08/15/2016 01:35 EDT | Updated 08/15/2016 01:59 EDT

3 Strategies SMBs Can Take To Strengthen Mobile Security


Today, employees and organizations want more flexibility and work-life balance. They want to work anytime, anywhere. But they also want privacy and information security, at a time when cybercrime is a growing concern.

According to Mobile Security and Risk Review, Second Edition (Q2 2016), published by MobileIron, mobile threats are increasing, due to lax security practices of public and private organizations. MobileIron's lead architect, James Plouffe, in an interview, said organizations are "alarmingly complacent" regarding their information security. "The velocity of mobile attacks is increasing, but the latest data shows that enterprises are still not doing the things they could be to protect themselves."

Organizations and their employees can reduce the mobile threat using three strategies.

1) Secure Mobile Phone Operating Systems

The longer an operating system is on the market, the more vulnerable it is. Today, criminals use mobile phone malware to track a user's location, take over cameras and access any stored data like text messages, contact lists, photographs and passwords. Android phones currently account for 96 per cent of malware attacks because they are more open and less controlled.

Telco carriers and manufacturers need to tweak each installation and customize each phone model. This delays OS updates. According to Marc Goodman, author of Future Crimes, most Android users do not have up-to-date device patching for the newest OS. Goodman says that if Android users upgraded to the latest version of their mobile phone operating system, 77 per cent of security threats could be eliminated. Criminals look for security weaknesses by targeting such users. Security firm Symantec predicts that malware threats targeted at Apple will increase in 2016 due to the popularity of the devices.

2) Use Reputation or Mobile Threat Prevention tools

Both the Google and Apple stores have more than one million apps available. According to MobileIron's Q4 2015 report (Mobile Security and Risk Review), less than five per cent of enterprises have deployed an App Reputation or Mobile Threat Prevention solution. These tools help to reduce risky and malicious apps and other device vulnerabilities.

Additionally, EMM (Enterprise Mobility Management) apps provide data monitoring and cloud access features to further minimize data leakage. Goodman writes that by 2013, more than 42,000 apps in Google's store were identified as having spyware and information-stealing Trojan programs.

Recent mobile attacks include:

  • Android GMBot - remotely controls infected devices and tricks victims into entering banking info.
  • AceDeceiver iOS malware - intended to steal a person's Apple ID. Released to the App Store in late 2015, disguised as wallpaper.
  • SideStepper iOS "vulnerability" - sidesteps the normal app approval process by tricking the user into installing a malicious configuration profile.
  • Marcher Android malware - mimics bank websites and tricks users into entering login information through ecommerce websites.
  • XcodeGhost - a variant of malware that steals device and user information.

3) Educate staff about importance of mobile compliance requirements

The weakest link between a cyber criminal and an organization is an employee who unknowingly compromises their device. Companies need to better communicate the consequences of a data breach when compliance requirements are not followed.

Compromised Devices

An out-of-compliance or compromised mobile device costs companies more when a data breach occurs. According to a survey done by the Ponemon Institute in 12 countries, the average cost of a data breach is $4 million, 29 per cent higher than in 2013.

Missing Devices

MobileIron reports that 40 per cent of companies had missing devices in early 2016. Missing devices include devices that are stolen, lost, not in use or turned off for an extended period of time. The typical resolution for a missing device is to determine, as soon as possible, the actual reason the device is inactive. If the device is lost or stolen, it must be quarantined.

Out of Date Policies

Out-of-date policies occur when IT administrators change a policy and the change does not propagate to an end-user device. Companies with out-of-date policies increased from 20 per cent in Q4 2015 to 27 per cent in Q2 2016. When an employee device has an out-of-date policy, its use should be restricted until the issue is resolved.

Don't delete Enterprise Mobility Management app

As mentioned, EMM apps help monitor information and safeguard against threats. According to MobileIron, the incidence of a company's EMM app being removed, for various reasons, from one or more devices rose from five per cent in Q4 2015 to 26 per cent in Q2 2016.

The number of global mobile phone users is forecast to reach 4.77 billion in 2017. The opportunity is clear for criminals to target users and organizations with lax security standards. Organizations and employees must remain vigilant and follow security strategies that maximize their privacy and data protection.
