Organisations need to look beyond their office infrastructure if they are going to secure their data.
In this extract from his book on Cyber Security aimed at non-technical executives, TEISS head of consulting Jeremy Swinfen Green explains how organisations can keep their data safe, even when employees take it outside the office on personal devices.
Keeping mobile phones safe
It sounds obvious but the first place to start is to keep mobile devices physically secure. A mobile phone can be worth well over £100 to a thief. So think of your mobile phone as money and take basic care of it. Don’t leave your phone on display on café tables where people pass by. And avoid using it in the street for finding directions, unless it is kept close to your body: always be aware of the people around you when using a mobile device.
Securing data on mobile phones
If your mobile device is stolen you should be confident that the information on it is secure. It is a good idea to assume that it will be stolen and take precautions accordingly. This can involve the following ideas: which ones you choose to follow will depend on your appetite for risk.
Use anti-virus and firewall software for mobile devices and keep it up to date.
Most mobile phones have two levels of protection: device encryption and a lock screen. Use both of these protections: the intention is not to make the phone unbreakable but simply to make it hard to break and give you time, once you have discovered its loss (which is likely to be quickly as most people keep their mobile phone on them all the time) to call your telco and stop the phone from being used.
Use a strong lock screen code such as a password; it is probably best to avoid using a finger swipe pattern such as an “X” as people can sometimes detect these through grease patterns on the screen. Instead use a PIN of at least eight non-obvious numbers (i.e. not 111111 or 12345678) or better still an eight-character password containing letters and numbers. Do remember that you will need to use the password quite frequently so you will need to balance security with convenience.
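The advice above (at least eight digits, nothing obvious like 111111 or 12345678, or a mixed letter-and-digit password) can be turned into a simple policy check that an organisation applies before accepting a lock code. The following is an added example, not code from the book; the rejected patterns (single repeated digit, ascending or descending runs, a short block repeated) are the author's examples generalised, and the minimum length of eight is taken from the text.

```python
"""Lock-screen code checker: flags the weak patterns the text warns against.

Added example; the policy (8+ characters, no obvious digit patterns,
passwords must mix letters and digits) follows the book's advice.
"""
import re

MIN_LENGTH = 8


def is_sequential(digits: str) -> bool:
    """True if every digit steps by exactly +1 or -1 from the previous one
    (12345678, 98765432); such codes are easy to guess."""
    if len(digits) < 2:
        return False
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return steps == {1} or steps == {-1}


def is_repeated_block(digits: str) -> bool:
    """True if the code is a short block written twice (12341234)."""
    half = len(digits) // 2
    return len(digits) % 2 == 0 and half > 0 and digits[:half] * 2 == digits


def check_lock_code(code: str) -> list[str]:
    """Return the policy problems found; an empty list means the code is acceptable."""
    problems = []
    if len(code) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if code.isdigit():
        # Numeric PIN: reject the "obvious" shapes named in the text.
        if len(set(code)) == 1:
            problems.append("single repeated digit")
        elif is_sequential(code):
            problems.append("sequential digits")
        elif is_repeated_block(code):
            problems.append("repeated block")
    else:
        # Alphanumeric password: the text asks for letters AND numbers.
        if not (re.search(r"[A-Za-z]", code) and re.search(r"\d", code)):
            problems.append("password should mix letters and digits")
    return problems


if __name__ == "__main__":
    for candidate in ["111111", "12345678", "12341234", "29471605", "abcdefgh", "t7k2pq9x"]:
        verdict = check_lock_code(candidate) or ["ok"]
        print(f"{candidate}: {', '.join(verdict)}")
```

The check is deliberately conservative: it only rejects the shapes the text names, so it is a floor, not a substitute for the device's own rate limiting or wipe-after-failures setting.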
Ensure the device as a whole is encrypted so that people cannot get access to it if it is stolen. You should switch off the device completely if it is not being used for a period of time while travelling (if the device hasn’t been switched off when it is stolen then people may just need to break through the lock screen).
Never store critically important information, such as lists of customer details, on a mobile phone or other mobile device.
Ensure any critically important or confidential information stored on a mobile phone is well encrypted with a strong password. Be aware of the practical implications of encrypting data on mobile phones. Some encrypted files may be impossible to open on some devices using certain apps. For instance on my Android phone, encrypted Microsoft Office Word files cannot be opened using the QuickOffice app that allows me to edit them; they can be opened using the Polaris Viewer app – and that doesn’t allow me to edit them. If that’s a problem – and if you don’t want to risk the data leaking – you may have to accept that saving the file to a phone may not be the best solution: you may need a laptop instead.
Avoid automated data back-up on mobile phones; ensure this option is unselected in the device’s settings.
Make sure your device doesn’t store passwords to your accounts, so that a thief doesn’t get logged in without needing a password. Make sure you actively log out of all your accounts when you finish using them – and employ two-factor authentication to log in (you can switch this off for “safe” devices such as your home and office computer so that it only protects mobile devices).
Disable wi-fi and Bluetooth when they are not in use on your phone. These can be ways in to your phone. And take care with public wi-fi: ideally you should avoid it but if you need to then only use encrypted wi-fi that needs an access code (see the section on public wi-fi below).
Be circumspect about what you look at using your mobile devices as it may well not be as well protected as your corporate IT network. For instance avoid accessing websites via QR codes – they may be fraudulent and you can’t read their address before you go there. Avoid downloading apps from risky places such as little known websites (even if they are cool): stick to standard stores like Google Play and Apple iTunes where there is a greater degree of protection.
You may also choose to use a phone tracking app on your mobile devices: you might even be able to get it back if you are lucky. Don’t rely on it though as they can be circumvented relatively easily.
What to do if your phone is lost or stolen
If you do lose your phone then you will need to get in touch with your telecoms provider, who should be able to deactivate the SIM or even the phone to stop illegal voice and data calls being made. Again it sounds obvious but you should do this as soon as possible: huge bills can be (and are) racked up by people who fail to tell their telecoms provider about lost mobile phones. In October 2014 a teacher who failed to tell Vodafone for 4 days about a phone lost in Spain was presented with a £15,000 bill.
Keep a note of the phone’s IMEI number. Get this by dialling *#06# on your phone. It will help your telecoms provider to immobilise your phone should it be stolen.
In addition to telling your telecoms provider, you should also tell your IT manager as they may be able to detect and prevent unauthorised incursions into the corporate IT system via the lost device.
And finally, do remember that your passwords may have been compromised, especially if you allow automatic access to things like email and Twitter. Even if the thief can’t see the password, if they are logged into your account they can change it, locking you out of your accounts. So it is a good idea to change any passwords you feel may be at risk as soon as possible.
Remote locking and data wiping
Require the use of a strong password to secure personal devices that have access to corporate data. Instruct BYOD owners to install an app that will lock the device if the incorrect password is input too many times or if it is inactive for a period of time.
If sensitive documents, such as work emails, are stored on a mobile phone then it is also sensible to consider installing some form of data wiping application. These work in two ways: either by wiping data if an incorrect password is input too many times; or by allowing the owner to go online to a website where the instruction to wipe the data can be given. Consider making this obligatory for people who access and store work information on their mobile phone. This can often be achieved on a phone-by-phone basis, depending on the manufacturer. Or you can use Mobile Device Management software that will allow remote wiping and locking of personal devices from a central control point.
Using the internet
Don’t assume that using the internet on a mobile device is as safe as it is when you are using a laptop. Take basic precautions about what you access.
Make sure your mobile device has adequate and up to date security protection (a firewall and virus checker) from a reputable company; this should be an obligation for anyone using a mobile device for work purposes.
If you are going to use public wi-fi for shopping then make sure that any site you use has “https” (not “http”) at the start of the address. This means it is more likely to be a secure and encrypted site.
If your mobile phone browser warns you that a site has an untrusted security certificate then don’t connect to it.
Take care when clicking on adverts or text links. Depending on the device you are using, and unlike with a laptop, it may be impossible to see where the link is leading to. Given the rise in malvertising, and the fact that many mobile devices are less well protected from malvertising than laptops and desktop computers, you may be putting yourself at extra risk.
Using public wi-fi
Even if you take care to hold on to your mobile devices, the information on them will be at risk whenever you are outside your home or the office. You can put it at risk by using public wi-fi services to connect to the internet. It is true that these risks can be hard to manage, but they are impossible to manage if you are unaware of them.
Take care when using public wi-fi (e.g. in coffee shops, hotels and at conferences) and don’t assume it is secure: there may be a hacker at the next desk to you (a “man in the middle”) who is happily siphoning off all your data. Here are some tips for keeping safe:
- Never use public wi-fi for sensitive tasks like banking or accessing your corporate network
- Sign up for a reputable VPN service: this will act as a barrier between you and the public wi-fi, adding a layer of extra security
- Turn off wi-fi on your mobile device when not using it: if you don’t, your phone may connect automatically to a wi-fi service exposing you to risk
- If you are planning to use public wi-fi, check out the name first. Your mobile device will be able to show you a list of wi-fi hot spots available: you need to select a hot spot you can trust. Increasingly criminals are setting up their own wi-fi services that mimic public wi-fi by using credible names or words like “Free Wi-fi”. If you are in a venue of some sort, a café, shop or conference, the official wi-fi will have a name: if you don’t know what it is, ask. And if you are using public wi-fi such as BT’s wi-fi service make sure you know exactly how it should appear on your mobile: according to BT’s website you should see “BT Wi-fi”, “BT Openzone” or “BT FON” so if you see something like “Free BT Wi-fi” you should avoid it
- Instead of public wi-fi, use your mobile telco’s 3G or 4G data connection. Or simply wait until you get in range of a wi-fi service you trust (your home or office network)
Fake wi-fi services
Fake wi-fi services are sometimes known as “evil twin” attacks because people will often use a credible name related to the location they are in to fool people into thinking that the wi-fi service is genuine.
Protection is possible. Don’t use public wi-fi. If you do, first check that you are using the official service by asking the venue owner what the name of the wi-fi is. And when you go ahead, do so using the protection of a mobile VPN service (not expensive). This last point is very important as phones often connect automatically to available wi-fi services (which may be malicious): asking people to remember to turn wi-fi off all the time they are out of the office or home environment is fairly pointless as they are likely to forget, and a VPN service will provide some protection when they do forget.
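The “check the name first” advice in the public wi-fi tips and the evil twin description above amount to a small vetting rule: a scanned network name is only trustworthy if it matches, exactly, a name the venue or provider has published. The following is an added example, not code from the book, showing that rule applied to a list of scanned names; the official names are taken from the text’s BT example plus one hypothetical conference network (“ConfCentre-Guest”), and the scanned list is constructed. It generalises the text slightly by treating any name that merely contains a trusted brand word (such as “Free BT Wi-fi”) as a lookalike rather than simply as unknown.

```python
"""Vet scanned wi-fi network names against a venue's official list.

Added example, not from the book. OFFICIAL_SSIDS mixes the text's BT names
with a hypothetical conference network; the scanned names are constructed.
"""
import re

OFFICIAL_SSIDS = ["BT Wi-fi", "BT Openzone", "BT FON", "ConfCentre-Guest"]


def normalise(ssid: str) -> str:
    """Lower-case and drop spaces, hyphens and underscores so that
    'BT Wi-fi', 'bt-wifi' and 'BT_WIFI' all compare equal."""
    return re.sub(r"[\s\-_]", "", ssid).lower()


def brand_tokens(official: list[str]) -> set[str]:
    """First word of each official name ('BT', 'ConfCentre'): the part an
    evil twin is most likely to reuse to look credible."""
    return {normalise(re.split(r"[^A-Za-z0-9]+", name)[0]) for name in official}


def classify_ssid(ssid: str, official: list[str] = OFFICIAL_SSIDS) -> str:
    """Return 'official', 'lookalike' or 'unknown' for one scanned network name."""
    name = normalise(ssid)
    if name in {normalise(o) for o in official}:
        return "official"
    # Contains a trusted brand word but is not an exact official name:
    # this is the "Free BT Wi-fi" pattern the text warns about.
    if any(token in name for token in brand_tokens(official)):
        return "lookalike"
    return "unknown"


def vet_scan(scanned: list[str], official: list[str] = OFFICIAL_SSIDS) -> dict[str, list[str]]:
    """Group a scan result into the three classes; only 'official' should be joined."""
    groups: dict[str, list[str]] = {"official": [], "lookalike": [], "unknown": []}
    for ssid in scanned:
        groups[classify_ssid(ssid, official)].append(ssid)
    return groups


if __name__ == "__main__":
    # Constructed scan result, as a phone's wi-fi picker might show it.
    scan = ["BT Wi-fi", "Free BT Wi-fi", "bt-openzone", "ConfCentre Guest",
            "Conf_Centre Free", "CoffeeShop_Guest"]
    for group, names in vet_scan(scan).items():
        print(f"{group}: {names}")
```

Short brand tokens such as “BT” will occasionally flag an innocent name that happens to contain those letters; that is the safe direction to err in, since a lookalike verdict only means “ask the venue before joining”.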
There are some other things you should consider to keep information safe on mobile devices.
Require separate access credentials for personal devices and work based desktop computers. Limit the access that personal devices can have to those parts of the network their owners need to do their jobs when working remotely.
Instruct device owners that if personal devices that are used for work purposes break or become obsolete they need to be returned to the IT department for data cleaning before being repaired or disposed of. This should be written into your BYOD User Agreement (see chapter 7).
Make sure you back up any data that you have created on the mobile device (such as photographs or other documents): you don’t want them lost along with your device.
Protecting mobile data storage
As well as their mobile phones, laptops and tablets, people who are working outside their normal office may have portable data stores such as CDs and USB sticks. These also need to be protected. There is less you can do (and less you need to do as these devices have much less functionality than a mobile phone) but you do need to ensure that any sensitive data on them is encrypted appropriately.
Portable storage devices can be very useful however as they can be used to keep sensitive data separate from laptops or phones. A small USB stick or a small CD will be unobtrusive and of little value and therefore unlikely to catch a thief’s attention.