Employee smartphones, a pack of risks in a pocket. How to minimize your business’ attack surface

Roman Cuprik

With proactive prevention, companies can mitigate threats from mobile devices before they can do wider harm.

When intelligence services were trying to infiltrate companies or institutions during World War II and the Cold War, they needed to come up with some very smart ideas. They disguised cameras as coat buttons, hid transceivers in suitcases, and even tried to create a robot dragonfly with a microphone!

Today, when people want to snoop and get around a company’s defenses, they just need to get inside your employees’ smartphones. Nearly everybody has one, and many are casual about their security. Though it’s true that it is rare to see malware spreading from a phone to company laptops, a compromised phone is still a threat if it is connected to the company’s internal network, or when attackers use it to steal an employee’s credentials, sensitive corporate data, or banking information.

Considering how small those devices are, the threat landscape they create is disproportionately huge: a single phone contains several devices, such as a camera, microphone, and GPS tracker, but what is even more serious is that these components and many of the applications hosted on the phone can be abused to steal sensitive information from employees and to serve as an initial attack vector for cybercriminals to further harm a company.

Some businesses deal with this by using mobile device management (MDM), imposing strict rules on their corporate devices and allowing employees to use only a handful of apps. However, most businesses are either small or midsize, and their security teams may struggle to keep enforcement tight.

ESET researchers could write books about malware that threatens smartphones and its potential harm to businesses. That is why ESET, a global leader in cybersecurity, has introduced ESET Mobile Threat Defense (EMTD) as a part of its latest B2B offering. To improve their prevention capabilities, users of ESET PROTECT Advanced and higher can now enjoy one free mobile device seat per paid seat for other devices.

Shortly after the successful launch of the ESET Mobile Threat Defense module, ESET was included in Forrester’s Mobile Threat Defense (MTD) Solutions Landscape report, Q1 2024. Forrester, a respected analyst firm, provides an overview of 16 vendors in the field, including ESET, which, in our opinion, makes ESET a valuable player in this established market.

What threats are out there?

From the beginning of 2020 until the end of 2023, Android malware detected by ESET telemetry rose by 222%.

For example, last year, ESET researchers discovered two active campaigns targeting Android users, distributed across several app stores and dedicated websites.

The threat actors patched the open-source Signal and Telegram apps for Android with malicious code that ESET researchers have identified as BadBazaar. The malicious apps went by the name Signal Plus Messenger and FlyGram, and their purpose was to exfiltrate user data, such as contact lists, call logs, and the list of Google accounts.

Signal Plus Messenger is even more dangerous than FlyGram with its unique capability to spy on the victim’s communications in the original Signal app. Such sensitive information could be used for further spear phishing attacks against business officials.

A similar case was covered in June 2023, when ESET researchers identified an updated version of the Android GravityRAT spyware. It was distributed within the malicious but functional messaging apps BingeChat and Chatico, which were both based on the OMEMO Instant Messenger app. This particular spyware can exfiltrate call logs, contact lists, SMS messages, the device location, basic device information, and files with specific extensions, such as JPG, PNG, TXT, PDF, etc.

And this is just the beginning. Smartphones can be attacked in numerous ways that put companies’ finances and data in danger, such as through banking trojans, phishing, vulnerabilities, or physical theft.

SMBs are more vulnerable

Small businesses are often considered to be the backbone of national economies. In the United States, small businesses (defined as businesses with up to 500 employees) comprise 99.9% of all American businesses.

Authorities in the United Kingdom define small businesses as those with 10 to 49 employees and medium businesses as those with 50 to 249 employees. Similarly, more than 99% of all U.K. businesses are small and medium-sized businesses (SMBs).

Being cheaper and simpler to manage than issuing business devices, a Bring Your Own Device (BYOD) policy is often the number one option for SMBs. Some may also take a hybrid approach, providing corporate devices only to chosen employees. Without proper security, either approach comes with risks.

Of companies opting for BYOD, 48% say they have seen malware introduced through an employee’s personal phone, and just 4 out of 10 have MDM deployed, according to a Samsung 2023 survey.

And human error is a huge factor. Several recent studies show that more than 80% of data breaches involve a human element. Specifically, the most common mistakes contributing to cyber incidents are employees’ poor password hygiene and misuse of personal email.

However, we are not here to put the blame for every cyber incident on the average employee; after all, IT professionals make some of the most common mistakes too. For example, half of them admitted to reusing the same password in a Ponemon Institute 2020 study.

Moreover, SMBs are less eager to invest in employee training, according to a survey conducted by the U.K. Department for Science, Innovation and Technology in 2023. For example, only 28% of surveyed small businesses conducted awareness training, compared with 77% of large businesses.

The same survey found that SMBs often also lack properly educated senior managers: “Although we have senior managers who are good at the role, they don’t have awareness in cyber security. I try to ensure they have a basic understanding, training, and knowledge in it. But they are focused on the day-to-day,” said one of the participating human resources administrators working for a medium business.

Target mobile threats to minimize attack surfaces

Considering these threats, implementing MDM is a huge step forward. For example, ESET Mobile Threat Defense gives administrators the option to monitor and control applications for both Android and iOS. EMTD is part of ESET’s cloud and on-premises unified management console ESET PROTECT, so no additional management console is needed.

With endpoint protection included, EMTD also provides antivirus and anti-phishing features, giving businesses more cyberattack prevention capabilities.

Both device management and endpoint protection are also necessary when opting for a Zero Trust approach, an increasingly popular strategy in which the company verifies every account or device before allowing it to connect to its network.

See these ESET Mobile Threat Defense key capabilities and features:

  • Security: The security features range from anti-malware, anti-phishing, anti-theft, device security to control over web access, and much more.
  • Management: Management includes remotely wiping devices, restricting application installs, preconfiguring devices for users, and other items related to IT management.
  • Multiple OS: Mobile protection typically covers Android and Apple devices, the two most widespread mobile operating systems. As these operating systems are different, mobile protection capabilities can also vary between them.
  • Single pane of glass (SPOG): EMTD is natively integrated into the ESET PROTECT platform, and there is no need for another console or management platform.
  • Remote deployment: IT administrators simply select the employees with corporate devices, and those employees automatically receive a QR code with which to download ESET protection. Simple as that!
  • Seamless synchronization with cloud management platforms: For streamlined enrollment of mobile devices, ESET supports Microsoft Intune, Microsoft Entra ID, VMware Workspace ONE, and Apple Business Manager.

Investing in prevention to avoid crisis

According to the 2023 ITRC Business Impact Report, nearly half of the surveyed U.S. SMBs that experienced a data breach estimated their financial losses as being up to $250,000, another 26% calculated their losses as $250,000 to $500,000, and another 10% of SMBs estimated their losses could reach $1 million.

Seeing these numbers, it is clear that the phrase “an ounce of prevention is worth a pound of cure” also applies to cybersecurity. And that is not all: One-third of those companies also experienced loss of customer trust after a breach.

MDM with endpoint protection is always a great option to avoid such damage by decreasing your attack surface and the associated risks, even where employee awareness training is lacking. Even better, device management and protection can be operated from a single user-friendly platform, saving IT professionals precious time.