Ransomware is spreading: this is why it is important that smartphones for professional use are secure
Whether scheduling an appointment, checking data and emails while on the move, or communicating in real time with clients and colleagues, smartphones are essential for business. According to the German association BITKOM, one out of five employees already had their own mobile phone in 2016. Almost 75% of professional users are authorized unlimited use of their phones, for emails and private conversations as well. However, the German Federal Office for Information Security (BSI) informs us that these mobile devices, although convenient, are more than just phones and pose a risk to the company’s computer security. Truly miniature computers, they are often in constant contact with the company’s internal network and access all data from the outside. Anyone with unlimited access to surfing, reading emails, and installing applications can easily be contaminated by malicious software and can infect the company’s entire computer network through the intranet.
At the same time, “cyber blackmail” has gained popularity among cybercriminals: recently, hackers have been infecting company networks and erasing entire databases. The only way to get the important documents back is to pay a ransom. According to a study by BSI, in 2016, a third of the companies surveyed had been targets of malicious files sent as attachments, or of other cyber attacks, during the course of six months. This applied to big companies as well as small and medium-sized ones.
Criminals are now spreading this scam to smartphones. Professionals send a trojan disguised as antivirus software, which blocks all of the phone’s functions. It is then necessary to purchase the “complete software” for the phone to function again. Other malicious software claims that authorities have blocked the device because it contains adult content. Such malware is cleverly distributed through portals offering pornography.
Arne Schönbohm, president of BSI, warns that “even untargeted attacks, as with current ransomware, could cause significant IT damage and jeopardize the company’s success.” BSI has found that the weak points are most often insufficiently secure internet protocols, hacked applications, and ineffective antivirus filters. The easiest way to avoid this is to configure the technology so that no applications can be installed on the device, or only those that have been approved by the system administrator.
It is also possible to completely block internet usage outside of the company’s firewall. Password protection is equally vital, in the event that a phone ends up in the wrong hands. Outside of the business, it is recommended to use dual-factor authentication, which makes phishing (the theft of passwords or PINs) much more difficult. Dual-factor authentication has the user identify themselves twice: on the device and, for example, by a random PIN that the system sends to a second device. In addition, experts advise classifying company documents for mobile devices so that truly sensitive data cannot be used or sent via smartphone.
Finally, staff training is necessary. The trojan “antivirus” mentioned above is in fact not distributed through app stores but downloaded onto the smartphone by sideloading from alternative sources, a high-risk practice similar to browsing pornographic sites, storing passwords or disabling the keypad lock. Yet many users are still not aware of this. Companies need to make sure that regulations are clearly formulated and understood, and that clear penalties are enforced in the event of a breach. For this purpose, it may be useful to include computer security in an agreement defining the objectives for each employee involved.