Dublin Information Sec 2018: Secure your company smartphones to guard against data breaches
A little over a decade ago, the most popular mobile phone in use in businesses was the humble Nokia 6310i, famed for its near indestructibility and a battery life counted in days not hours.
Today, everyone has a powerful computer in their pocket with the capability to connect to the internet, access work and personal emails, to store files and images relating to friends, families, or customers. It will be impossible to do justice to all angles of this challenge in this article.
Article 32 of the General Data Protection Regulation (GDPR) restates some age old principles of information security. However, it is important for organisations of all sizes to have considered how they will prevent unauthorised access to or disclosure of data, how they will respond to such issues, and how they will meet their obligations to notify affected individuals and the Data Protection Commission in the event of a data security breach involving a mobile device.
Enable encryption on your devices and set a pass code
This is "entry-level" security and is the minimum anyone should be doing. Encryption is on by default on iOS devices but needs to be enabled on most Android devices through system settings. Combined with a passcode (and one longer than four digits where possible), you create a barrier to your phone being accessed by third parties. Use of fingerprint readers is increasingly popular, but it does raise challenges in the context of data privacy as it is a biometric identifier.
Check what data is being accessed and where data is being stored
It is a worthwhile exercise to regularly review the apps you have installed to verify what data they can access from or write to your device. If you find you have apps you simply are not using, it is worth deleting them so their access is revoked.
The proliferation of messaging apps in recent years has resulted in an increase in sharing of images or files through these tools. It's worth checking where these apps download their photos or files to and, if you don't want data saved to your device, adjust the settings accordingly.
Update your operating system regularly
Both Apple and Google frequently push out updates. However, Android update roll-outs depend on manufacturers. As of September 3, Fossbytes.com reported that more than 72pc of devices were not running the latest version of Android.
Compare this to iOS which, as of September 19, had 80.5pc of users on version 11 or higher.
Use a VPN
Whether you are using your mobile service provider's network or public wifi, a VPN client on your phone or mobile device is a useful security precaution to keep your data safe.
This is particularly the case if you are using public wifi or shared wifi networks to keep your data usage down on your bills. There are a range of good VPN clients out there for individuals and organisations. Freedome from F-Secure is one I use personally.
Enable Two Factor Authentication on your accounts
Devices are a gateway into your organisation's data and increasingly they are being targeted for phishing attacks, as the design of mobile email clients and messaging apps allows for email headers to be hidden and makes spoofed email addresses harder to spot.
The use of SMS and messaging apps as attack vectors make it easier for attackers to "personalise" attacks. According to research by Lookout, mobile phishing attempts have increased 85pc year on year since 2011. Research from security vendor Wandera found the average mobile user was 18 times more likely to encounter a phishing attack then a malware attack and were three times more likely to fall for phishing on mobile than desktop. Two-factor authentication creates an additional layer of security to prevent human fallibility exposing your organisation.
Put in place a device management policy and supporting tools
Be clear with staff what will happen if a device is lost or stolen. This is particularly important where the device is used for both work and personal life. Mobile device management tools can help with enforcing encryption and device locking/wiping policies. More advanced solutions can create a "walled garden" for work apps that can be controlled separately from the rest of the phone. As ever, GDPR and common sense require you to consider what is the appropriate level of security and controls for your organisation's data.
Staff leaving with data on devices
This is an often overlooked risk with mobile devices but is a very common challenge. Staff (or volunteers in a not-for-profit organisation) need to be aware that the personal data they are given in the course of their role with your organisation is given to them for specific purposes and is not their data to take when they leave.
Unless the data is very clearly given in a personal context, any use of that data by the former staff member or contractor could constitute a breach of Section 144 or Section 145 of the Data Protection Act 2018. In any event, it would constitute a breach under GDPR. Have clear policies and procedures around deletion of data and recovery of data on personal or devices of former staff. In conclusion, treat devices as the small computers they are, and remember they are often a key gateway into your organisation for staff and malicious actors alike.
Daragh O'Brien, founder of Castlebridge, is a speaker at Dublin Information Sec 2018, Ireland's Cyber Security Conference.
The conference is an Independent News & Media event. For tickets and more information see independent.ie/infosec18
Sunday Indo Business