Getting Smart about Smartphone Security
One-hundred and thirteen smartphones are stolen or lost every minute in the U.S.
One-hundred and thirteen smartphones are stolen or lost every minute in the U.S. How much data is that? How many patient files, Social Security numbers, business transactions, contact lists and accounts? How much litigation potentially faces an organization after the loss of one smartphone?
Now, before you run out of your office to confiscate everyone’s smartphone, securing mobile devices is not an insurmountable task. It requires some collaboration, education and some initiative, as well as the recognition that – at this point – keeping smartphones out of the workplace is near-impossible.
“Most commonly, organizations’ largest risk is losing control of their data,” says Justin Morehouse, Founder and Principal of GuidePoint Security, an Information Security Solutions firm. “Once an organization’s data is on the mobile device, it is subject to intentional or unintentional theft or misuse.”
Other considerations pop up when addressing BYOD (Bring Your Own Device) policies, instead of company-issued devices.
“The starting points are different, but the risks are the same,” says Rinaldi Rampen, Director of Security and Risk for LivingSocial, which is a deal-of-the-day website with more than 70 million members worldwide and 2,200 employees in the U.S., including 1,000 at-home or mobile office workers who use their own mobile devices. “Company-issued devices are easier to start with; you can issue pre-configured devices with built-in controls – a required five-character PIN, for example. A company phone also comes with a sense of additional responsibility for the employee: ‘It’s not my phone, so I should be more careful.’ But after that, the risks are fairly even,” he says.
Morehouse says that the main difference between BYOD and company-issued devices lies in control and standardization: “BYOD requires organizations to support a vast array of devices and operating systems. Those organizations succeeding with BYOD have limited their support to certain versions of iOS and Android, thus reducing the administrative burden associated with supporting each and every new device and OS update.”
Supporting a wide-range of devices makes implementing best practices difficult. Rather, he suggests that companies should pair reduced device support with strong policies and procedures.
According to Rampen, the user policy acts as almost an employee “contract” or sign-off on the uses of the phone. “It’s a manual, people-oriented process. It’s never just a tech issue,” he says. “Tech solutions are there for verification and enforcement, but your main risks come with the users, so that’s where your policies should start.”
“Think of your mobile device usage policy as the rules of engagement, especially where an employee’s personal data is concerned,” Morehouse adds. “In case of an incident, the company must have the right to perform investigations on personal devices.”
Companies should also clearly define what is and what is not personal data, including email, contacts and documents, he says. “Especially in a case where the company has to erase corporate data from a phone, the user should be aware that any co-mingled personal data could be lost.”
The classification of data is another area where companies need to be very specific. Morehouse recommends that companies refer back to their data classification program to determine what assets need protection and what compliance measures you are required to meet.
“Ask where your critical data sets are,” says Rampen. “Take Salesforce for example: Each end point or device should only have access to data from that person’s market. It’s easier to put controls in place from the system, not the device, so figure out an overarching system plan.”
One of the major keys in securing mobile devices compared to laptops or stationary computers lies in the mindset: “Identify your phone or tablet as the same thing as a laptop,” says Rampen. “They have access to the same things, so you should train end users to treat their phones like a company laptop.”
Similarly, transfer your organization’s laptop security best practices to smartphones: setting up passwords and PINs, and including ongoing education about infected applications and emails.
“Security awareness and education is always good – remind, teach and reteach your end users to be aware of how their personal actions can affect professional data on devices,” Rampen says.
A lost phone is one of the most concerning personal situations because users are so dependent on the information stored in their devices. It can take users hours or days to report a missing device, whether it was stolen or left in a cab, and there is no way easy way to guarantee that the data was not compromised, even if the device is located. Morehouse says, “Organizations should shrink the window of opportunity to take data from the device. Ideally, enterprises should implement a self-service portal where employees can locate their device, and then remotely suspend, lock or even wipe it. Your biggest ally and enemy when a device is lost is the battery. Without remote connectivity, the ability to issue a remote command to protect the device is useless. By enabling users to take action themselves, organizations can reduce the likelihood of device compromise.”
“The (smartphone security) space right now is very immature,” Morehouse says. “It’s an area that has not fully been addressed. All mobile device management solutions solve traditional IT problems, such as asset inventory, provisioning and access control, but few solutions address Information Security specific problems. However, we’re starting to see a more data-centric approach towards securing mobile devices with solutions driven primarily by Information Security requirements.”
At LivingSocial, Rampen is running a convergence shop, cross-training within logical and physical security: “There are lots of cyber components in physical security now, and there is a lot of physical compliance to consider in cyber security. You have to understand the compliance and regulations for both sides in order to protect yourself and your data.”
As the proliferation of smartphones collides with the expansion of global enterprises, a few issues were bound to occur, not the least of which being cyber espionage.
“It sounds like something out of a movie,” says Morehouse, “But it’s really happening.”
When persons of interest – typically executives of high-profile organizations – travel abroad, state or non-state actors may be interested in data that the executives carry with them on their phones. In a common scenario, a U.S. company is looking to acquire a Chinese company. U.S. executives travel to China to negotiate the terms of an acquisition, and one of their smartphones is compromised. A malicious actor could turn on the device’s microphone during a strategy meeting, thereby uncovering the company’s offers, plans and proposals, ultimately compromising the negotiation.
According to Morehouse, there are 12 high-risk areas for smartphone security while traveling abroad. Some you might expect: China, Iran, North Korea, Russia and the Ukraine; others you might not, such as France.
Here are his top recommendations for smartphone security abroad:
- Don’t bring your phone: The simplest answer is often the most difficult to follow through on – smartphones are a valued business tool now, and it would be difficult to enforce their removal. But if the travel does not require an executive’s personal phone, avoid accumulating more risk by bringing it.
- Employ mobile forensics: Any device used abroad should be checked for breaches when returning home.
- Use burner phones: Traveling employees hand over their usual devices before leaving the country, using a pre-paid phone with limited information while abroad, which is then examined, wiped or disposed of upon returning home.
- Employ geo-locational data access: Allow a device to access certain data depending on its GPS coordinates. For example, an executive on a business trip to Sydney or Tokyo could be granted full data access, but when he or she steps off the plane in Beijing, the system revokes the smartphone’s data encryption keys until it returns to a trusted territory.