Threats to the business use of mobile devices are real and exist across all elements of the mobile ecosystem. According to the Department of Homeland Security (DHS), “the enhanced capabilities that mobile devices provide, the ubiquity and diversity of mobile applications, and the typical use of the devices outside the traditional network boundaries requires a security approach that differs substantially from the protections developed for desktop workstations.”
The term “mobile device” refers to smartphones and tablets running mobile operating systems like Google’s Android or Apple Corporation’s iOS. Mobile phones and the subclass of smartphones represent one of the greatest advances in human communication in history. Businesses and organizations are adopting mobile technology at an increasing rate compared with the historical adoption of other technologies. According to the Global System for Mobile Alliance (GSMA), by 2020 the adoption rate is expected to reach 5.6 billion, meaning that over 70 percent of the world’s population will have a mobile subscription.
Mobile devices are increasingly seen as an avenue to attack back-end systems containing sensitive business data whose compromise could adversely impact the operations, assets, or individuals of small organizations. Additionally, databases controlled by small organizations, in many cases, tend to hold tremendous amounts of personally identifiable information (PII) that could potentially be used to compromise the financial well-being, privacy, or identity of stakeholders.
Threats can range from advanced nation-state attacks (which are becoming common), to organized crime using advanced fraud technologies like malware and ransomware, to simple theft of mobile phones. The threats to business users of mobile devices include call interception and monitoring, user location tracking, attackers seeking financial gain through banking fraud, social engineering, ransomware, identity theft, or theft of the device, services, or any sensitive data. This puts at risk not just mobile device users, but also the carriers themselves and other infrastructure providers.
To combat these threats, there are five overlooked security measures businesses must have in place when using mobile devices:
1. Implement a mobile device policy
This is particularly important if your employees are using their own personal devices to access company e-mail and data. If that employee leaves, are you allowed to erase company data from their phone? If their phone is lost or stolen, are you permitted to remotely wipe the device – which would delete all of that employee’s photos, videos, texts, etc. – to ensure YOUR clients’ information isn’t compromised?
Further, if the data in your organization is highly sensitive, such as patient records, credit card information, financial information and the like, you may not be legally permitted to allow employees to access it on devices that are not secured, but that doesn’t mean an employee might not innocently “take work home.” If it’s a company-owned device, you need to detail what an employee can and cannot do with that device, including “rooting” or “jail-breaking” the device to circumvent security mechanisms you put in place.
2. Require STRONG passwords and pass-codes to lock mobile devices
Passwords should be at least 8 characters and contain lowercase and uppercase letters, symbols and at least one number. On a cell phone, requiring a pass-code to be entered will go a long way in preventing a stolen device from being compromised.
3. Require all mobile devices be encrypted
Encryption is the most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that unlocks (decrypts) the data.
4. Implement remote wipe software for lost or stolen devices
If you find a laptop was taken or a cell phone lost, remote “kill” or wipe software will allow you to disable the device and erase any and all sensitive data remotely.
5. Back up remote devices
If you implement step 4, you’ll need to have a backup of everything you’re erasing. To that end, make sure you are backing up all MOBILE devices including laptops so you can quickly restore the data.
While these five are a good start, many organizations that are heavily using mobile devices or are handling highly sensitive data such as credit card numbers, financial information, social security numbers or medical records need to be far more diligent about monitoring and securing all mobile devices.
For those of you who fit into that category, we have a special report that details several more security measures and strategies that you need to implement and know about that most IT firms don’t know or won’t tell you. For a free copy, simply call our office at 512-814-8044 or use our contact form.