Smartphones Need Smart Security

Padraic Murphy
By:
On: 2 Feb 2017
Share this post

Smartphone Security

A recent report revealed that 64% of business owners in Ireland rely on their smartphones to get their work done*, yet smartphone security is often overlooked.

Just like a desktop PC, a smartphone is a network endpoint, and therefore a potential network security weak spot. As hackers increase their efforts to exploit smartphones’ vulnerability and access valuable business data, what steps should you take to protect your smartphone – and your business?

The latest survey commissioned by Three* has shown the changing shape of technology for businesses in Ireland. The majority of business owners surveyed agree that their smartphone is now the single most important piece of technology at work. This was reflected in the Citrix Mobility Survey** too, which reported a mere 3% now use only their office PC for work. However, while many appreciate the mobility and flexibility a smartphone offers, they may not appreciate the level of security risk posed. You almost certainly have security systems and protocols in place to protect desktop PCs, laptops and tablets; it’s time to recognise the smartphone as another endpoint to be protected on your business’s network.

(c) independent.ie/business/technology

(c) independent.ie/business/technology

Hidden Hacking

In the past, hacking attacks often had no higher purpose than crashing a device, but smartphone hacking is less of an attack and more of an infiltration. Using malware, hackers can secretly access and extract the phone’s data, before sending it to a third party who can use it however they want.

“But who would want my data?” you might ask. “It’s not valuable enough to be worth stealing.”

The fact is, any data has a value to someone, and its loss will have a cost to your business. Even something as seemingly innocuous as a few employees’ email addresses can have a use for today’s sophisticated criminals, as one business in Ireland recently discovered. Hackers used malware to siphon emails from one of the business’s smartphones, and in just two weeks gained enough information to send an authentically-worded email from an apparently valid address, requesting a transfer of a large sum of money. Only an alert employee who double-checked the request brought the scam to light, minutes before the funds could have been irretrievably transferred.

Another threat is ransomware, which infiltrates a device to encrypt data, rendering it unusable. A small Irish hardware rental business recently paid a ransom of over €2,000 to regain access to their files, and lost two weeks of income while the files were out of action.

If those are some of the risks, what steps can you take to make your business’s smartphones less vulnerable?

Security Vulnerabilities of Smartphones

Never forget that smartphones have the same vulnerabilities as desktops and tablets. They need to be specifically included in the security advice you provide to employees. There are also security precautions specific to smartphones, which need to be included in your IT security strategy. Desktop PCs, for example, don’t go to bars and nightclubs. A smartphone goes wherever its owner goes, making it more vulnerable to loss or theft.

Security must always outweigh convenience. All business devices should have a different, unique passcode, which is regularly changed and never shared. As the smartphone is regularly out of your office network’s security perimeter, users should be reminded that public networks are just that: public. If a network doesn’t demand credentials, then anyone can log onto it, and potentially anyone can gain access to data transmitted over it.

Apps are a particular vulnerability of the smartphone, as discussed in our recent blog: Mind the Gap. Users will download an app at some point, skip reading the permissions request and just click ‘accept’. That’s when the trouble starts. The app takes up residence on the device, then if it is malware, whether that’s because the app is badly written or written with malicious intent, it siphons off data.

Always check the ratings and number of downloads an app has before you download it; read the permissions requested, and if an app wants access to your emails, or a health tracker wants access to your photographs, ask yourself why and don’t download it.

Keep your apps up to date. You can opt into notifications through the app settings to let you know when there is a new update to download; many of which fix bugs which can be potential security loopholes.

Security with a Sandbox

79% of employees use their own personal devices for work**. It’s also common for work smartphones to be used in personal lives. One of the most effective security measures you can take to enable this flexibility while protecting your business data is to install a secure “sandbox”. This is where corporate emails, intranet access, file sharing and other line-of-business tools can reside, untouchable by the device’s native applications.

There’s no danger of data leakage or risk of virus cross-contamination. Meanwhile, for the end-user, there’s complete transparency of operation, no obstacle to accessing the data or tools they need, and no compromise in accessing non-work related websites or applications that are not pre-approved by the employer.

What the sandbox doesn’t do is protect the employee’s personal data, but even on a business device, that’s their responsibility, not yours. After all, as a business owner, your only concern is your business data; and with the rise in smartphone usage, that’s quite enough to for you to be dealing with.

*B&A Connectivity Report, November 2016   **Citrix Mobility Survey, September 2016