How can the security of cell phones used by workers in the workplace be tested?
Companies can undergo specific security audits to test the security of cell phones used by employees in the workplace.
Threats to cell phones are becoming increasingly common and complex, with more severe consequences. This is according to the National Security Agency (NSA) of the United States, which has produced a best practices guide for citizens and workers to use cell phones safely. This is especially critical in the business world since security incidents can affect company information and business continuity.
For this reason, it is vital that companies test the security of cell phones that workers use in the workplace and implement good practices for using these devices, which are so important for the day-to-day work of professionals.
Below, we will explain the BYOD policy, MDM software and how to test the security of cell phones used by employees in the workplace.
What attacks against enterprise cell phones can malicious actors carry out?
An attacker could execute many attacks against an employee’s device to obtain confidential information or reach the corporate network. Listed below are some examples of attacks that could be carried out:
- Tricking the user through social engineering-based attacks.
- Installing malicious applications.
- Forcing the device to connect to a fraudulent access point.
- Exploiting the use of Bluetooth or NFC.
- Accessing the corporate network through a VPN connection.
The main consequences of these types of attacks are the leakage of confidential information stored on the device and an attacker's access to the corporate network. Once inside the network, the attacker could try to reach other internal equipment.
How can the Bring Your Own Device (BYOD) policy be implemented securely?
The BYOD policy allows an employee to use his or her personal device to perform work functions and store corporate information. This approach reduces the cost of providing employees with corporate devices and increases employee satisfaction by allowing them to use a familiar device and respecting their privacy.
However, a BYOD policy can expose an organisation's data to greater risk by allowing it to reside on a device over which the organisation has no control. For this reason, this policy is often used in conjunction with Mobile Device Management (MDM) software, which allows companies to apply multiple settings and restrictions to registered devices to increase their security.
BYOD on Android
To implement BYOD, Android offers the work profile, which allows the work environment to be isolated from the user's personal environment at multiple levels (storage, memory, etc.). This profile can be configured manually, although its real usefulness is observed when it is managed by MDM software.
BYOD on iOS
On the other hand, BYOD is implemented in iOS by installing a configuration profile consisting of a MobileConfig file containing multiple payloads and authorisation information. This profile can be obtained by logging in with an account managed by Apple Business Manager or by installing the corresponding file previously generated by a third-party MDM. In the latter case, the configuration profile is typically distributed via email, corporate website, or MDM application.
What do we get with a work profile?
Regardless of the operating system, MDM software allows you to impose restrictions on the device and the work profile and can, among other things:
- Require the configuration of a screen lock mechanism.
- Provide a whitelist of applications that can be installed.
- Prevent the use of copy/paste functionality between the user’s and work environments.
- Block the use of MDM on rooted or jailbroken devices.
A priori, the BYOD policy may be a security risk; however, if it is appropriately implemented using tools such as an MDM, it will be secure against possible attacks.
What essential tips should workers follow to prevent their cell phones from being attacked?
To prevent security incidents, it is recommended that companies and their employees implement some basic measures:
- Deploy robust password-based authentication mechanisms to unlock the device.
- Enable second-factor authentication (2FA) in all applications that allow it.
- Avoid installing unofficial applications. Be especially careful with modified versions of premium programs (e.g. Spotify or YouTube without ads).
- Do not root/jailbreak devices that will contain sensitive information.
- Educate the entire workforce on security to avoid social engineering attacks, such as smishing and qrishing.
- Use antivirus solutions and install the latest operating system and application updates.
How is the security of a company’s employees’ cell phones assessed?
In the field of cell phone security, mobile application audits carried out by app developers play a key role. Beyond this kind of audit, companies can analyse these devices’ security through a security audit aimed at BYOD implementation. This typically translates into auditing the configuration of the MDM software used.
The security tests performed in this type of audit focus on trying to breach the MDM configuration to circumvent the policies imposed by the company, or on evaluating its hardening to verify whether the adopted configurations may pose a risk or impact to the company. Some of the most common security tests are:
- Rooting an unauthorised device.
- Rooting/jailbreaking the corporate device.
- Installing unauthorised applications in the work environment.
- Connecting to the device via USB.
- Accessing the corporate network from an external device.
Performing this type of audit helps companies to determine to what extent the implementation of BYOD is secure and whether the settings adopted on the MDM are excessively permissive and may cause some kind of risk. This allows the company to modify or add new security settings during the device's deployment.
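As an added illustration of the configuration review described above (this is not code from the original article), the following Python sketch parses an unsigned iOS configuration profile and reports permissive settings for two of the restrictions mentioned earlier: screen lock and copy/paste between the work and personal environments. The payload types and keys are Apple's documented ones; the sample profile is constructed, and the six-character passcode baseline is an assumption.

```python
import plistlib

# Constructed sample profile for illustration (not from a real deployment).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>forcePIN</key><true/>
      <key>allowSimple</key><true/>
      <key>minLength</key><integer>4</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowOpenFromManagedToUnmanaged</key><true/>
    </dict>
  </array>
</dict></plist>"""

MIN_PASSCODE_LEN = 6  # assumed audit baseline, not an Apple default

def audit_profile(raw: bytes) -> list[str]:
    """Return findings for permissive settings in an unsigned .mobileconfig."""
    payloads = plistlib.loads(raw).get("PayloadContent", [])
    by_type = {p.get("PayloadType"): p for p in payloads}
    findings = []
    # Screen lock: absent keys fall back to the permissive OS defaults.
    pw = by_type.get("com.apple.mobiledevice.passwordpolicy")
    if pw is None:
        findings.append("no passcode policy payload")
    else:
        if not pw.get("forcePIN", False):
            findings.append("passcode not required (forcePIN)")
        if pw.get("allowSimple", True):
            findings.append("simple passcodes allowed (allowSimple)")
        if pw.get("minLength", 0) < MIN_PASSCODE_LEN:
            findings.append("minLength below baseline")
    # Separation between managed (work) and unmanaged (personal) apps.
    r = by_type.get("com.apple.applicationaccess")
    if r is None:
        findings.append("no restrictions payload")
    else:
        if r.get("allowOpenFromManagedToUnmanaged", True):
            findings.append("managed data can open in unmanaged apps")
        if not r.get("requireManagedPasteboard", False):
            findings.append("copy/paste not restricted (requireManagedPasteboard)")
    return findings
```

Profiles signed by the MDM are wrapped in a CMS envelope and must be unwrapped before `plistlib` can parse them.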
In short, companies whose employees use cell phones for professional purposes should test the security of these phones in the workplace. This will increase the security level of these devices, mitigate the detected weaknesses, and prevent cyber-attacks.