Mobile device security in 6 steps

Mobile devices often elude security specialists. Even when they are included in procedures, the coverage is usually insufficient. Here are 6 points that should be on your "checklist".


Step one – mobile device security begins at purchase planning

Few people, when planning the purchase of a fleet of phones, pay attention to a detail such as the manufacturer's declared length of support. Instead, they look at performance, model and brand, or simply choose on price and acceptable components. This is the wrong way. Support = security, especially for Android-based devices, where there are as many approaches to the issue as there are manufacturers. So security for mobile devices should start with purchase planning.

Step two – a relaxed approach to passwords

There is no great philosophy here: you need to ensure that users of business smartphones change their passwords regularly, just as they do (we hope) on company computers. For mobile devices, you need to introduce a password policy similar to the one for domain logins. It will be more secure.

Step three – firmware updates

Firmware updates are one of those things that users don't like to do. However, they need to be persuaded to do it. Otherwise, what we describe in the first step will be pointless. This is probably the most problematic of all the points, and it is hard to control without a central mobile device management system. We will cover how to organize such a system, what tools to use and what benefits it brings in the next text. If you lack such a system, you simply need to keep track of news about updates and security patches for all the smartphone models you have in stock. And then simply remind, admonish, ask and threaten. Eventually, users will learn.

Step four – profiling the smartphone

Unfortunately, smartphone profiling is a bit like the Yeti. Everyone has heard of it, but few have seen it. When preparing corporate standards related to mobile device security, you have to anticipate that users will want to install apps themselves or access private mail. And then the data security problem will begin. The best solution is to configure a new device with security recommendations in mind. Along with the device, the user should receive the rules, read them, and confirm acceptance of what is and is not allowed on the company's smartphone. We recommend that the "must not" list include, among other things, the installation of untrusted email clients, the handling of private mail, and self-installation of applications from outside the official application distribution centers (Google Play or App Store).

Step five – carelessness and misconceptions

A large number of smartphone users operate on the belief that since they have a new device, they are in no danger. This is wrong, as new malware for mobile devices appears almost every day. Cybercriminals are now "producing" more malware for smartphones than for computers. Why? Because it's easier and simpler. When it comes to the security of computers, servers or infrastructure, cybersec has years of experience and billions of dollars spent on improvement and development. By comparison, smartphones are virtually unprotected, and since this is the case, from the point of view of cybercriminals, attacks targeting these very devices will be more effective. One popular method of attacking smartphones is to post "pirated" installation packages for Android. Quite a few people use them. As we all know, nothing is free, so a free application provided by pirates includes malicious code as a bonus. That's why point four is so important.

Step six – "no name" brand accessories

This point will probably surprise you. What do accessories have to do with security if they meet standards for amperage or port size? We know of a case of a charger that, in addition to performing its primary function, simultaneously captured data. Inside its casing it had a microprocessor with a keylogger and code that used cell phone communications to transmit the "tapped" data. From the technical side, this is not very complicated. So, instead of saving budget by buying accessories of unknown origin, it is better to choose original ones. We will never have a full guarantee of security, as evidenced by the reports that appear from time to time about manufacturers' backdoors and applications installed in addition to the basic code, but we will nevertheless increase the level of security this way. Along the way, we will also take care of the life of the company's devices, for example, their batteries.

Mobile device security – it’s not difficult

As can be seen from the text above, taking care of the basic level of security of mobile devices requires no advanced acrobatics. A few organizational measures, and enforcing that users follow them, are enough. As we mentioned above, this is a basic level. If you would like to do it really well and achieve a higher level of mobile device security, you can't do without a professional central mobile device management system.
