When employees want to use their smartphones for work, it poses many security concerns. Karl McDermott offers his advice for keeping your business data secure.
With 64pc of Irish business owners now relying on their smartphones to get work done, it’s important that smartphone security doesn’t get overlooked.
A recent survey by Three highlighted the changing shape of technology for Irish businesses. The majority of business-owners surveyed agree that their smartphone is now the single most important piece of technology at work.
While many Irish businesses maximise the mobility and flexibility that smartphones offer, they may not be aware of the level of security risk posed.
‘Smartphone hacking is less of an attack and more of an infiltration’
Just like a desktop PC, a smartphone is a network endpoint and, therefore, a potential network security weak spot.
In the past, hacking attacks often had no higher purpose than crashing a device, but smartphone hacking is now less of an attack and more of an infiltration. Using malware, hackers can secretly access and extract the phone’s data, before sending it to a third party who can use it however they want.
‘But who would want my data?’, you might ask. ‘It’s not valuable enough to be worth stealing.’
The fact is, any data has a value to someone, and its loss will have a cost to your business. Even something as seemingly innocuous as a few employees’ email addresses can have a use for today’s sophisticated criminals.
Another threat is ransomware, which infiltrates a device to encrypt data, rendering it unusable. A small Irish hardware rental business recently paid a ransom of more than €2,000 to regain access to their files, and lost two weeks of income while the files were out of action.
The vulnerabilities you need to know
As hackers increase their efforts to exploit smartphones’ vulnerabilities and access valuable business data, what steps should you take to protect your smartphone – and your business?
Never forget that smartphones have the same vulnerabilities as desktops and tablets. They need to be specifically included in the security advice you provide to employees. There are also security precautions specific to smartphones, which need to be included in your IT security strategy. Desktop PCs, for example, don’t go to bars and nightclubs. A smartphone goes wherever its owner goes, making it more vulnerable to loss or theft.
Security must always outweigh convenience. All business devices should have a different, unique passcode, which is regularly changed and never shared. As the smartphone is regularly out of your office network’s security perimeter, users should be reminded that public networks are just that: public. If a network doesn’t demand credentials, then anyone can log onto it, and potentially anyone can gain access to data transmitted over it.
Apps are a particular vulnerability of the smartphone. Users will download an app, skip reading the permission requests and just click ‘accept’. That’s when the trouble starts. The app takes up residence on the device and, if it is malware – whether that’s because the app is badly written or written with malicious intent – it siphons off data.
Always check the ratings and number of downloads an app has before you download it. Read the permissions requested and, if an app wants access to your emails, or a health tracker wants access to your photographs, ask yourself why and don’t download it if suspicious.
Keep your apps up to date. You can opt into notifications through the app settings to let you know when there is a new update to download. Many of these updates fix bugs that can be potential security loopholes.
Security with a sandbox
A huge amount of employees use their own personal devices for work. It’s also common for work smartphones to be used in personal lives. One of the most effective security measures you can take to enable this flexibility, while protecting your business data, is to install a secure ‘sandbox’. This is where corporate emails, intranet access, file-sharing and other line-of-business tools can reside, untouchable, by the device’s native applications.
There’s no danger of data leakage or risk of virus cross-contamination. Meanwhile, for the end user, there’s complete transparency of operation, no obstacle to accessing the data or tools they need, and no compromise in accessing non-work related websites or applications that are not pre-approved by the employer.
What the sandbox doesn’t do is protect the employee’s personal data but, even on a business device, that’s their responsibility, not yours. After all, as a business owner, your only concern is your business data and, with the rise in smartphone usage, that’s quite enough for you to deal with.
Karl McDermott has been the head of ICT at Three Ireland for more than two years. With over 15 years’ management experience, he leads a team of business and technology consultants. Before Three, he worked as an engineer, with both a bachelor’s and master’s degree in engineering.