Mobility Brings Security Risks
Smartphones and other mobile devices such as tablets are increasingly used like personal computers. Did you know that they require the same security—such as antivirus software and encryption—now standard in PCs? Yet most mobile devices have the same lack of security as your personal computer had twenty years ago.
Mobile technology has rapidly changed the way we live, work and communicate, but we can’t let convenience sacrifice security. The problem is highlighted in these key findings in a 2011 McAfee and Carnegie Mellon CyLab report, Mobile and Security: Dazzling Opportunities, Profound Challenges:
- Almost seven in 10 organizations are more reliant on mobile devices than they were 12 months ago.
- Sixty-three percent of devices on the network are also used for personal activities.
- Four in 10 organizations have had mobile devices lost or stolen and half of lost/stolen devices contain business critical data.
- More than a third of mobile device losses have had a financial impact on the organization.
- Fewer than half of device users back up their mobile data more frequently than on a weekly basis.
- About half of device users keep passwords, PIN codes or credit card details on their mobile devices.
- One in three users keep sensitive work-related information on their mobile devices.
- Ninety-five percent of organizations have policies in place in regard to mobile devices.
- Only one in three employees are very aware of their company’s mobile security policies.
Data that is stored and transmitted on mobile devices is at risk. As the value of data rises and mobile devices begin outselling PCs—as Morgan Stanley predicts will happen in 2012—the need for risk management and security measures becomes even greater. You may think it’s a no-brainer to say that the first and most important security measure is to make sure you don’t lose your mobile devices, but compare how people treat wallets as opposed to mobile devices; it would not be acceptable to lose a wallet as commonly as mobile devices are lost.
Your First Line of Defense
If you do lose your smartphone or other mobile device, how easy would it be for a stranger to find all the information stored on the device? Set your mobile device to lock, or time out, after a certain period of inactivity, requiring a password to get back in. You’ll want your password to be something hard for you to forget and easy to type since you’ll enter it frequently throughout the day, yet difficult for someone else to guess. Anything containing your name, information found on a driver’s license or a number as simple as “1234,” for example, is not a good password.
Your Second Line of Defense
Remote wipe, plus the password protection discussed previously, is the bare minimum protection recommended for mobile devices. Remote wipe means that if your smartphone or tablet is lost or stolen, you can remotely clear all of your data—including e-mail, contacts, texts, and documents—off of the handset, thus keeping that information out of the wrong hands. If your organization issues mobile devices, your policy should include immediate notification of the IT gurus so they can carry out this task. If you have a personal mobile device you want to protect, a simple internet search for “remote wipe” can lead you to more information.
Control apps
If your organization provides a smartphone or tablet for employees, you need to take control of apps, restricting their use and establishing a policy of mandatory notification if apps are added or removed. Browsing non-work sites or loading lots of non-essential apps increases the likelihood of introducing malware. The number of apps on mobile marketplaces contaminated with malware grew to 400 from 80 during the first half of 2011, according to a study by Lookout Mobile Security.
Be equally cautious with your personal mobile devices. When you install a third-party app, you grant it certain privileges. Those privileges may include access to your physical location, contact information (yours and that of others), or other personal data. Most of the time an app will be fine, but how do you know what its makers are doing with those privileges and your information? The short answer: You don’t. If you’re just trying to install a cool wallpaper, ask yourself why it needs access to your contacts and your location. Be judicious when granting permissions.
Mobile Business Sense
If you already provide smartphones or mobile devices for employees, or if you are considering doing so, following are some policies and procedures you should consider adopting. Make sure not only that you have a written mobile security policy in place, but that each employee has read and understands the policy.
- Require users to enable PIN/password protection on their phones.
- Require users to use the strongest PINs/passwords on their phones.
- Require users to encrypt data stored on their phones.
- Require users to install mobile security software on their phones to protect against viruses and malware.
- Educate users to turn off the applications that aren’t needed. This will not only reduce the attack surface, it will also increase battery life.
- Have users turn off Bluetooth, Wi-Fi, and GPS when not specifically in use.
- Have users connect to the corporate network through an SSL VPN.
- Consider deploying smartphone security, monitoring, and management software.
- Some smartphones can be configured to use your rights management system to prevent unauthorized persons from viewing data or to prevent authorized users from copying or forwarding it.
Common Sense Rules
Finally, anyone using a mobile device, whether company or personal property, should follow some common sense rules:
- Turn off GPS when not in use. Location services on mobile phones are increasingly popular, but having them turned on may mean people you don’t know can see where you are. This can lead to all sorts of issues, including revealing to criminals when you’re away from home.
- When surfing the web on your mobile using a Wi-Fi hotspot, follow the same rules as you would on a computer. Never use a ‘free’ hotspot that’s unsecured.
- Download anti-virus or anti-malware software for your mobile.
- If you plan to sell or recycle your mobile phone, ensure the memory is totally wiped. Go into the settings to carry out a Master Reset, which will delete all phone numbers, text messages and pictures.
- Beware of rogue apps designed to steal your personal details. Fraudsters often make them look like “free levels” of games or special offers.
- Remember that rogue apps can appear in legitimate app stores as well as at the end of links sent around via email or posted on websites and social networks. Read feedback before you download an app and if you’re unsure, check out the maker with a web search.
Technology is a powerful tool that should be utilized for the benefit of the employees and the organization, but only if we take time to recognize the risks and work diligently to avoid them. If you have questions or concerns about establishing a mobile security policy for your entity, contact your AMLJIA risk control specialist at 1-800-337-3682 for assistance.