Mobile phones and devices have proved indispensable — they’re our calendars, our connection to the social world, and at times, our workstation. While this is great for the traveling salesman or the employee on the go, for IT departments, mobile devices constitute one collective security risk.
Think about it, your phone probably has a 4- to 6-digit passcode that allows full access into any and all the apps you have running. Do you communicate with your coworkers through a mobile app, like Slack? Do you have your work email connected to your phone?
If you’re nodding along in horror, don’t worry. Just because you and the rest of your company use mobile devices throughout your workday doesn’t mean that all your company’s data is currently being absorbed by some basement hackers. But, to ensure this is not even a remote possibility, let’s discuss mobile device management best practices.
Assess your mobile security
Seven Mobile Device Management Best Practices
If you’ve yet to put together a security strategy for the mobile devices being used in the workplace, consider these 7 MDM best practices to get your office up to security standards.
1. Mandatory Anti-Malware
Most people have heard of the terms malware, ransomware, computer virus, bug. But to those who don’t work in data security, encryption, or general IT, these words are more dramatic than they are functional. Bad, obviously. For companies, these terms should be treated like cancer to the body — to be eradicated immediately with powerful medicines.
The medicine, in this case, comes in the form of anti-malware software. To understand how these work and why they should be mandatory, let’s lay the foundation.
What is Malware?
A shorthand way of saying malicious software, malware is any program or process that is not supposed to be on the device and intends to do harm or something criminal. It’s the all-encompassing term that includes:
- Trojans – A Trojan — named after the Trojan Horse — is designed to look like an acceptable code. Once inside the system, it can scrape data, disrupt actions, damage other code, and otherwise harm your mobile device.
- Spyware – Spyware does what it sounds like it does. It can log what actions you perform on your device, track your web-browsing, and can even take control of the camera on your phone. Creepy, huh?
- Keyloggers – A more subtle version of Spyware, keyloggers track only the keys you press into your device. Seemingly harmless, the keylogger can note when a strange key combination is entered into the system. So, when you type in your password to your bank account, “X91Ghe4lGs,” it’s immediately flagged, recorded, and stolen.
- Bots – Bots are typically used to generate spam content on webpages and in email. While the success rate of being attacked by a bot is low, they proliferate and use the numbers game to their advantage.
- Ransomware – Perhaps the biggest reason why you should get anti-malware. Ransomware collects private data or takes over the functionality of programs and demands a ransom in exchange for the return of control.
The computer virus — malware’s earliest nickname — was an appropriate name for the early predecessors. The original propagators of these types of malware would set the bugged program to create more of itself, much like a virus, until it accomplished its goal. This goal was usually to crash a system, pay tribute to the hacker’s ability, or to propagate spam. Nothing nearly as harmful as the malware of today…
Anti-Malware Means Anti-Ransomware
Dealing with stolen personal data is one thing. Dealing with entire cities on digital lockdown is another. And that’s exactly what happened in Riviera Beach, a small Florida city.
Police were reportedly unable to log calls into their system. Businesses were having to run via checks. And plenty of data records were being held hostage for a ransom of $600,000, which was inevitably paid to regain control.
This isn’t an isolated event. Ransomware attacks have risen dramatically in the past. And although many governments and organizations don’t reveal how much they’ve paid in ransom — due to the embarrassment — it’s safe to say it’s racking up in dollar amounts. What’s more, if these attacks can take down cities, surely they can disrupt entire companies as well.
2. Use Data Encrypted Communication
From a software perspective, encryption is fairly straightforward. Using an internal algorithm, a program translates readable text and data into ciphertext or unreadable text. In communication programs, you can send the ciphertext to any other user in the network, and they will use the reverse algorithm to unencrypt the data.
This is known as symmetric encryption. There’s also asymmetric encryption, but to the end-user, it runs mostly the same. Users might not even know whether they’re using encrypted communication because the messaging system will appear normal.
