Last year I wrote on ways to protect your mobile devices – Is your slip showing? In this article, I listed some of the things you can do to protect your devices, the data on them and your business.
Recently, the Australian Institute of Company Directors (AICD) had a weekend break-in that resulted in the theft of a laptop -yes that’s right just 1 laptop. Unfortunately, this device had details – including name, address & date of birth – for 66,000 members. The report on how it all happened, the manner in which the AICD handled it (or didn’t) and the dramatic outcomes for this iconic association will make an interesting reading.
In the meantime, I’ve reviewed what I wrote last year and have tried to bring it up to date for you.
#1: The Basics
These won’t make you secure, but without them you have no chance.
- Strong Passwords:
If you have sensitive data on your mobile devices, they need to be password protected.
The password should be as strong as practical. Not a 40 digit series of random numbers but something that balances your ability to remember it (and enter it n times per day) against the ability to hack it. You want to wipe the device after 10 password failures or so.
- Auto-lock:
Along with the password, you should set an idle timeout after a period of inactivity. Finding the right setting is about your threshold for inconvenience and entering the password. 5 minutes is more than long enough.
- Keep all system/application patches up to date, including Mobile OS and installed applications.
Unless you are checking constantly that the mobile device remains with your configuration policies, you can be fooled. Just because you set up a device correctly doesn’t mean it stays that way – downloading a application patch can reset your configuration to factory defaults.
- Data Encryption
For devices (including phones) that support encrypted communication (SSL, https, VPN, etc), always configure defaults to use encryption.
#2: Remote Wipe
Despite your best efforts, some of us will lose our devices. Or our kids will drop them. Or they’ll break and be sent in for service. What happens isn’t important just understand that you won’t always be in control of your device and that introduces risk for you.
You need the ability to eliminate the data on the device remotely. This doesn’t have to be complicated. Authenticate properly and nuke it from the galaxy. Hopefully you backed up your device.
Ultimately if there is sensitive data on the mobile device, you need to be able to wipe it from anywhere in the world. Having an auto-wipe policy in case of 10 password failures is critical. At some point, someone will try to get into your device and that’s when you want to be able to get rid of the data. (One caveat: in order to wipe the device you must be able to connect to it – so flight mode won’t work in this case)
#3: Lock down Network Access
Lets be honest, most public wireless networks are the equivalent of a seedy back alley. Get a little selective about what networks you connect to.
The AICD story highlights that it’s not a matter of if, but when. And when it happens, you’ll need to know that the critical information on your mobile devices is protected and you have a plan to support these devices. That means you need to keep apprised of the current attacks being used against mobile devices, and also that you need to pay attention to both the process and the technologies used to protect them. (Along with all the other stuff on your plate every day.)
PS! If you have staff – what’s on their mobile devices that belongs to your company?