Employees often use their personal devices to access company data, such as email, which poses a security risk if not managed well. Phone hacking is becoming common. There were two recent data security breaches on Apple and Google phones. Since they have the largest user bases, the problem was, and still is, widespread.
All your phones belong to us
The recent Stagefright vulnerability on Android phones exposed millions of users to a serious data breach.
Hackers can send a specific type of text message to your Android phone to get complete control over your device. They can read email, siphon data out of apps (like Dropbox), and access photos. They can even turn on the phone’s microphone or camera without your knowledge!
This can be done without you even knowing, so if you have employees with Android devices, they must update their phones. Otherwise, you may be leaving your company data around for the taking. The company that found the flaw also released the exploit for testing purposes.
Never break your iPhone out of jail
The Apple hack wasn’t as bad, but it points to another type of security problem.
More than 225,000 iPhone users had their phones compromised. This particular hack only affected “jailbroken” phones. Jailbroken phones have been modified to bypass Apple security. This is usually done to download apps outside of the App Store. If your company distributed new iPhones (or refurbished iPhones you’re sure aren’t jailbroken) to your employees, you’re probably safe.
If you have a BYOD policy for phones, however, you may have a problem if any of your employees access company data from a jailbroken phone.
Make a plan for mobile device security
Companies must find a way to balance productivity with security, while still allowing employees to access company data on their phones. Having the flexibility to work from anywhere at any time is a competitive advantage for businesses.
Putting a mobile device policy in place and making it mandatory for employees is crucial.
Here are some guidelines for a mobile device policy:
* Store all passwords in an encrypted password vault (like LastPass or 1Password)
* Don’t allow devices that are “jailbroken” or modified to bypass security features or gain access to information not intended for the user
* Keep phones updated with the latest security patches
* Do not connect to any computer that isn’t using updated malware detectors
* Create a written policy on what users can do with company data
* Hold training sessions so that all users know the restrictions
* Categorize what content is OK to access and what needs to be kept off personal devices
* Require a passcode on personal phones used to access company data
A mobile device policy isn’t going to protect you all the time. There is no 100% guarantee when it comes to data security of any kind, mobile or otherwise. But a strong policy, tailored to your company’s needs and enforced, will go a long way to mitigating your risks.
Does your organization have a mobile device policy in place? Let us know in the comments!