Caught in the web

Amy Birchall.

As mobile security threats become more complex, protecting data is becoming more difficult. Amy Birchall explains how to keep your information safe.

If you’ve ever used your phone to access sensitive data over unsecured wi-fi, downloaded an app from an untrusted source or clicked on a link in an SMS that promised access to an important corporate network update, your phone’s security – and that of your organisation – may have been compromised.

The rapid growth in smartphone and tablet usage over the past two years means these devices are frequently targeted by cybercriminals.

Dean Frye, the technical director at cyber security solutions firm Sourcefire, says most mobile security breaches are malware attacks that allow hackers access to sensitive data or databases.

People often do not realise they have downloaded malware onto their phones until it is too late.

“Humans are the weakest link when it comes to security,” Frye says.

“Using the same password and username for different websites and clicking on links in emails from unknown people – which are actually malware – are some of the most common mistakes consumers make. This leaves their personal information open and vulnerable to being compromised.

“Consumers need to be aware of the security implications associated with mobile devices, and as a result, they need to make strategic decisions as to what they open on their devices and where they store their information.”

Frye warns it isn’t just personal data at stake when it comes to mobile security. In the bring-your-own-device (BYOD) era, corporate information is increasingly at risk.

“BYOD has created new security risks and today’s networks are no longer deeply nested within the walls of their enterprise,” Frye says.

“Before BYOD, IT departments could control the use of technology by issuing devices that could be locked down with a corporate IT firewall. As more and more employees use their own devices, maintaining a secure environment becomes a challenge.

“Employee-owned mobile devices often access corporate resources that are outside the control of the corporate IT team, and they easily connect with third-party cloud services, computers and endpoints where security posture is potentially unknown.”

Mobile security concerns such as these mean many organisations are still grappling with the BYOD phenomenon, more than two years after employees first started using personal phones, tablets and computers for work purposes.

Ensuring corporate data is protected on personal devices is so difficult that analyst firm Gartner reported 2014 might herald the end for BYOD, as “there is no way for IT to assume full responsibility of securing and managing devices without ownership”.

The benefits of BYOD include increased productivity, reduced IT equipment costs and improved employee engagement; however, organisations are beginning to realise these benefits might not outweigh the potential risks.

A 2013 Symantec survey found as many as half of employees who had lost or left their jobs in the previous 12 months kept confidential corporate data, and 40 per cent planned to use it in their new jobs.

While Frye believes the BYOD trend isn’t going anywhere, he admits keeping information protected is not easy.

“Organisations need to monitor and protect against the full attack continuum before, during and after an attack,” he says.

“IT security professionals must be able to see everything in their environment, understand whether it is at risk, and then protect it.”

This means restricting BYOD – and dealing with backlash from employees who want the freedom to choose their own devices – is not necessarily the answer.

Instead, Frye recommends “implementing BYOD policies that clearly define the proper and appropriate use of employee-owned devices at work”.

To minimise security risks associated with BYOD, organisations could do worse than follow the advice of legendary management consultant Peter Drucker, who wrote “what gets measured gets managed”.

According to Frye, this means gaining visibility over the entire corporate network, from devices to operating systems, applications, users and network behaviours. This makes it easy to track device use and quickly identify potential security violations.

Policies and network controls are also important.

“On the corporate side, companies must create and enforce policies that regulate what data can be transmitted to BYOD users,” Frye says.

“For employee-owned devices, it may be useful to lock down your organisation’s network or computers – including laptops, desktops and servers – with capabilities such as application control.”

Outdated systems should also be replaced or supplemented by agile and adaptable technologies that are more responsive to change.

Many older systems are too sluggish and unwieldy to respond quickly to new security threats without assistance.

When it comes to operating systems, Frye says Android has proven to be more vulnerable to security attacks than any other operating system.

Cisco’s latest annual security report says 99 per cent of all mobile malware targets Android devices.

“Knowing this, consumers need to be even more aware of the security risks these devices pose,” Frye says.

Mobile Security Tips:

Stay Smart Online, a government cyber security initiative, offers the following suggestions for protecting your personal mobile security:

• Put a password on your phone and a PIN on your SIM card.

• Set up your device to automatically lock.

• Encrypt your data to secure your information if your phone is lost or stolen.

• Be careful when allowing third-party applications to access your personal information, such as location. Always read permission requests before installing new apps or upgrades.

• Install updates to your phone’s operating system as soon as they are available.

• Back up your data regularly.

• Do not click on unsolicited or unexpected links, even when they appear to be from friends.

• Delete all personal information before recycling an old phone. Most phones have an option to reset to factory settings.

• Remember to remove or wipe any inserted memory cards, too.

• Be smart with wi-fi and Bluetooth.

• Avoid online banking or financial transactions in busy public places and over unsecured wi-fi networks.

• Turn off Bluetooth when not in use.

• Monitor your phone bill for unusual charges.

• Ignore missed calls and text messages from unknown numbers. Responding to a scam text message or missed call could cost you a small fortune in premium rate charges.

Amy Birchall is a staff writer at ‘Management Today’, AIM’s national magazine for members.