African enterprises grapple with growing mobile phone security threats

Technology leaders in African enterprises face growing mobile security threats due to an increase in mobile phone penetration, the massive move to remote work brought about by the pandemic, and an accelerating rise in mobile services.

South Africa, Kenya and Nigeria in particular are seeing an increase in mobile phone malware, according to cybersecurity firm Kaspersky. In Kenya, 7% of users were affected by malware last year, and 13% by adware, according to a recent Kaspersky report. In Nigeria, the situation was similar, with 7% of users impacted by malware and 17% by adware. In South Africa, 4% of users were targeted with malware and 7% with adware, Kaspersky said.

Mobile banking has also become a major target for cybercriminals in regions like East Africa. The growth of mobile banking has recently outperformed that of traditional banking services such as deposits, withdrawals, transfers and balance inquiries.

Some companies in Africa have begun using mobile money as a payment method for expenses, creating a source of vulnerability that attracts exploiters. Its convenience is attractive to companies but great care is advised by security experts.

BYOD policies open mobile phone security risks

The use of mobile phones in the workplace has become a concern along with the increase in mobile phone malware, according to Geoffrey Cleaves, head of Secure-D at Upstream.

“With the global pandemic, more and more employees are accessing their corporate networks from their mobile devices. An estimated 6% of these devices worldwide carry malicious software. Imagine if 6% of workers’ PCs were infected as they connected to the corporate VPN? It would be an unacceptable risk for corporations,” he told CIO Africa.

Upstream’s report, A Pandemic on Mobile, said the company found that 11% of Android devices in Nigeria had malware-infected apps. Malware can become an entry into a company’s intranet when infected devices are used within the company’s network, more so as an increasing number of employees work from home and rely on their own equipment to get work done.

The move to remote work comes with a parallel rise in BYOD (bring your own device) polices, and working from home appears to be a trend that is here to stay. KnowBe4’s 2020 African Cybersecurity Research Report found that found that nearly 50% of the respondents said they will continue to work from home, and 24% of  the respondents indicated that they were affected by cybercrime while working from home.

George Mutune, a Nairobi-based Cybersecurity Specialist at Ignyte Assurance Platform, says BYOD (bring your own device) is inevitable in today’s world.

“Realistically, the option of prohibiting BYOD entirely is unfeasible, considering that many companies allow employees to use their devices for business purposes to reduce hardware and software costs,” Mutune said.

He adds that enterprises can help employees follow the right approaches to identifying BYOD risks. Corporate policies should provide acceptable-use guidelines, highlighting the applications and assets remote employees are allowed to access from their devices. Organizations also can define policies that specify permitted device types, and establish security controls for all devices.

Mobile users lack awareness of security threats

The KnowBe4 report found out that most employees are oblivious of mobile phone dangers, especially in the use of banking and finance applications.

“People are still taking risks, as they don’t fully understand what constitutes a threat and how their use of mobile devices to manage their banking and finances can impact their security posture. They are vulnerable, as they don’t realise the problems posed by the security issues they don’t know or know to recognize,” the report said.

The use of multifactor authentication is still low in African organisations, according to KnowBe4. More so, the lack of strong passwords and regular OS and application updates still pose a threat to organizations.

Nevertheless, awareness of security practices is on the rise. KnowBe4 observed that in 2019, less  than 50% of respondents were aware of what multi-factor authentication was but in 2020, the number of people correctly identifying it rose to 61.11%, showing a shift towards more awareness around security hygiene and password management.

The basics of security for enterprise devices include strong authentication, Mutune said. “It is vital to restrict employees to using native security features, such as requiring strong passwords to access sensitive information and cloud applications,” he said.

Messaging apps allow for social engineering

Social engineering has also been identified as being widespread across Africa. According to Mutune, social engineering is the main tactic that hackers use to exploit the weakest link in the cybersecurity chain, which is the human. This is all in a bid to steal personal and financial information.

Most employees interviewed in the KnowBe4 survey acknowledged that WhatsApp was the number one social media platform they use in their professional work. After email, WhatsApp has been identified as a weak link that hackers use to penetrate organization’s networks, through infected links and files. Nearly 87% of mobile users use email for work, closely followed by WhatsApp with 85%, the report denoted.

Employers are constantly under pressure to plug all loopholes in their systems and education is a formidable way to close these gaps. Knowledge on how to spot social engineering tricks and even recognize phishing scams could enable employees to stem attack in their company’s networks.

Enterprises urged to set mobile security policies

It has become critical for organizations to train employees around security best practices and the various methodologies used by cybercriminals, security experts say. This not only helps to minimise the growing risk of human error that’s allowing threats to bypass their complex and powerful security systems but also helps to protect their employees.

“Companies need to exert control over all devices which access corporate data, personal mobile phones included. There are increasing cases of ransomware making its way into corporate networks via mobile,” said Upstream’s Cleaves.

“Mobile malware is known to syphon personal data, which could be leveraged by bad actors for spear phishing attacks against corporations. Companies need to be mindful of this when selecting their corporate mobile network operator. Not all operators are equal when it comes to security,” Cleaves said.

Apart from employee awareness training, organizations should deploy proper security tools with behaviour-based and AI-based, anti-phishing capabilities. Such solutions warn you and, in some cases, prevent you from opening malicious websites and attachments, Mutune concluded.

Cybersecurity firms offer tips for mobile safety

Enterprise tech leaders can use common security tips from cybersecurity firms to help set policies and guidelines for employees, especially those who work remotely.

Upstream’s Secure-D suggests the following:

• Install applications only from trusted sources, like the Google Play Store. Read reviews of the apps before downloading, check developer details and requested permissions.
• Regularly review the list of installed apps on your mobile phone. Make sure you are aware of what’s on your phone, consider uninstalling apps that are not from trusted sources, and in particular, uncheck “install from unknown sources” on Android phones
• Keep OSes up to date. Upgrade regularly to ensure that the latest security fixes are in place
• Keep the number of apps on your phone to a minimum, or only what you absolutely need. This helps reduce the risk of especially older, out of date apps, being compromised.

On its part, Kaspersky offers the following tips:

• Create a strong password: Strong passwords reduce the risk of phones being compromised if they fall into the wrong hands.
• Be wary of text messages. Text messages are an easy target for mobile malware, so it’s advisable for users not to send sensitive data such as credit card details or important private information by text, Kaspersky says.
• Check your browser for the lock symbol. The lock icon in the browser’s address bar indicates that you are on a secure and reputable connection. In particular, check for this when entering personal data such as your address or payment information.