Work and personal lives continue to blend as many employees are working from home and social distancing. Mobile devices, specifically phones, are already a key part of our personal lives because they manage everything from our bank accounts and the contact information of loved ones to social media accounts. Now, mobile devices are following the current trend in blending work and personal lives as they are increasingly used to manage email, calendars and other work applications.
It may be no surprise that as their popularity rises, hackers will focus more on this asset. However, despite this threat rising, most institutions are not taking proactive steps to protect mobile devices which access their systems and data.
So, if you are considering adding or already have mobile devices connecting to your institution’s data, here are five steps you should take to secure these devices. Many mobile device management options are available that can be configured with these protections. If you use O365, these configuration options may already be included in your subscription or added at a minimal cost.
Mobile devices can easily be lost, stolen or confused, resulting in someone being able to open the phone and its contents without a challenge factor in place. Many users decide to do this to protect their personal data, so this step is really commonplace. All that remains is to make sure this step stays in place with a mobile device manager if your institution’s data is accessible by the device.
Devices can be modified to override some security features built into the iOS or Android operating system. This is called ‘jailbreaking’ in iOS or ‘rooting’ in Android devices. This makes the device more susceptible to attacks by more easily allowing the user to modify code or install software the device manufacturer would typically disallow.
This is a well-established best practice for servers, workstations and laptops, perhaps thanks to the publicity of vulnerabilities such as Heartbleed, WannaCry and NotPetya. Security updates are equally important for mobile devices and any other devices allowed to access institution data. Vulnerabilities allow attackers to access systems and data and/or install malware, and mobile devices are no exception to this rule.
We already discussed the propensity of mobile devices to be lost or stolen. Like any other security controls, authentication controls can be bypassed by a knowledgeable person or a person with a lot of time on their hands. So, the best step to take if a device is lost or stolen is to remove the data.
Many mobile device managers offer the ability to wipe only the institution’s data or the entire device. Wiping only the institution’s data is handy if a user has lost their device and just wants some time to find it or if you have someone leaving employment with the institution.
Users are at an increased risk of social engineering with mobile devices. While the principles are the same, the attacks can appear differently, such as with smishing, which is basically a phishing attempt sent through text (SMS). Also, users are typically in a hurry on mobile devices; for example, many users read emails as soon as they are received on the device. Therefore, they are less likely to think about the validity of the message and their response than on a laptop or desktop.
If you need help with your mobile device security strategy or have any questions, email us at support@bedelsecurity.com.