Our smartphones are essential to our professional lives and contain a growing amount of information. We store customer contact details, emails, private communications, instant messages, and even financial and strategic information. In case of loss, theft or breach of a smartphone, the whole organization can be impacted. Especially if it is operating in a highly strategic or competitive industry.
Securing professional mobile phones is therefore essential, even if it is not always the number one priority for CIOs. Explanations.
Protecting smartphones: An often neglected necessity
With the ever-increasing use of new technologies comes a need for security. The more information is digital, the more likely it is to attract malicious people, both in the immediate surroundings and the other side of the globe. Smartphones are becoming our first screen, and sometimes even our first work tool. The problem is that their security is often neglected. According to Kaspersky Labs in a study published late 2016, more than 50% of organizations do not protect the mobile devices provided to their employees.
A simple connection to a public Wi-Fi network can put your organization at great risk. And all organizations are concerned. If both large corporations and entire industries such as defense, energy, transportation and the media are particularly exposed to cyber threats, all organizations, including start-ups and SMEs, may fall prey to an attacker.
A study published in the prestigious Harvard Business Review pointed that smartphones are the weak links of all organizations. CIOs are desperately trying to manage a growing proliferation of connected devices, protect critical data, secure networks, and train and support employees.
In a rather Manichean view, IT security is often perceived as an operational roadblock. IT management implement rules and tools that are perceived as hurdles to agility and freedom. On one side, real security challenges, and on the other side, the ability to switch from a professional smartphone to a personal tablet to continue working from home or on the move. Between the two lies a gray area that is not always easy to manage for organizations.
Imposing too restrictive rules, for instance, can drive employees to turn to tools and personal devices to circumvent them.
Securing and protecting smartphones without the tools and the associated strategies can quickly become a challenging equation.
Threats targeting professional smartphones
With weak default security, limited user awareness and ubiquity in daily activities, smartphones are both a business accelerator and an ideal playground for hackers. A few examples:
Loss or theft of a mobile device
Do you think this is a minor issue? A study shows that 70 million smartphones disappear every year, and only 7% of them are recovered.
Whether it is an oversight, an opportunistic theft or a targeted action, the disappearance of a mobile device can have serious consequences, especially if there is no mitigation process in place.
The first concerns is the immediate drop in productivity: the victim can no longer communicate and will lose many hours to find a solution. Once a replacement device is provided, it will take days to track data and applications, and log into all services used.
On the other hand, even protected with a password, a standard smartphone is not unbreakable. The risk is therefore to have confidential information leaked publicly, shared with competitors or sold to the highest bidder.
How can we mitigate?
If we cannot avoid the loss or theft of a smartphone, we can however limit the consequences. The first step is to implement local encryption on mobile devices, ideally with a hardware solution such as a specific SIM or SD card (rather than just software), based on encryption keys provided and managed by the organization. Data is completely protected, and cannot be used by third parties: hackers, smartphone providers and applications.
Authentication must also be improved with robust security systems, far beyond that of consumer solutions implemented by phone manufacturers.
Finally, the ability to locate a device and, if necessary, delete all of its data remotely.
Eavesdropping and intercepting communications
Do you think these techniques are limited to Hollywood spy movies? They are more common than you think. A simple example : In Canada, in the spring of 2017, devices capable of intercepting smartphone data were spotted in Ottawa, the federal capital, and at the Montréal airport. A discovery that caused a great deal of commotion in the press and sparked many debates.
If Canadian intelligence services were suspected, no one was blamed. Even worse, the technology used to eavesdrop and intercept communications is easily replicable.
How can we mitigate?
The goal is not to avoid eavesdropping – it’s almost impossible – but to encrypt communications and data. In case of an interception, these will be totally useless and unintelligible to the spying party.
An end-to-end encryption solution for SMS and voice communications, and for received and sent data (emails, Internet, intranet, etc.) is a solid foundation for securing your communications.
Remote attacks of your smartphones
Connecting to an open and free Wi-Fi network while at the hotel or in a trade show abroad? What a bargain! True, especially for those who want to steal data and information from people who are not very careful. A simple connection in a coffee shop or an airport, and you could have given the keys to your office to a stranger who was just waiting for that. Many other types of remote attacks exist, facilitated by the use of malware hidden in certain applications and websites.
How can we mitigate?
Beyond the usual good practices (do not connect to public Wi-Fi networks and unsecure locations, do not download applications outside official marketplaces, do not share connections or connect to unsecure Bluetooth, etc.), effective solutions can be deployed to protect smartphones. Mobile VPN, network firewall, port control, anti-rooting and anti-trapping are a few examples. These are essential initiatives applying to an era of mobility and constant movement.
For all employees, and even more so for managers and executives, well secured and carefully monitored smartphones with appropriate solutions is essential. Protecting assets, sustaining strategy and preserving confidential information is an important competitive advantage.