Author: Phil Muncaster
Date published: July 11, 2024
Small and medium-sized businesses (SMBs) are an increasingly attractive target for opportunistic cybercriminals. 72% of small businesses experienced a cyber attack in the past year, according to the 2023 Business Impact Report, with 42% losing revenue as a result. Threat actors will look for any unsecured endpoint they can find. Increasingly, as Verizon's 2023 Mobile Security Index (MSI) makes clear, this endpoint could be a mobile device.
SMBs are a target because threat actors gamble that they devote fewer resources to securing mobile devices but still have plenty of sensitive data to steal, and may have a low tolerance for extortion-related outages. Unfortunately, this combination of factors can have a devastating impact.
Research from BlackFog found that 61% of SMBs were hit by a successful cyberattack over the previous year, and 87% of these suffered two or more breaches. The most cited impact is business downtime (58%), followed by customer data loss (39%) and customer churn (33%). Securing mobile devices is important because those devices could otherwise provide hackers with a ready-made route to sensitive data stores and backend IT systems.
According to Verizon’s MSI, while the content stored on the phone is of some interest, the real value of compromising a mobile device comes from the potential to access the company's "crown jewels"—customer data, intellectual property and other valuable information. [1]
Data theft and ransomware are therefore the two most pronounced mobile device security-related threats facing your organization. They're usually combined in "double extortion" attacks in which threat actors try to both steal and encrypt sensitive corporate data. Although larger enterprises would seem to offer a bigger bang per buck, ransomware attacks continue to be the top threat action in data breaches, across companies of all sizes and industries, according to Verizon's 2023 Data Breach Investigations Report (DBIR).
According to the DBIR, the attack surfaces and profiles of enterprises and SMBs "share more in common than ever before." However, when it comes to securing mobile devices, several trends may impact SMBs more:
Allowing staff to use their personal device for work could be seen as a cost-saving measure that also keeps employees happy and productive. Yet, for the same reason, they may be more exposed to mobile cyber threats. Users may engage in risky behavior on these devices, such as unwittingly downloading malicious apps whilst failing to install appropriate security software. Mobile app threats increased by over 30% between the first half of 2022 and the first half of 2023, according to Lookout data cited in the MSI. [2]
If you are wondering which employees must take part in device security, the answer is clear—everyone. Nearly three-quarters (74%) of all breaches involved the human element, according to the DBIR. Social engineering is a potent threat to all types of organizations, but especially those that don't support their employees with comprehensive training programs. Only 43% of SMBs carry out security awareness training. Yet the same share of respondents blame their security issues on precisely this lack of training. Such training is especially important given that mobile devices may lack anti-malware protection, and their simplified interface can enable hackers to hide malicious intent more easily in their phishing messages.
While some large enterprises are now rolling back on pandemic-era commitments to remote working, for many SMBs the remote set-up still makes financial sense. Yet this can also create mobile device security risks if employees engage in unsafe working practices or their devices connect to unsecured home or public Wi-Fi networks. Two-thirds (67%) of remote workers reported failing at least once to fully adhere to cybersecurity policies, according to one study in the Harvard Business Review. As the MSI notes, personal devices being used by the owner or others, such as family members, may be used to click on suspicious links, visit malicious sites or unwittingly download risky apps. [3]
To mitigate these risks, the first step is to carry out an audit to understand how many personal devices are connecting to corporate resources, and what data and systems they're connecting to. Then, it's time to work out a BYOD policy according to your risk appetite. Your organization may even want to buy corporate-liable devices for some or all users.
Next, update security training and awareness programs to take account of mobile device security threats. Courses should run continuously but consist of short lessons that can be delivered to all staff.
Finally, consider the following rules for securing mobile devices:
- Enable multi-factor authentication (MFA) protection on devices
- Ensure remote wipe and tracking are on
- Keep the device operating system and key software/apps up to date
- Do not connect to unknown Wi-Fi hotspots
- Don't download apps from unofficial stores
- Don't click on links or open attachments in unsolicited emails/messages
SMBs may find that mobile threat defense (MTD) and mobile device management (MDM) solutions are two useful ways for IT teams to mitigate the risks posed by unmanaged mobile use.
MTD is a bundle of tools designed to monitor for threats, suspicious activity and misconfigurations, which could lead to device compromise. Delivered through industry partners, Verizon's Mobile Threat Defense offerings provide a range of capabilities for threat defense at a device, network and application level.
MDM is a suite of solutions designed for IT administrators to remotely enforce and update security policy across all end-user devices to minimize cyber risks and enhance employee productivity. Verizon Mobile Device Management offers diagnostics, remote lock/wipe, mobile hotspot management and policy enforcement through a single portal.
Verizon’s Business Mobile Secure can also help small and medium-sized businesses stay protected and productive.
To find out more about the mobile security threat landscape, read Verizon's latest annual MSI white paper.
The author of this content is a paid contributor for Verizon.
[1] Verizon, 2023 Mobile Security Index, page 5.
[2] Lookout, Lookout Security Graph, 2023; cited in Verizon, 2023 Mobile Security Index, page 15.
[3] Verizon, 2023 Mobile Security Index, page 21.