Today’s corporate cell phone users are accustomed to a plethora of features on their handheld wireless devices. These features, along with broadband connectivity, allow quick and easy access to email, file transfers, Internet browsing, and more, from almost anywhere.
As the functionality of wireless devices continues to grow, so do the risks to the data stored on them and transferred through them. The following safeguards are essential to improving corporate cell phone security.
1) Use built-in security features
For years, desktop computers have provided users with “built-in” security measures. Most portable devices now include a number of configuration options and security measures intended to counter basic security attacks. Often, however, these features are simply not used.
The user authentication mechanisms generally available on most handheld devices are PINs and passwords. Some of these mechanisms include a timeout feature that automatically locks the device after it reaches an “inactivity” threshold. Employees should be familiar with and take full advantage of the security features that are “built into” their own personal communication devices.
2) Maintain physical control
A key issue many organizations struggle with is deciding whether to allow employee-owned devices or stick with organization-provided equipment. From a security perspective, organization-issued devices are easier to control and manage. Not only can security controls be managed from a central location, but the devices themselves can also be configured to comply with corporate security policies.
Members of the organization should be encouraged to treat all wireless devices like a credit card. A lost or stolen wireless device not only incurs the cost of the phone itself, but also puts the sensitive data on it at risk.
Loaning cell phones to friends and family should be strictly prohibited as a matter of corporate policy. Giving people outside the organization access to wireless devices opens the door to misuse, abuse and/or fraud.
3) Limit data exposure
To the extent possible, avoid keeping highly sensitive financial and personal information on company-owned wireless devices. Although it may be convenient to retain PINs, passwords, account numbers, and user IDs for quick access to online accounts, this type of information does not belong on a wireless device. It is best to store this information on a separate memory card until needed.
If the presence of this type of sensitive data cannot be avoided, always encrypt the information. There are many commercially available encryption applications for most of today’s portable devices. (NOTE: The need to encrypt data is another good reason for centralized control of wireless devices within an organization.)
4) Backup data frequently
Everyone knows that keeping important digital data in one place is a recipe for disaster. Never trust a mobile device to be the only repository of important information. Be sure to regularly back up your data to a desktop computer or separate hard drive. Backing up data to a memory card is effective if the card is kept separate from the device itself.
5) Avoid malware, suspicious apps and software downloads
Malicious programs can spread to mobile devices through communication channels such as multimedia messages or Bluetooth connections. It is best to instruct users to treat any message received from an unknown number with suspicion. Most malware requires user interaction with the message to activate on the device. For example, malware that spreads over a Bluetooth connection cannot be installed without user approval.
All organizations should have a policy that prohibits wireless users from downloading software from Internet sites. Software installation should be centrally controlled within the organization at all times. Just as desktop PCs have protections to prevent employees from downloading and installing software, so do wireless devices. Some devices have application security features that prevent the installation of third-party software unless it is digitally signed.
6) Add prevention and detection software
Malicious programs and unauthorized downloads cannot always be prevented. Therefore, it is best for every organization to equip its wireless devices with prevention and detection software that will help curb malicious attacks of this nature. There is currently a wide range of products on the market for this purpose. These products simply extend the security that is already built into each device.
Typical security features of prevention and detection software include: user authentication alternatives, firewalls, virus detection, spam controls, memory and content wiping, encryption, intrusion detection, VPN and others.
7) Disable compromised devices
If a wireless device is lost or stolen, it can be remotely disabled, locked, or completely wiped. Always be sure to contact your wireless service provider if a device is lost or stolen. To help avoid excessive wireless carrier charges in the event of a stolen phone, it is recommended that you obtain a police report that describes the nature of the incident.
Some handheld devices, such as BlackBerry, have the ability to remotely lock or wipe their content through a built-in mechanism. This action is usually triggered by receiving a message containing a pre-registered activation code. A company policy should be established that informs users of the procedures for handling and reporting lost or stolen devices owned by the organization.
8) Establish a written wireless security policy
All organizations must provide users with a written wireless security policy. This policy defines the rules, principles, and practices by which the organization treats all of its wireless resources. The policy should describe the restrictions placed on the personal use of the devices, for example limits on the storage of personal information such as music, photos, contacts, etc.
In short, the wireless security policy should reflect the organization’s views on security and its intent to keep the organization’s data safe and secure. The success of such a policy lies in its quality, implementation and compliance. A weak policy that is never enforced is not much better than no policy at all. Consult a qualified telecommunications consultant for help in building an effective wireless policy.