Internet of Things (IoT) technologies are revolutionizing the way many businesses operate by boosting efficiency, improving products and enhancing experiences for customers and employees. But as is the case with many innovations, unforeseen security problems emerge as scammers seek to exploit their vulnerabilities.

Connected devices present additional challenges for organizations that seek to offer employees the flexibility to work from anywhere, whether that’s while traveling for business or logging in from home. Many people who avoided going to the office during the onset of the pandemic have continued to work from home a few days a week or full time. More recently, Russia’s invasion of Ukraine coincided with a surge in cyberattacks that has alarmed security experts worldwide.

“IoT-enabled connected devices expand your company’s attack surface, putting your company’s core systems and data at risk,” according to a report from an analyst team led by Merritt Maxim, vice president and research director at Forrester Research. “Smart-home device security is a growing concern not just because of the potential privacy and data leakage, but because the surge in remote work since 2020 means these devices may represent a threat to enterprise data and networks.”

Businesses are right to be concerned about security, considering that IoT and mobile devices are two of the biggest sources of data breaches during an external attack. Almost a third (31%) of enterprise security decision-makers who experienced a breach said IoT devices were targeted, followed by employee-owned mobile devices (29%) and company-owned mobile devices (27%), Forrester found in a survey. 

Because some connected devices have limited processing power, they may lack a strong defense against an external attack. Some of the security weaknesses can also be attributed to the complexity of integrating a variety of connected devices that use different communications methods and protocols. A device may transfer data through MQTT, AMQP and HTTPS connections, or use a different radio frequency when deployed in another region. Anytime systems become more complex, they also can result in misconfigurations that leave them vulnerable.

Responsibility for Securing Connected Devices

Securing connected devices may require the combined efforts of different information technology teams throughout an organization, including experts in Unified Endpoint Management (UEM) and Mobile Device Management (MDM). 

“These are typically administered by infrastructure and operations teams,” said Dionisio Zumerle, an analyst at Gartner. “However, security teams are involved in defining the security requirements for the tool and developing the logical security policies that the tool has to enforce.”

More mature organizations may have additional security tools to monitor and detect threats, and misconfigurations and impose more granular security policies, he said.

“The responsibility for connected-device security naturally falls within the security teams,” said Adam Weinberg, co-founder and CTO of mobile security firm FirstPoint Mobile Guard.  “However, for IoT enterprises that rely on the operation of the connected devices, IT and operations would be involved as well.”

Growth of “Shadow IT”

As companies provide greater mobile connectivity to employees, customers and suppliers, they are becoming more reliant on systems they don’t directly control. Among professionals who are responsible for the procurement, management or security of mobile devices, 82% said that their company will rely on networks it doesn’t own – such as home broadband and cellular – more than ones it does, Verizon Communications found in a survey. 

Alongside this growing dependence on outside networks is the continuation of a trend to let employees use personal devices for work. Recognizing that many people don’t want to carry two or more smartphones, companies may have a “bring your own device” (BYOD) policy that also lets workers control which productivity apps they like the most.

This migration toward “shadow IT, ” which Gartner has defined as “IT devices, software and services outside the ownership or control of IT organizations,” has become a bigger concern for businesses. More than four out of five (83%) respondents to Verizon’s survey said they were worried about the rise in shadow IT. The trend may become a source of resentment among employees if companies confront mobile security threats by taking away freedoms they had granted.

There are basic ways for companies to protect sensitive data, but only 9% of survey respondents practice four:

As for employees who want to use their personal connected devices at work, it’s important to have a strategy to delineate that usage to prevent data leaks.

“Communication with users is important,” said Gartner’s Zumerle. “It helps to explain to them what the enterprise can and cannot see on the device, and how this information will be used. Nowadays, there are ways to natively separate business and personal data, and for management and security controls to be less invasive on the users’ privacy.”

Potential Risks From Mobile Apps

Mobile apps can provide a broad range of functionality for businesses, but any security failures can be potentially devastating. The loss of sensitive data, exposure of internal systems, fraud and fines for not complying with the law are among the key risks associated with mobile apps.

“Often, these are public-facing apps that may be the primary or only way an organization is able to interact with its customers or partners,” Zumerle said in a research report. “Because they can run on any mobile device, these apps are built to run in a hostile environment, under the control of an attacker.”

While device theft, malware and man-in-the-middle (MitM) eavesdropping on unsecured networks are key threats to data security, mobile apps can have their own vulnerabilities. Apps typically communicate with a company’s back-end systems, potentially exposing application program interfaces (APIs) and enterprise databases to external attacks. API scraping, which is the unauthorized usage of large amounts of data extracted through the interface, is one potential vulnerability. Denial of service (DoS) attacks that attempt to overload a company’s system with repeated requests for a network resource are another possible consequence of inadequate security.

