Do secure your smartphones
Smartphone use has been proliferating but security is lagging behind, argues Ian Kilpatrick
Smartphones are increasing in uptake throughout the business world – not just with senior executives but with employees at all levels. Where staff used to carry laptops outside the office, they now carry smartphones.
Smartphones raise key security issues that many organisations have either not fully understood or not fully addressed.
The biggest danger is a smartphone going missing. Many of us will have lost a mobile phone in the past, or know someone who has. If the phone is lost, sensitive corporate and personal data stored on it may be exposed.
If the phone is connected via a VPN, company networks are exposed to malware or hacking, so organisations need to factor smartphone use into their security policies and make sure they are managed centrally.
In addition, these devices cross the divide between voice and data, so companies using them are stepping into the realm of convergence, perhaps without planning for it. Smartphones are at the cutting edge of fixed and mobile convergence, where users are only rarely required to connect over secure VPNs and even less often required to use secure authentication to connect to the network.
Fixed and mobile convergence creates other security and financial threats. Unsecured access to PBX systems (traditional and IP) exposes an organisation to an increased risk of toll fraud, DoS attacks, back-door attacks on the data network, call recording and the like.
There are a number of basic security procedures that organisations and individuals can adopt:
- Use the PIN or passcode function to secure the phone. Don't rely on the default factory settings.
- Employ data-wiping functionality so critical information can be destroyed if it's believed the phone has fallen into the wrong hands. This might happen if, for example, a password is entered incorrectly a certain number of times.
- Implement 'time-out' policies to prevent further use if the phone has been inactive for a certain period of time. This should be initiated from a central management console.
- Use GPS tracking to help find the phone if it is stolen.
- Enable SIM watch, which reports the new number back to you if the SIM is removed and replaced.
Generally, you can use similar data leakage protection measures to those used on a PC. In essence, treat the phone as if it were a PC. Users must beware of phishing emails, avoid following unknown links, avoid downloading anything suspect, recognise the risks of unsecured Wi-Fi connections and so on.
Stipulate that sensitive, critical information should only be made available to users of smartphones on a need-to-know basis.
Use two-factor authentication (with a challenge-response) to validate access to the smartphone. Do not forget to encrypt sensitive data wherever possible. And, of course, run antivirus software – commercial security offerings are available from a number of vendors.
There is often as much data on a smartphone as on a laptop, but the former is more vulnerable to loss or theft.
Ian Kilpatrick is chairman of Wick Hill Group