BlackBerry used to be the go-to phone for professionals. However, with the rise of smartphones, more companies are turning to them as the new corporate standard. Many have implemented a bring your own device (BYOD) policy. Others, in an effort to separate personal and business use, provide company smartphones. While convenient for employees, smartphones were not entirely designed with business in mind, and therefore tend to be insecure. The question on many people’s minds, including those making decisions at companies, is: how safe are smartphones?
To date, there are around two billion smartphones worldwide. As market penetration increases, so too does the number of criminals interested in hacking these devices. It’s no surprise, considering smartphones now store large amounts of personal and corporate data. One of the most popular methods hackers use is to attach malware to apps. Depending on the type of malware, the hackers can gain access to almost everything on your phone from the camera to contacts and even emails.
There’s also the issue of how smartphones transmit data across networks. According to Jeremy Gillula, EFF Staff Technologist, cellular communication is incredibly insecure, especially on older networks. Although both Apple and Google release security updates to close any potential loopholes, it’s almost impossible to stop them all.
While all of these precautions might seem unnecessary to some employees, they are meant to keep corporate information, such as confidential emails and documents, safe. Even items you might not consider sensitive, like the loose meeting schedule of a low-level executive, could be of interest to potential competitors or hackers. When coupled with malware that automatically turns on the camera’s video function, these cybercriminals could record very confidential business meetings.
While smartphones might be relatively new to the corporate scene, IT professionals can use their current laptop security policies as a baseline for smartphone policy. Of course, it comes with its own set of challenges and requires faster implementation. In order to come up with a workable corporate smartphone policy, businesses must first look at potential attack vectors before developing effective rules and safeguards. For example, requiring an alphanumeric password could be problematic for smartphones without a QWERTY keyboard. With that said, there are some basic guidelines businesses should follow when implementing a smartphone program:
- Require PIN/password protection to progress beyond the lock screen. As simple as this might sound, it’s an excellent prevention method should employees leave their phone unattended.
- Allow for remote erasure of sensitive data if a company phone is lost or stolen, or perhaps when a user has entered too many incorrect passwords.
- Fully encrypt data stored on phones. Although it may reduce performance and battery life, it makes data unreadable even if it somehow ends up in the wrong hands.
- Install mobile security software to protect against viruses and malware. While these products might not be as mature as desktop versions, they do help filter out the more common viruses and malware.
- Educate users on secure smartphone practices such as turning off applications, Bluetooth, Wi-Fi, and GPS when not in use.
- Require employees to access the company’s network via a mobile VPN service when traveling and using unsecured WiFi. Public WiFi, while convenient, opens smartphones up to attacks. A VPN service encrypts data sent over the network for an additional layer of protection.
- Implement a backup system so users can access their data if they do lose their phone. However, it’s important to emphasize that losing a phone still results in a potential data breach for the company, not just an inconvenience.
It’s no secret companies have the ability to monitor an employee’s emails and web searches on the corporate network. Now that smartphones have entered the picture, companies have adopted new policies to include smartphone usage and monitoring. Many employees view this as a breach of privacy, especially with BYOD offices. With that said, these monitoring services do not give employers full access to information on a smartphone, even those they provide. So what data can they view?
- Emails sent through the corporate account
- Web searches
- Names of all installed apps
- Corporate data
- Operating system version
- Battery level
- Phone number
- Storage use
This kind of information gives businesses enough detail to see where, why, and how data breaches may have occurred and then rectify the situation. For example, IT could send out emails to those who have not yet installed an OS update that fixes certain security vulnerabilities. The ability to see app names on devices also allows them to blacklist certain ones that could access sensitive data. While monitoring might seem like overkill, its main use is to ensure any potential hacking attempts are either nipped in the bud or caught early to protect company and employee information.
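The check described above, sketched as an added example (not from the original article): it flags devices whose reported OS version is below a minimum or that list a blacklisted app, and also checks the PIN and encryption guidelines from the earlier list. The field names, policy values, app names and inventory records are all constructed assumptions, not any real monitoring product's format.

```python
MIN_OS = {"ios": "17.2", "android": "14"}  # assumed minimum patched versions
BLOCKED_APPS = {"examplefileshare", "examplekeyboard"}  # constructed app names

def parse_version(text):
    """Turn '17.2.1' into (17, 2, 1); return None unless it is dotted digits."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)

def is_older(reported, minimum):
    """Numeric comparison, so '17.10' counts as newer than '17.2'."""
    r, m = parse_version(reported), parse_version(minimum)
    if r is None or m is None:
        return True  # unreadable version: fail closed and flag the device
    width = max(len(r), len(m))
    return r + (0,) * (width - len(r)) < m + (0,) * (width - len(m))

def findings(device):
    """Policy findings for one inventory record (empty list means compliant)."""
    out = []
    minimum = MIN_OS.get(device["platform"])
    if minimum is None:
        out.append("unsupported platform")
    elif is_older(device["os_version"], minimum):
        out.append(f"OS version {device['os_version']!r} does not meet minimum {minimum}")
    blocked = sorted(a for a in device["apps"] if a.lower() in BLOCKED_APPS)
    if blocked:
        out.append("blocked apps: " + ", ".join(blocked))
    if not device.get("passcode_set", False):
        out.append("no PIN/password")
    if not device.get("encrypted", False):
        out.append("storage not encrypted")
    return out

def audit(inventory):
    """Map owner -> findings, listing only devices that need follow-up."""
    report = {d["owner"]: findings(d) for d in inventory}
    return {owner: f for owner, f in report.items() if f}

INVENTORY = [  # constructed sample records
    {"owner": "a.lee", "platform": "ios", "os_version": "17.10", "apps": ["Mail"], "passcode_set": True, "encrypted": True},
    {"owner": "b.ortiz", "platform": "android", "os_version": "13", "apps": ["Mail", "ExampleFileShare"], "passcode_set": True, "encrypted": True},
    {"owner": "c.kim", "platform": "ios", "os_version": "17.2.1", "apps": [], "passcode_set": False, "encrypted": True},
    {"owner": "d.rao", "platform": "android", "os_version": "unknown", "apps": ["Mail"], "passcode_set": True, "encrypted": False},
]

if __name__ == "__main__":
    for owner, issues in audit(INVENTORY).items():
        print(owner, issues)
```

Comparing versions as number tuples rather than strings matters here: a plain string comparison would rank "17.10" below "17.2" and send an update reminder to a device that is already patched.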
As convenient as smartphones are, they also serve as a huge security risk for many large companies. It’s one of the reasons companies often implement rigid guidelines and may monitor usage.
What policies are in place to keep your company smartphone secure? Tell us in the comments below.
About the Author: Cassie Phillips is a freelance technology writer with a strong interest in security and privacy. She believes it is everyone’s responsibility to take necessary precautions in preventing data breaches, and that it can be easy with the right information.