Businesses may face trade-offs between security and the performance of their apps, including native, web-based or hybrid versions. It may be tempting to convert an enterprise web application into a mobile web app that’s more accessible on wireless devices. But a mobile app may use a lot of the device’s processing power with the encryption of cached content, reducing performance speed.

Developing a native app that works as an independent program on a mobile device can provide more security features. Those include device attestation to verify the authenticity and integrity of hardware and software, which is especially important for financial transactions or IoT connectivity. A key disadvantage of native development is the maintenance of separate apps for Android or Apple platforms.

“An added challenge is that often mobile apps are built and delivered independently through a business unit, without IT support or security involvement,” according to Gartner. “To ensure they are involved, security leaders must communicate their policy to the various lines of businesses.”

Rogue Apps Rising

Companies also need to be aware of the growing threat from rogue mobile apps, which are malicious apps that impersonate trusted brands to dupe people into disclosing sensitive information. Rogue mobile apps made up 39% of fraud attacks worldwide in the third quarter of 2021, according to the most recent information from cybersecurity firm Outseer. The number of such attacks surged 49% from the prior three-month period.

“Fraudsters are focusing their efforts on social engineering, fake social media profiles and fake mobile applications as these tools are effective for quick cash out,” according to Outseer, which observed that rogue mobile apps were more prevalent than cyberattacks with Trojan horse malware.

Outseer recommends businesses monitor app stores for copycats, and request that Apple or Google remove them immediately. Companies also can take steps to warn employees and customers to be aware of potential threats.

Evaluating Wi-Fi Risks

As workers resume business travel, come into the office more frequently or work in public places like coffee shops, they’re more likely to use public Wi-Fi networks. They’re also more likely to face security threats. More than half of the mobile security professionals surveyed by Verizon said their company allows the use of public Wi-Fi, and only 8% of them take steps to prevent it.

“At best, users are swapping privacy for convenience,” according to Verizon. “At worst, they could be compromising credentials to other systems and exposing devices – not just the one they’re using, but everything it can connect to – to malicious code.”

The number of threats related to Wi-Fi had dropped throughout 2020 as many people worked from home and were less likely to use risky networks. However, these home-based connections had their own risks. Only 26% of workers said they changed their home Wi-Fi’s default password and 22% changed their router’s default password, according to a global survey by cybersecurity company Proofpoint. Leaving these passwords unchanged can be problematic for people who own routers with the same factory settings as others.

Almost all companies (99%) said they provided security awareness training to employees, though Proofpoint found that many topics were not covered. Only 44% of survey respondents said they had discussed Wi-Fi security, while 43% had offered training on mobile device security, according to the survey.

“It’s clear that many users don’t have a strong grasp of fundamental Wi-Fi practices,” according to Proofpoint. “Small changes can minimize risk. So, if you haven’t advised your workforce on how to close security gaps in home Wi-Fi, we suggest making the effort in 2022.”

Future of Mobile Threat Defense 

Amid the ongoing security hazards that businesses confront, a variety of cybersecurity companies are developing mobile threat defense (MTD) products to prevent and detect threats to mobile networks, apps and Android and Apple devices. MTD solutions can help vet apps for acceptable behavior and generate lists of permitted and blocked apps. These preventative measures are especially significant as mobile apps interact with IoT systems and devices.

Importantly, the defense measures can block mobile phishing attacks that try to trick people into sharing login credentials, credit card numbers and other sensitive information. These kinds of attacks surged at the beginning of the pandemic as scammers targeted people who were spending more time with their connected devices. The smaller screen sizes of smartphones made their users especially vulnerable to phishing attacks. It was more difficult to tell whether an email, text or website link came from a legitimate business or an impostor. 

MTD solutions can help businesses implement zero-trust network access (ZTNA) and extended detection and response (XDR) systems. ZTNA enforces specific rules for access to applications from remote locations and devices, while XDR works to speed up security measures by integrating protection among a wider range of devices.

“MTD can enable ZTNA on unmanaged iOS and Android devices, making it suitable for BYOD and work-from-home scenarios,” Gartner’s Zumerle said. “This can be on a per-application basis so that when a user launches an application on a device, the application allows access only when MTD is running on the device.”

Must-Have Mobile Security

Mobile security is increasingly necessary as more businesses decentralize their operations, not only by allowing employees to work from home more often, but also when implementing IoT technologies with connected devices. As beneficial as this connectivity can be, it exposes businesses to more threats from external attacks.

“Recent events make it clear – everyone and everything is vulnerable to a cellular network hacking attack,” FirstPoint’s Weinberg said. “As a result, enterprises and government agencies are deploying cellular IoT management and security solutions to maintain control over the most challenging type of end-point device: connected assets.”

A variety of protective measures can help these organizations to mitigate external attacks on their sensitive connected infrastructure. Training remote workers to be more mindful of Wi-Fi and home network security is one key step, along with adopting strategies such as MTD, ZTNA and XDR. These more sophisticated tools can help to protect customers, employees and valuable equipment.