Encryption is useful for the part of the communication you can’t see. When you click ‘Send Message,’ that data is traveling through various networks, up into space, back down to earth, through more networks, and finally to the other user’s phone. If any of these nodes along the path are compromised, the data you send will be at risk.
#3 Stay Informed of Mobile Phishing Attempts
Breaking one of the biggest myths about hacking and scamming, phishing is not limited to email only. Phishing can happen on your mobile device, and in fact, the rate at which people are succumbing to mobile phishing each year is rising by 85% consistently. It’s not hard to see why; new mobile phishing methods are becoming intricate and downright tricky.
Take this one, for example. You get a call from an unknown number; the voice recording starts immediately. It tells you that this is an automated message to let you know that your information has been compromised in a recent security breach; your social security number has been suspended until further notice.
In reality, you wouldn’t be called about your social security number being suspended; furthermore, your social security number can’t be suspended. But is this publicly known information? Not necessarily. Staying informed of mobile phishing attempts can help you better protect yourself and your company from revealing sensitive information.
- Don’t field calls from unknown numbers; if this isn’t possible with your work, use caller ID programs.
- Don’t click on website URLs that seem suspicious.
- Never offer information over SMS, call, or email that regards security or personal information.
#4 Don’t Wait on Those Annoying Software Updates
Would you like to install your software update now or later? Later! Always later, until one day when the phone is being a distraction, it finally gets the update it deserves.
Pew Research Center investigated people’s connection with cybersecurity and found some troubling information to those who understand the importance of protecting one’s data. For example, 14% of people never update their smartphone operating system. And what is the number one reason why software updates happen? Security reasons.
Want more troubling news? No? Well here it is anyway:
- Another 42% of people update their smartphone’s operating system when it is deemed convenient. Everybody knows what that means. That little message pops up in the morning as you’re reading the news, and you hit Remind Me Later. This “convenience” metric doesn’t signify the length of time, but plenty of people will take months to update their system.
- Equifax took months to update their system. When the big Equifax data breach occurred in 2017, 143 million American’s data (more than a third of all Americans!) were compromised. The hole in security that allowed this to happen had a software update to fix it; it was known for 2 months before the data breach.
- 10% of people never update smartphone apps; 38% update when it’s convenient. Thankfully many apps update automatically. But for those that don’t, you can imagine each app as another tunnel entryway into the rest of your device’s information. And if you’ve ever paid for anything on that app — you just really needed to beat that level of Candy Crush — the information available can be crippling.
5. Self-Defense: Passcodes, Autolock, and More
In sports, they say that the best offense is a good defense. The same idea applies to security systems. Instead of waiting for data breaches to occur, ensure that your defenses are tight. Go above and beyond the standard device options.
- Passcodes – The four-digit passcode to unlock your phone is the minimum necessary. Using a 7-digit or more passcode increases the security a thousandfold.
- Passwords – Use alphanumeric passwords that include both capitalization and symbols. Make sure your passwords for each program is unique, unrelated to other passwords, and unrelated to personal information.
- Note about passwords – There are password managers that can automatically generate long and complex passwords for each site that you use, ensuring you have a secure network.
- Multi-Factor Authentication – Many programs allow for multi-factor authentication to log in and verify your identity. This could mean a security combination of your password and a text or email being sent to verify it’s you.
- Autolock – When your device is not in use, it should automatically lock to prevent anybody from being able to access your phone. You can set your phone to lock every time the screen goes to sleep or based on the time not using your phone. If you use a timed autolock, keep it short between 5 to 10 minutes.
- Failed login attempt – There are programs that, if someone tries to log in multiple times and fails, the program wipes the internal hard drive and erases all data. If you work with sensitive material, this should be an option you consider. There are also less harsh methods — 24-hour lockout, email notification, etc.
- If you use choose to wipe the internal hard drive after a certain number of failed attempts, be sure that you practice regular backup habits or utilize cloud technology.
