21/10/22

EU Cybersecurity Month: mobile devices can pose a risk to your business

The EU Cybersecurity Month (“ECSM”) is the EU’s annual awareness campaign that takes place every October across Europe. Through this initiative, European institutions aim to raise awareness about cybersecurity threats, promote mitigation action and share best practices.

CMS Belgium fully supports this campaign. We are a proud partner of the Centre for Cyber Security and the Cyber Security Coalition in Belgium’s national campaign this year on mobile malware. This type of cyberattack could have an adverse impact on the confidentiality, integrity or availability of the mobile device and could have a ricochet effect on your company.

The ECSM is a good opportunity to practise your cyber hygiene

Background 

We increasingly depend on mobile devices. Many companies embrace “bring your own device” (“BYOD”) policies and allow employees to access corporate networks using personal devices. This potentially introduces unknown threats into your business. Indeed, staff are not always aware of the dangers of using mobile devices. Cybercriminals use this to their advantage to gain access to sensitive information or simply to do damage. Examples of mobile malware and of these attacks also appear in the news.

Staying secure for your company means recognizing your risk, understanding common threats, and following some best practices. This article provides you with tips and tricks to improve your mobile malware protection.

What is mobile malware? 

Mobile malware is malicious software (pieces of code) that targets mobile devices (smartphones and tablets), with the goal of gaining access to personal and/or confidential (sensitive) data. This malware is programmed to cause damage. Examples of such malware include viruses, worms, banking malware, Trojan horses, ransomware, and spyware.

Impact and risk – why does it matter? 

Mobile malware is a serious threat for your company as it renders your IT systems vulnerable to cyberattacks. Even though mobile devices can be hard to fit into a traditional network or data security model, they need to be considered. A lot of business transactions and information are stored online. This may be in the cloud or on public-sharing platforms and can be accessed via mobile devices. One breach through a personal device can potentially lead to widespread infection and data loss. Therefore, companies need to treat mobile devices in the same way as they treat servers and other computers.

The primary goal of mobile malware is to steal information from these devices (e.g. usernames, contact directories, telephone conversations, passwords for email accounts or bank accounts, credit card numbers, SMS messages, video files and location information) and/or control them to perform any action cybercriminals want (e.g. mining cryptocurrencies). This information can then be forcibly encrypted with ransomware (i.e. demanding that a company pays a ransom before they can access their information again).

Cybercriminals may then use this stolen information for various malicious acts, such as using your bank details to usurp your banking identity; selling your confidential information; sending links containing other malware to everyone in your contacts; or exposing your company data.

Make your staff aware 

Cybersecurity awareness training is a key priority in a hybrid working environment. Enrolling your staff on cybersecurity training or e-learning courses will lead to more highly skilled employees who are unlikely to expose sensitive information. Campaign posters are also very useful supplements to training courses. Simulating a cyberattack, and monitoring how your staff respond, is also a good test.

Having a proper device security policy in place will ensure that employees are aware of potential threats and the best practices to keep these threats at bay, especially in companies that make use of BYOD.

Cybersecurity tips and tricks 

Here are some tips and tricks to keep your mobile device free of malicious code and keep your company secure:

  • Keep all operating systems and software up to date with the latest versions. Every app has vulnerabilities that potentially allow cybercriminals to harm or take control of your devices. Fortunately, these vulnerabilities are detected and repaired (patched). If you are not regularly updating the software on your phone, your device will be vulnerable.
  • Install apps from trusted sources only (Google Play, App Store) or official vendors (e.g. Samsung, Amazon). This ensures that the apps are legitimate.
  • Back up your data.
  • Implement a BYOD policy explaining, among other things, that mobile devices and their content could pose dangers to your network.
  • Don’t click on links or attachments in unsolicited emails or text messages, even if they look realistic. Always be very careful when you receive an e-mail or a text asking you to download an app.
  • Encrypt your data. If you have sensitive data on your mobile device, make sure it is encrypted. It will then remain secure, even if malware steals it.
  • Log out of websites or apps after you have made a payment.
  • Don’t jailbreak or root your device (i.e. do not modify your mobile device in a way that circumvents the default protections).
  • Use secure Wi-Fi. Using password-protected Wi-Fi connections keeps unwanted third parties from carrying out man-in-the-mobile attacks between your device and your intended web destination. Whenever possible, use a VPN connection.
  • Turn off Wi-Fi, location services and Bluetooth when not in use.
  • Avoid giving out too much personal information. Installing an app often requires access to other personal data (such as pictures, contacts, or location). Allow this access only if this data is necessary and useful for the installation of the app.
  • Install a mobile security app (e.g. anti-virus software).

Tom De Cordier
Partner, Brussels

Thomas Dubuisson
Senior Associate, Brussels
