Imagine a tweet goes up for a company that reads, “Reports that our CEO has been charged with fraud are true. We will determine a succession plan at an emergency board meeting.” Yet, the CEO has been aboveboard and there are no active investigations. That could lead to bad press, a major hit to the brand, and possibly a lot of lost customers.
All it takes is for someone to hack into a company’s social media manager’s phone to send out these malicious tweets. Worse, if someone gets access to an employee’s phone, especially an executive’s phone, they can potentially gain access to company secrets or customer data.
Today, I want to discuss four tips for keeping mobile devices from becoming tools for corporate sabotage. The tips here apply mostly to company-provided or registered devices, but much of the same advice applies to personal devices brought into the workplace, since they represent potential access points all the same.
- Passwords and PINs
Years ago, iPhones used 4-digit PINs by default. Brute-forcing a PIN like this doesn’t take incredibly long (one article claims around 111 hours, max). Smart criminals can cut the time it takes further by trying common combinations like 1234 or 1111 before running through the rest of the keyspace. Now, Apple has users set six-digit PINs by default. This is better, but still crackable by a determined attacker. To help keep your customers secure, enforce strong passwords or PINs on any issued mobile device. The longer and more complex, the better. You may opt to have users set alphanumeric passwords rather than simple PINs for added complexity.
Also, don’t count on SMS-based two-factor authentication (2FA) alone to save your customers’ accounts. SMS messages can be intercepted. A criminal simply needs some background information on a person to call the phone provider and ask them to move the phone number to a new SIM card (a technique called SIM swapping). After this occurs, the criminal receives the victim’s SMS messages, including verification codes for bank accounts, email accounts, and more. (Consider asking the phone provider to allow changes like these only if the account owner or an authorized person comes into the store and shows ID.)
- Lost/stolen devices
People will lose phones or tablets. Some will get stolen. It doesn’t have to lead to a catastrophe. Make sure employees feel comfortable reporting lost or stolen devices. They need to understand that reporting is the right thing for the company, and they need to trust that they won’t be reprimanded for it. Thank them when they report and reiterate that they made the right decision.
Once someone reports a missing or stolen device, you can protect your customers by remotely locking or wiping it. Losing a phone isn’t a huge deal (even if it’s a little costly); giving a criminal access to sensitive emails, to personal info for executives, or to critical systems is a huge deal. When shopping around for a remote monitoring and management (RMM) platform, pick one that offers the ability to remotely wipe or lock down mobile devices—like SolarWinds® RMM and SolarWinds N-central®.
Additionally, put in controls that lock or wipe the device after a certain number of failed login attempts so that nobody can brute-force their way into a stolen phone. Also, make sure your devices use full-device encryption, which requires the passcode to decrypt the phone’s storage. This is easy enough to set up on most devices, so there’s really no excuse to leave your data open to exposure.
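The arithmetic behind the PIN-length and failed-attempt advice above, as an added example that is not part of the original article: it models how keyspace size, a guess rate, a "common PIN" habit and a lockout limit combine into the attacker's odds. The guess rate, the common-PIN fraction and the list size are assumed inputs for illustration, not measured values.

```python
"""Model PIN/password strength against brute force, with and without a lockout."""
import string

DIGITS = 10
ALPHANUMERIC = len(string.ascii_letters + string.digits)  # 62 symbols


def keyspace(length, alphabet_size=DIGITS):
    """Number of distinct codes of `length` symbols drawn from an alphabet."""
    return alphabet_size ** length


def hours_to_exhaust(length, alphabet_size=DIGITS, attempts_per_sec=1.0):
    """Worst-case hours to try every code at a constant (assumed) guess rate."""
    return keyspace(length, alphabet_size) / attempts_per_sec / 3600.0


def guess_probability(length, allowed_attempts, alphabet_size=DIGITS,
                      common_fraction=0.0, common_list_size=0):
    """Probability the code is guessed before a lockout/wipe after `allowed_attempts`.

    The attacker spends guesses on a list of `common_list_size` popular codes
    first (the 1234 / 1111 habit) and then on the rest of the keyspace. A
    fraction `common_fraction` of users is assumed to have picked from that
    list; the rest are assumed to choose uniformly among the other codes.
    """
    space = keyspace(length, alphabet_size)
    on_list = min(allowed_attempts, common_list_size)
    leftover = allowed_attempts - on_list
    p_common = (on_list / common_list_size) if common_list_size else 0.0
    others = space - common_list_size
    p_uniform = min(leftover / others, 1.0) if others > 0 else 1.0
    return common_fraction * p_common + (1.0 - common_fraction) * p_uniform


if __name__ == "__main__":
    # Constructed scenario: 10 guesses before the device wipes, 1 in 10 users
    # picks one of the 20 most common codes.
    for label, length, alphabet in (("4-digit PIN", 4, DIGITS),
                                    ("6-digit PIN", 6, DIGITS),
                                    ("8-char alphanumeric", 8, ALPHANUMERIC)):
        print(f"{label}: keyspace={keyspace(length, alphabet):,}, "
              f"exhaust at 10/s={hours_to_exhaust(length, alphabet, 10):.1f} h, "
              f"no lockout={guess_probability(length, keyspace(length, alphabet), alphabet):.2f}, "
              f"10-try lockout={guess_probability(length, 10, alphabet, 0.1, 20):.4f}")
```

The lockout column is the practitioner's takeaway: with a wipe after ten attempts, the attacker's odds collapse to a few percent regardless of length, and what remains is driven almost entirely by users choosing predictable codes.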
- Anti-malware and endpoint protection
Yes, phones and tablets get malware just like any other system. You may be tempted to think that only Android or Windows phones would run into this problem since Apple tightly controls what makes it to the App Store. However, iPhones aren’t immune to viruses either.
Consider adding malware or endpoint protection onto corporate phones. Some RMM platforms like SolarWinds N-central give you the ability to whitelist or ban entire classes of applications on mobile devices.
- User training
For mobile security, you need to keep humans from unwittingly shooting themselves in the foot. That’s why it’s crucial to train users frequently on best practices. It could be part of your larger user security training strategy, or you could send out recurring emails and reminders to your clients (which could also serve to reinforce your brand).
Regardless of the delivery, cover the following:
- Lost/stolen device policy: I mentioned this earlier, but encourage users to report lost or stolen devices immediately (and remind them they won’t get in trouble). The quicker they report, the quicker you can wipe the data on the device.
- Password rules: Cover your password policies for devices—and cover best practices for personal mobile devices. However, part of your job here will be to persuade. People don’t like the inconvenience of long passwords—so explain the consequences so they know the risks of weaker passwords.
- Updating apps: Out-of-date applications (and operating systems) leave open security holes on mobile phones just as they do on desktops and laptops. Remind users to keep everything up to date on their phones to avoid a cybercriminal exploiting a vulnerability.
- App permissions: Unfortunately, many users treat app permission requests the way they do end-user license agreements (EULAs)—they just click a button to accept without reading carefully. However, if they download a game, there’s no reason for that app to gain access to their contacts or photos or gain read/write access to their social media profiles. Most users don’t recognize the risks—so emphasize this and train them to take an extra second before accepting permission requests.
- Connecting devices: Tell customers to be careful about connecting their devices with other machines. This matters for both employees personally and for their employer. End users are often unaware of how much personal data they share when they hook up their smartphone to their work computer (such as personal contacts, photos, or personal text messages). Additionally, employees put the business at risk if they sync company-provided phones with home computers (which are likely less secure).
Mobile access can be secure
As users bring their own mobile devices to the workplace or use company-issued smartphones or tablets, the number of potential access points for cybercriminals grows exponentially. But if you take the right steps and train users to follow best practices, you can reduce the chaos and better protect your customers from catastrophe.
Marco Muto, director, Business Development at SolarWinds