices directly. While less common than phishing, cybercriminals are also increasingly targeting mobile devices with malware. In 2021, Zimperium detected over 2 million new mobile malware samples being deployed against users. In the same time period, device management company Jamf found that organizations discovering malware installations on remote devices doubled to 6%.
According to Verizon’s Mobile Security Index 2022, human behavior was a contributing factor in 44% of mobile-related security breaches.
How can I prevent mobile cyberattacks?
Businesses need to take a multilevel approach to defending against mobile cyberattacks. While it is impossible to mitigate any threat entirely, the following steps can greatly increase both user and business security:
- Create an acceptable use policy (AUP) for company-owned devices, and explain clearly to employees what the policy states and why it exists.
  - An AUP should lay out what actions are acceptable on company-owned devices, such as whether an employee can check personal email, visit social media sites or conduct online shopping on the device. The policy should also state where an employee can use the device.
- Encourage employees to keep personal and professional devices, and use cases, separate.
  - This may mean telling employees not to connect their business email to a personal phone, or that certain actions are acceptable on a personal device only in certain situations. Regardless of the decisions you make, they should be clearly explained and align with the AUP.
- Consider opting for a mobile device management (MDM) solution if your business currently allows for a bring your own device (BYOD) environment.
  - This may mean providing employees with dedicated work smartphones and mobile devices, but it would allow for greater management of employee devices.
  - If you opt for a BYOD environment, consider providing a stipend to employees in exchange for them using a personal device for business purposes. In return for the stipend, outline which security policies they are expected to follow on their personal device.
- While MDM solutions can help manage devices, they are not dedicated security solutions. For mobile security, businesses should consider implementing mobile threat defense (MTD) solutions.
- Consider implementing a zero-trust model, which can help provide greater security for remote workers and businesses using cloud environments.
- Use other standard cybersecurity methods, like enabling MFA whenever possible on accounts; using unique, strong passwords; using password managers; and using virtual private networks (VPNs) when connecting to business resources.
Defending your business starts with education
Since one of the primary factors in a successful cyberattack is human behavior, it’s important that you educate your team about phishing, malware and other cyberthreats, as well as how they spread. Working with your staff to ensure cybersecurity best practices are the norm at your company can prevent costly data breaches that could, in a worst-case scenario, lead to the permanent closure of your business. Whether you’re on a mobile device or a desktop computer, always remember that cybercriminals are out there trying to compromise your network; by staying on top of cybersecurity trends and monitoring your team’s device usage closely, you can prevent them from being successful.