Computer Security Day. At last, a social media holiday that offers an opportunity to take stock of the technologies that enable everyone's social lives and to check your current computer security posture. And this includes your smartphone.
The first Computer Security Day occurred in 1988, a time when computers proliferated in businesses and government but had yet to become a ubiquitous presence in every home, and when the portability of today was mere science fiction. Looking back, it seems almost quaint. Today, of course, there is a computer in every hand. The sheer volume of data created, and the increasingly sophisticated ways of monetizing it, call for unprecedented vigilance.
Today's best practices allow for policing apps, encrypting data and looking for anomalies. But solutions for the full smartphone ecosystem don't yet exist, and this leaves companies and users at the mercy of any motivated individual, company or country trying to gain a competitive edge or financial advantage.
Because so many ways exist to gather information from smartphones – both legally and illegally – businesses should take a layered approach to securing enterprise mobile data as well as protecting the privacy of the mobile workforce. Here are 11 best practices to consider:
- Define the security context/goals for the phone, applying the commonly used framework of confidentiality, integrity and availability to its functions and data.
- Leverage the full disk encryption provided by device manufacturers, in combination with policies for strong passwords, auto-lock after a short time and device wipe after a limited number of incorrect entries.
- For data in motion such as calling and texting/messaging: Leverage third-party, open source, independently reviewed and vetted encrypted messaging apps such as Signal.
- For policy enforcement and scalable device management: Use mobile device management software.
- Create separate containers/environments for work and personal use in phones whose operating system allows it.
- Use mobile threat management software to detect known (and, in some limited cases, unknown) mobile attacks, perform jailbreak detection, etc.
- Keep the device OS updated/patched. Always.
- If developing custom, corporate apps: Verify and secure the development platform, apply secure coding best practices and ensure there is a plan and resources to keep apps updated on a timely basis.
- Use multi-factor authentication to increase access security to corporate resources.
- Use burner phones for international travel and/or take the phone off-grid (i.e. smartphone Faraday cage) while transiting high threat, choke point areas such as airports or while visiting confidential locations (e.g., M&A site visits, customer/partner meetings, etc.).
- Secure smartphone sensors when not in use or needed. These include microphones, cameras and RF radios. Doing so prevents surveillance and the leakage of sensitive information in the proximity of the device, even if the phone has been compromised by legitimate or illegitimate sources.
The bottom line: You should be in control of when you are tracked and monitored. That means adhering to best practices and always taking a proactive approach. Computer security is a team responsibility, so feel free to share this post with colleagues who may benefit!
Also, if you would like to learn more about advanced endpoint hardware and software solutions that provide security, privacy and control in an ultra-connected, sensor-driven world, contact us at privoro.com to learn more about our mobile security solutions and SafeCase for iPhone.