(Please Note: Mobile devices for the purposes of this post are mobile phones, tablets and ultra-books. Yes, I have added ultra-books in there as they can be used like tablets).
I had a very interesting conversation with a financial firm during a sales call the other day. I asked one of the principal’s at the firm,
“What is your Bring Your Own Device (BYOD) policy?”
Here is the response I got - “Well, we take cybersecurity very seriously at this firm,” he said.
“We don’t allow anyone to use laptops, tablets or any mobile devices for work around here.” he added.
Yes, he said laptops as well. In other words, this firm only allows the use of desktop computers. And, believe me this was not the first call I had taken where I had heard similar comments.
In fact, another prospective client of mine added:
“we don’t trust the cloud, laptops or any of these cell phone devices with our data.”
And, I thought to myself, "WOW, you folks are absolutely right!” but on the other hand, this kind of abstinence must require a lot of discipline. A type of discipline that can only be compared to that of Tibetan monks who stay away from all the temptations that the rest of us common folk can’t do without. PLEASE NOTE: All this is coming from a person (me) who cannot stay away from his phone for more than hour.
A number of “dumbfounded questions" were racing through my head at this point. Starting with:
Why on earth would you restrict your employees from embracing all the conveniences mobile devices have to offer, why??? For instance, anywhere, anytime access to your data; work from a coffee shop; text messaging so you don’t have to talk to annoying customers and the list goes on…
You mean you never access email on your phone?
How do you enforce this policy on your employee’s devices? How do you know, if they have cheated?
I am sure that I am not in the minority when I get this strange feeling of emptiness after being away from my phone for over an hour. I think it’s pretty safe to say that a good portion of the “free world” uses mobile devices for both work as well as personal use. So, the question is how do you practice good cyber safety on your mobile devices? Furthermore, how do you make sure that the personal use of your mobile device does NOT affect your corporate data and applications?
Here are 12 simple ways to protect your mobile devices
Passcode is a must - For starters, please use that 4 digit pin code for your mobile devices. If you accidentally leave your mobile device somewhere, you have created some complexity for those prying eyes. Most of the recent mobile devices support biometrics or fingerprint access. So, making sure that the touchID is enabled would be a fantastic idea.
Self-destruct after 10 try’s - After multiple failed attempts to enter the login credentials, you must have the device set to auto-delete all the data. This can be scary but trust me a life saver if someone is trying to hack into your mobile device (and hopefully not your 2 year old kid). And, 5 try’s is too little!
Encrypt your devices - Enable encryption of data on a mobile device. In case of the iOS devices, this is already enabled by default. However, if you have a jail broken iPhone or an android device, you will need to ensure that the device is set in a mode so that the data is encrypted. This goes for laptops as well.
VPN is a good idea - Check to see if the phone has ever accessed a non-secure Wi-Fi network. Ideally, you should use a Virtual Private Network (VPN) service for accessing the internet. Especially, if your mobile phone remembers the Wi-Fi at the local coffee shop and you continue to transact business over that connection without ever checking to see if it’s WPA2 secure. Good idea to look into software solutions out there that can detect a non-secure Wi-Fi connection and automatically start a VPN session (contact me, if you want some ideas here)
App inventory check - Inventory of all apps installed on the mobile device is an important item to look at. The reason being you want to maintain a white list of authorized apps on your mobile device for your firm. You don’t want unauthorized use of ‘black listed’ apps in your corporate network. You should be auditing this periodically - monthly, if not weekly. Check to see if Dropbox, Box or any other type of file share app is being used. The reason being these could be conduit’s for any malicious activity or malware. Pay close attention to what apps have access to your data on your mobile devices. For example, some mobile apps will request permission to see your photos or your phone contacts. Make sure you are careful and selective about which apps have access to what data.
Remote Wipe - Remote wipe capability needs to be enabled on your mobile devices. So, make sure that the “FindMyPhone” function is enabled on your mobile device. If your mobile device gets lost or is stolen, this can be a life saver. Keep in mind this function will only work when the mobile is turned on and register’s with the network. So, make sure to enable the feature that says, wipe immediately upon network registration.
No cameras, please - This may seem extreme but a lot of firms want to shut down the use of a mobile device camera as long as they are within their corporate network. This may be a good idea particularly if you are worried that employees might be taking photos of data or scanning docs using their mobile devices for personal use.
Device backup - Make sure your mobile device is backed up from time to time - weekly, if not daily. Enable alerts to the user and system administrator, if this has not been done.
Screen-lock enabled- Screen lock settings need to be set-up so that it prompts you to re-login after a set amount of time. Preferably, 2 mins in case of a phone and 15 mins in case of a laptop-type device.
Latest OS updates - This goes for any device but especially mobile devices. Make sure that you are up-to-date with the latest software. Besides cybersecurity, it might improve the performance of the device as well. From time to time, OS updates contain bug fixes, performance improvements and security updates.
Check your phone logs - Ideally you have a way to log when your mobile device was actually used. Check the phone activity log from time to time to make sure that there isn’t anything amiss here. You can do that directly in the phone or from your monthly billing statements.
Bluetooth connections - More recently, a number of hackings have occurred using bluetooth connections. So, check to ensure that the bluetooth connections or pairings from your mobile devices are with legitimate peripheral devices. If you don’t recognize one of the devices on your bluetooth connection log, feel free to delete it from the list permanently.
There are a number of solutions available in the marketplace to help you keep your mobile devices safe. However, depending on your line of work, make sure that the solution you choose can balance between features/functionality, cost and regulatory requirements of the industry you are in. You don’t want to spend thousand’s of dollars on a solution that looks great on paper but is not tailored to your industry.