#6 Audit Your Security Network
One of the primary responsibilities of the IT departments and security organizations is the regular auditing of security networks. It’s why banks and large government organizations will hire hackers to break their systems. Every time the hacker is successful, the hacker receives a paycheck and the bank gets to plug another hole. Win-win.
Some have deemed this “ethical hacking;” others have used a more formal term “penetration testing.”
Mobile Penetration Testing
This same scenario doesn’t only apply to high-stakes operations. Small and mid-size businesses can utilize penetration testing to audit their system informally. The same goes for mobile penetration testing.
The process at a glance is straightforward:
- Stage 1: Exploration – These ethical hackers will explore the application, program, or system on their own terms, finding potential ways to disrupt it. Often, this penetration testing will happen after a data breach — which means the tester will be trying to recount the steps of the original hacker.
- Stage 2: Analysis – Once the initial assessment and exploration are over, the tester will then run through the source code. Here they will be able to visualize and identify all possible access points available to third parties.
- Stage 3: Leveraging vulnerabilities – Once all access points have been identified, the tester will leverage these vulnerabilities and actually stage an attack. This will determine the depth of weakness and provide details into what damage could actually be done.
- Stage 4: Reassess and report – Now that a successful “hack” has been completed, the tester will report back their findings to the company.
- Stage 5: Strengthening infrastructure – To prevent further attacks, the holes are plugged, systems are reinforced, and the infrastructure receives an upgrade.
#7 Using Company Phones
One of the most difficult questions for a company is deciding whether to purchase company-wide phones for their employees. It makes sense for laptops, computers, or tablets, where the high-powered nature of a new company laptop can improve workflow and ensure everyone is on the same network. With mobile devices, however, there may be only one or two employees who don’t already have the latest technology.
There are benefits and downsides to issuing company phones:
- Pro – Increased security – IT departments and security companies will only have to secure one mobile system. What gets tricky is when there are 12 different phones on both Apple and Android that have to be taken into consideration.
- Con – Expensive option – Having company phones means a company-issued service plan as well. This can rack up expenses quickly.
- Pro – Compatibility – With everyone on the same network and hardware, there is no hassle finding programs and apps that are accessible to each member of the team.
- Con – Employees will need to carry two phones – Employees won’t stop carrying around their personal phones. This means they’re going to have two phones on them, which can be a nuisance.
Securing Your Company One Mobile Device at a Time
Mobile devices are not leaving the office any time soon. If anything, with the increased power of technology, phones are becoming larger parts of the office. With this comes the necessary security infrastructure to protect both the individual and the company at large.
If you want to perform mobile penetration testing and ensure that you have a security architecture that operates effectively, RSI Security can help.
Work From Home Cybersecurity Checklist
Review the best practices to keep your remote workforce safe and secure. Rest easy and give your clients the assurance they need that their information will be safe by implementing cybersecurity best practices as your employees work from home. Upon filling out this brief form you will receive the checklist via email.
Sources:
Forbes. Florida City Agrees To Astonishing $600,000 Ransom Payout (Updated). https://www.forbes.com/sites/kateoflahertyuk/2019/06/20/florida-city-agrees-to-astonishing-600000-ransom-payout/#479984a52ac6
Cyber Scoop. Phishing attacks against mobile devices rise 85 percent annually. https://www.cyberscoop.com/phishing-attacks-mobile-devices-lookout/
FTC. This is what a Social Security scam sounds like. https://www.consumer.ftc.gov/blog/2018/12/what-social-security-scam-sounds
Pew Research Center. Americans and Cybersecurity. https://www.pewinternet.org/2017/01/26/2-password-management-and-mobile-security/
Wired. Equifax Officially Has No Excuse. https://www.wired.com/story/equifax-breach-no-excuse/
Financial Post. Banks hire their own hackers to get ahead of criminal infiltrators. https://business.financialpost.com/news/fp-street/canadian-banks-look-to-in-house-hackers-to-improve-and-test-cybersecurity