Recent data breaches affecting both the iPhone and Android operating systems highlight the need for businesses to pay attention to mobile device data security.
Whether or not you’re giving your employees cell phones to use for work (or have a Bring Your Own Device (BYOD) policy), it’s likely that you have employees using their cell phones or tablets to access company information (like email and sensitive line-of-business applications).
And this could present a problem if not managed correctly. Phone hacking is becoming increasingly common, with two major phone data security breaches recently:
You may have heard about the recent “Stagefright” vulnerability on Google’s Android operating system. If you haven't, here is the gist: Using a specific type of text message, hackers could send a text to your Android phone that gives them complete control over your device. They can read your email, siphon data out of your apps (like Dropbox), access your photos, and even turn on your microphone or camera without your knowledge. Since they control your phone, they could even delete the text they sent to get access to your device, so you would never even know.
Google put out a patch to fix the issue quickly, but it was up to the carriers (like Verizon) to make the patch available. If you have employees with Android devices, it’s critical that their phones are updated with the patch – otherwise you may be leaving your company data open for the taking.
More than 225,000 iPhone users had their phones compromised in a recent hack. This particular hack only affected “jailbroken” phones (phones that have been modified to bypass Apple security – typically to download apps outside of the App Store), so if your company distributed new iPhones (or refurbished iPhones you’re sure aren’t jailbroken) to your employees, you’re probably safe.
If you have a BYOD policy for phones, however, you may have a problem on your hands if any of your employees have a jailbroken phone and access company data from their phones.
Mobile Device Security
We are absolutely not advocating taking phones away from employees or not letting employees access company data from their smartphones. Quite the opposite – we’re strong believers in the Cloud and being able to work from any place and any device. Office 365, Google Apps and other cloud-based systems have made that a reality for many companies, saving them time and money and boosting productivity.
But if your company doesn’t already have a mobile device policy in place, it’s time to get one. If your company has a mobile device policy in place but doesn’t really enforce it, or if your employees don’t know about it, it’s time to remedy that. Make sure your team members know what is and isn't acceptable to do with company data. The biggest threat to your company ultimately isn’t malicious outsiders – it’s your employees.
All it takes is one employee clicking on a bad link in an email or accessing company data from a jailbroken phone that’s been compromised for their device (and potentially your whole company) to be affected. If you’re in an industry dealing with sensitive client data, this can be especially devastating.
Implementing and enforcing a mobile device policy that includes data security best practices can go a long way to mitigating that. Here are a few to get you started:
- Use a passcode on your phone
- Store all passwords in an encrypted password vault (like LastPass or 1Password)
- Devices must not be “jailbroken” or modified in a way to bypass security features or gain access to information not intended for the user to access.
- Keep your phone updated with the latest security patches and do not connect it to any computer that isn’t using updated malware detectors.
A mobile device policy isn’t necessarily going to protect you 100% of the time (unfortunately, there is no 100% guarantee when it comes to data security of any kind, mobile or otherwise). But a strong policy, tailored to your company’s needs (and actually enforced!), along with a well-educated workforce will go a long way to mitigating your risks.