Poor mobile security is responsible for at least 25% of attacks against businesses. These attacks—as simple as devices being stolen—can happen to anyone in an instant, and are devastating when you have no way of deleting the data on that device.
The security of your business directly impacts whether your customers continue to support and trust you, or lose confidence and shop elsewhere. When the average data breach costs American businesses $7.9 million, it’s no secret why 60% of small businesses don’t last six months post-breach. This article looks at six points your mobile security plan must include to mitigate risks:
This thorough look at mobile security may be overwhelming. Read everything over, realize the size of the task before you, and then make a plan for steady progress through it all. The article is written so each step builds on the next. With each step you complete, your business is more secure.
Mobile security starts with employees
There is no way to have mobile security with one employee as the sole person responsible for securing everyone at a company. Each employee must know their role for mobile security to be effective. Here are three recommended actions:
- Have IT security policies as part of employee onboarding from day one. Teach them the basics for their specific role.
- Create ongoing training covering email phishing, social engineering, credential reuse attacks, and ransomware.
- Make this ongoing training entertaining by using a variety of media. Play YouTube videos, such as the one below. Share articles from our blog. Bring in speakers. Use tweets from industry experts. You have to realise that one type of media will not connect with every employee.
If you have the budget, there are a number of online security training programs employees can take. The most difficult part of any mobile security program is changing user behavior. The right training can change behavior to be more security-minded. Here are three recommended programs:
- SANS: EndUser Training Suite
- KnowBe4: Automated Security Awareness Program
- Infosec Institute: Need to Know Program Plan
These training sessions are administered by experts in their field, with SANS and the Infosec Institute being two of the most trusted online security organisations. KnowBe4 is even run by famed former-hacker Kevin Mitnick.
Control your routers and networks
With the human and educational side underway, the next step is stepping up your network security, especially your Wi-Fi access points and routers. Why? Because what hackers can do with control of your routers is disturbing:
- Use it as a direct attack vector against the mobile devices which connect to your network.
- Monitor all activity on the network.
- Send users to fraudulent websites, such as banking websites or web-based email, and steal the login credentials.
- Force devices to download malicious software when they are in the process of downloading legitimate software.
- See any files being shared over the router, including sensitive work documents.
Doing the things listed above on a router which has not been properly secured isn’t difficult. A router can be remotely taken over in less than five minutes:
- Connect to a Wi-Fi network using their network name and password.
- Click on the Wi-Fi icon of your device and then Properties. Next to “IPv4” you’ll see an IP address like 10.0.0.1, 192.168.1.1, or 192.168.2.1.
- Put the IP address in a browser. You’ll now see a login page for the router like the image below.
- Most routers never have their default login changed. These default logins are often published online, or written on the bottom/back of the router. The username and password are usually “admin”, sometimes they’re creative and the password…is “password”.
- Once you log into a router, you own that network. With the right skills or tools, you can do any of the attacks listed above. The simplest thing that you can do is change the network name and password so that everyone is kicked off the network and can’t get back on.
Doing this “hack” takes a minimal amount of knowledge and no skill. Security researchers often do this as a demonstration and then put everything back to normal.
If someone with malicious intent does this, you will not be so lucky. They will own your internet and can monitor the activity of your mobile devices and anything else going on over the network.
How to secure your router
Securing routers is absolutely essential, and relatively easy to do:
- Is the router’s username and password “admin” or the default? Change it now.
- Is the manufacturer’s password written on the bottom of the router? Change it now.
- Are the network’s login credentials written somewhere public? Change and hide them now.
Your router may differ, but here are the basic steps to take:
The next step is to invest in a firewall. You can use either software or hardware. Recommended hardware includes Firewalla and Glasswire Pro. They will offer you support on how to set them up with minimal technical know-how.
Wireless admin settings
Look in the router settings for one which restricts changes to the router to directly wired connections only. Allowing wireless changes to the router’s settings is convenient for both you and hackers, and is what the “hack” demonstrated above relies on. Only allowing wired connections to change your router settings closes that vulnerability. Also make sure remote administration is off. Remote administration means anyone on the internet could try to hack into the very core of your network.
Here’s an example of a router screen where you can change those settings:
Setting up multiple networks
Stay in the settings. See if your router is Multi-SSID enabled, meaning you can create multiple networks. For now, create at least two networks:
- A wireless network for employees.
- A separate network for guests.
Hackers can access your network and start poking around if you give the same network access to everyone. The separate network for guests—including customers, visiting businesses, vendors, and anyone else whose device you can’t control—restricts easy access to your work network and everything connected to it.
Feel free to get more granular with your network if you feel it will help. Some businesses have different networks for separate departments, others create one for executives with fewer restrictions. Think about how your business can best divide network resources, or keep it simple with two!
Technology stack assessment
Now you need to look at all the apps that your business uses. To use an industry term, this is assessing your technology stack. This should be a recurring task in your business to prevent software bloat, keep costs down, and minimize shadow IT.
Your goal is to discover every app your business uses—free or paid—to get work done. Here are examples to look for:
- Social media: Twitter, Facebook, Hootsuite
- Marketing: MailChimp, HubSpot, Marketo
- File sharing: Dropbox, Box, Drop Send
- Cloud storage: Microsoft One Drive, Citrix, Google Drive Enterprise
- Chat apps: Slack, Microsoft Teams, Discord
- Productivity apps: Asana, Trello, or Basecamp
- Specialty software: Salesforce, QuickBooks, Procore
You need a clear picture of what tools are being used, who accesses them, who needs to access them, and to see if you can eliminate duplicate apps. I suggest you put together a spreadsheet. Here’s an XLS spreadsheet example to help you get started:
You may choose to not use that exact spreadsheet, but you will use some of those column headings in some form. Here’s a breakdown of each column heading’s importance:
- App Name: This can be the most effective column as you can sort the apps alphabetically and see the duplicates.
- Admin Username/Login: You need to track who controls the app and the email they use to do so. It has to be a company email.
- Department: Useful to see how many apps are in one particular department, and see why you have duplicates.
- Business purpose: Is the app used for customer management, social media interaction, or accounting? Record the actual business use of the app here.
- Number of users: Get an idea of how big a task it will be to move people from one app to another, or help you choose between two similar apps.
- Features: Cross reference against features in other apps to see which are similar. List as many features as you can.
- Integrations: Some apps require other apps to function properly. There may be apps which you cannot get rid of without having to get rid of another.
- Risks: Research any known security risks. This can include a lack of end-to-end encryption, password protection of files, and past data breaches.
- Security features: List the tools that the app has built into it to protect your staff. Be sure to look at their encryption protocols, two-factor authentication, password policies, and if the app is still updated regularly.
- Cost: If an app is free be sure to list whether or not it shows advertising or tracks user data—or both—to pay its bills.
You never know what you are going to turn up when this task is done. You may find that your customer support team chose an app to solve one particular problem, but the marketing team was already paying for a similar app. Now instead of being able to integrate data between these departments it is separated by two paid apps. This is why assessing your technology stack and consolidation is important.
Assembling and presenting your technology stack
Collecting all of this data will be difficult. Make it easier by:
- Having all managers speak with employees to see what they’re using.
- Sending managers a simplified version of the above spreadsheet to add the apps their department or team uses.
- Speaking with managers and getting the list of apps from their department.
- Consolidating the separate sheets into your own spreadsheet.
Here are my recommendations for proceeding once you have all of the data:
- Arrange the app name column alphabetically and see if you’re paying for the same license twice. Assess how to consolidate that.
- Look for redundant features amongst different apps and figure out how you can consolidate those.
- Check to see if two apps which integrate with one another have a single app which can handle both tasks.
- Find replacements for apps which lack essential security features or have too many risks.
- Beyond this, it is going to come down to your personal judgment. Involve others in this discussion who may have more knowledge.
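The spreadsheet columns above and the consolidation steps that follow them are easy to automate once the managers’ sheets are merged into one file. The script below is an added example, not part of the original article, and works on a constructed CSV inventory using the same column headings; every app, login, department and feature in it is made up for the demonstration. It reports duplicate entries for the same app, different apps serving the same business purpose, admin logins that are not company e-mail addresses, apps that integrate with each other, and apps missing a required security feature (here two-factor authentication) or carrying a recorded risk.

```python
import csv
import io
from collections import defaultdict

# Constructed sample inventory using the article's column headings. Every app,
# login, department and feature here is made up for the demonstration.
SAMPLE_INVENTORY_CSV = """\
app_name,admin_login,department,business_purpose,users,features,integrations,risks,security_features,cost
Dropbox,ops-admin@example.com,Operations,file sharing,12,share links;versioning,,,2fa;encryption at rest,paid
Box,mkt-admin@example.com,Marketing,file sharing,4,share links;versioning,,,2fa;encryption at rest,paid
Trello,pm-admin@example.com,Product,task tracking,9,boards;checklists,Slack,,2fa,free
Trello,jane.personal@gmail.com,Support,task tracking,3,boards;checklists,,,2fa,free
Slack,it-admin@example.com,IT,chat,25,channels;file upload,Trello,,2fa;sso,paid
OldChat,it-admin@example.com,IT,chat,2,channels,,no longer updated;past data breach,,free
"""

LIST_FIELDS = ("features", "integrations", "risks", "security_features")


def load_inventory(csv_text):
    """Parse the inventory into dicts; ';'-separated cells become lists."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for field in LIST_FIELDS:
            row[field] = [x.strip() for x in row[field].split(";") if x.strip()]
        row["users"] = int(row["users"])
        rows.append(row)
    return rows


def duplicate_apps(rows):
    """Same app name entered more than once (two departments paying for one product)."""
    by_name = defaultdict(list)
    for r in rows:
        by_name[r["app_name"].strip().lower()].append(r)
    return {entries[0]["app_name"]: entries for entries in by_name.values() if len(entries) > 1}


def overlapping_purposes(rows):
    """Different apps recorded with the same business purpose: consolidation candidates."""
    by_purpose = defaultdict(set)
    for r in rows:
        by_purpose[r["business_purpose"].strip().lower()].add(r["app_name"])
    return {p: sorted(names) for p, names in by_purpose.items() if len(names) > 1}


def non_company_admins(rows, company_domain):
    """Apps whose admin login is not a company e-mail address."""
    suffix = "@" + company_domain.lower()
    return sorted({r["app_name"] for r in rows if not r["admin_login"].lower().endswith(suffix)})


def mutual_integrations(rows):
    """Pairs of apps that each list the other as an integration (candidates for one app doing both jobs)."""
    links = defaultdict(set)
    for r in rows:
        links[r["app_name"]].update(r["integrations"])
    pairs = set()
    for a, deps in links.items():
        for b in deps:
            if a in links.get(b, set()):
                pairs.add(tuple(sorted((a, b))))
    return sorted(pairs)


def flagged_for_replacement(rows, required=("2fa",)):
    """Apps missing a required security feature or carrying any recorded risk."""
    flagged = []
    for r in rows:
        missing = [f for f in required if f not in r["security_features"]]
        if missing or r["risks"]:
            flagged.append((r["app_name"], missing, r["risks"]))
    return flagged


def consolidation_report(csv_text, company_domain):
    """Run every check and return one dict a manager can act on."""
    rows = load_inventory(csv_text)
    return {
        "duplicates": sorted(duplicate_apps(rows)),
        "overlaps": overlapping_purposes(rows),
        "non_company_admins": non_company_admins(rows, company_domain),
        "mutual_integrations": mutual_integrations(rows),
        "replace": flagged_for_replacement(rows),
    }


if __name__ == "__main__":
    for section, finding in consolidation_report(SAMPLE_INVENTORY_CSV, "example.com").items():
        print(f"{section}: {finding}")
```

Export the merged spreadsheet as CSV with the same headings and pass its contents to `consolidation_report`; the feature lists are compared by exact string, so agree on a small vocabulary (for example `2fa`, `sso`, `encryption at rest`) before managers fill in their sheets, or the overlap and security checks will miss matches.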
This is not an easy project and will likely involve a lot of back and forth between yourself, managers, and employees. They need to feel included so that you have their support once you make changes.
Be sure to have a meeting where you gather all of the managers together and discuss your findings. You must give everyone plenty of time to transfer data and adjust workflows if you are going to eliminate apps.
Improve your mobile app security
Once you have chosen all of your apps the work is not done. Now you need to work on further securing the apps you’ve chosen:
- Admin: Make sure that a member of upper management is the admin, even if a junior employee created it. The person who controls the account controls the data.
- Password: Set a secure password for the admin access. Use a minimum of 12 characters with mixed upper and lowercase letters, numbers, and symbols.
- No sharing: Institute a “one user, one account” rule. No one should share accounts at any level of your organization. Not only is sharing accounts a security risk, it’s also an accountability risk.
- Two-factor authentication: Every account will be better secured with two-factor authentication. If an app doesn’t have this, use apps such as Google Authenticator, Authy, or Duo Mobile to add that layer of protection.
- Brute force: Limit the number of failed password attempts that can occur before the account is locked. Limiting password attempts minimizes brute force and dictionary attacks.
- Permissions: Check to see if the app requires permissions to other sections of the device. Since data can leak from these connections, deny these permissions as often as possible for the app to still work.
Each of the steps above exists to make things more difficult for a hacker. If you make yourself a difficult enough target they will move along to an easier one.
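The password rule and the failed-attempt limit above are the two items on that list that an app you build or configure yourself has to implement rather than just switch on. The code below is an added example, not from the article or any product it mentions: `password_policy_violations` checks the article’s 12-character, mixed-class rule and reports every reason a password fails, and `LoginThrottle` counts consecutive failures per account and refuses further attempts (even with the correct password) until a lockout window expires. The limit of five failures and the 15-minute window are assumed values for the demonstration, and `FakeClock` is a stand-in for real time so the behaviour can be shown deterministically.

```python
import string
import time

MIN_LENGTH = 12  # the article's minimum password length
# Assumed lockout parameters for the demonstration; tune them for your apps.
DEFAULT_MAX_FAILURES = 5
DEFAULT_LOCKOUT_SECONDS = 15 * 60


def password_policy_violations(password):
    """Reasons a password fails the article's rule (12+ chars, upper, lower,
    digit, symbol). An empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase letter": any(c.isupper() for c in password),
        "lowercase letter": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    problems.extend(f"no {name}" for name, present in classes.items() if not present)
    return problems


class LoginThrottle:
    """Counts consecutive failed logins per account and locks the account after
    too many. While locked, even the correct password is refused, so the limit
    really does cap how fast passwords can be guessed."""

    def __init__(self, max_failures=DEFAULT_MAX_FAILURES,
                 lockout_seconds=DEFAULT_LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable so tests can fake time
        self._failures = {}           # account -> consecutive failed attempts
        self._locked_until = {}       # account -> clock value when the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:     # lock expired: start counting afresh
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def attempt(self, account, password, verify):
        """verify(account, password) is the real credential check.
        Returns 'locked', 'ok' or 'failed'."""
        if self.is_locked(account):
            return "locked"
        if verify(account, password):
            self._failures.pop(account, None)   # success resets the counter
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
        return "failed"


class FakeClock:
    """Deterministic clock for demonstrations and tests (stand-in for real time)."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    print(password_policy_violations("Ab1!"))

    def check(account, password):           # stand-in for a real credential store
        return password == "Correct-Horse-9!"

    clock = FakeClock()
    throttle = LoginThrottle(max_failures=3, lockout_seconds=60, clock=clock)
    for guess in ("a", "b", "c", "Correct-Horse-9!"):
        print(guess, throttle.attempt("alice", guess, check))
    clock.advance(61)
    print("after lockout:", throttle.attempt("alice", "Correct-Horse-9!", check))
```

Keep the lockout state somewhere shared (a database or cache) when the app runs on more than one server, otherwise each server counts separately. A lockout can also be triggered deliberately against a known username to keep its owner out, so keep the window short and alert on accounts that lock repeatedly rather than raising the failure limit.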
Mobile Device Management (MDM)
Mobile device management simplifies your mobile device security. Device management allows you to manage security settings, apps, and data on devices. Useful features include:
- Locating or wiping lost/stolen devices
- Enforcing password policies
- Setting required and optional apps
- Controlling where employees can download apps from
- Updating network passwords without manually sharing them
MDM is the single most effective tool in mobile device security.
Mobile device distribution method
Mobile device management starts with how you distribute your mobile devices. If you want to keep things simple, mobile devices can be classified as either personal or corporate. Personal devices are owned by employees, and corporate devices are owned by the company. Industry standard terminology uses four different distribution methods for mobile devices:
- COPE: Company Owned, Personally Enabled. The company owns the device but the employee enables it. The device can be used for non-work purposes, but it belongs to the company and will be returned when the employee leaves.
- COBO: Company Owned, Business Only. This used to be the common practice, and some still do it. The most common COBO devices have been specialized, such as smartphones which scan and track inventory.
- CYOD: Choose Your Own Device. Employees choose from a list of devices which meet business security needs. Either the company pays for the device and gives it to the employee indefinitely, or they provide a monthly stipend for the device.
- BYOD: Bring Your Own Device. The employee uses their personal device for work. There is minimal control of these devices, but employers like how it saves them money while also increasing productivity.
You don’t have to choose any particular method as a mix can be used depending on what works for your company. Your main concern is making sure every device with company data on it meets minimum security standards.
1: Core use of an MDM
There are basic security features an MDM provides which are 100% focused on mobile security. You can read about them more in our User Guide documentation, but here’s a breakdown of the features offered by the most useful MDM solutions:
- Locating lost devices
- Deleting data from devices which are lost or stolen
- Wi-Fi profiles for easy onboarding with no password sharing
- Quick and easy off-boarding of employees that leave
- Push security updates to apps
- Force password standards
- Notify you of devices which don’t comply with your security standards
Something as simple as being able to delete the data from lost devices can eliminate 25.3% of data breaches.
2: How an MDM impacts each mobile security need
The core features of an MDM apply directly to each of the aspects of mobile device security looked at above. Here’s a look at all of the major headings in this article and how an MDM impacts them:
- Mobile security starts with your employees: Having a mobile device management tool on employee devices serves as a constant reminder of security expectations. Your MDM can enforce security standards, like password policies.
- Control your routers and networks: Have better control by changing your network passwords often through the Wi-Fi profiles you create. You can change the password and have it automatically pushed to all employees and eliminate unauthorized users.
- Technology stack assessment: With your assessment complete, mobile device management software dictates which apps employees are and are not allowed to download onto their devices. Essential apps can be pushed to every device automatically. Your technology stack assessment is harder to enforce without an MDM to restrict and enforce company apps.
- Data sharing and storage security measures: You choose which tools are used for email, backup storage, as well as calendar and contact syncing. Leaving these choices up to employees can lead to data loss.
Mobile device management helps your tablet and smartphone security in a wide variety of ways. If you are still not sure if this software applies to your business, feel free to use the contact button below to speak with us.
Data sharing and storage security measures
VPNs (Virtual Private Networks) are used by employees who operate outside of the office, as they secure connections with encryption. They add another layer of security to all mobile devices. A VPN is essential when an employee:
- Works remotely from a network they don’t control (coffee shop, restaurant, airport)
- Visits another business and must access sensitive company data over an unknown network
- Attends a conference
- Visits another branch of your business
If employees communicate over the internet, company data will be better protected with a VPN. Here’s an explainer on how they secure communications.
Backing up mobile data securely
Mobile devices are mobile—they get lost, stolen, broken, and used as frisbees by bored children. Employees who create and manage work data on their mobile devices need a plan for data backup because of this.
If you use apps which back data up to the cloud you will be fine. Those who create documents on their mobile devices need mobile data backup software. The usual consideration is backing up data from different sources:
- Email: If your email isn’t already cloud-based you need to reassess your provider as this is an industry standard.
- Calendars: These are usually cloud-based. There are options for turning off synchronization across devices which can impede this.
- Contacts: This is another time when you can choose not to synchronize across devices. Make sure it’s enabled to recover this vital business data.
- Messages: Anything sent via SMS can be backed up, but it’s not very simple. Android devices have 25MB of free SMS storage, but need a Google One account to back up images sent via SMS. On iOS open the Settings app, go to Settings > iCloud > Storage & Backup. Make sure everything you want backed up is green.
- Files: Cloud storage options include Dropbox, Google Drive, and One Drive. This can be automated with auto-sync features between a folder on the mobile device and the cloud storage.
All of these methods require the proper scrutiny of the security offered and strong passwords for protection. Securely backing up files should be the major concern as this is where the bulk of work data will be stored.
Mobile data security app
An option we offer for secure, cloud document storage is our own SKY DOCS. This secure collaboration tool offers more than just a cloud backup:
- Document watermarking so that the owner of the document is clearly established.
- Password protection for documents to make sure only the proper people can access it.
- Controls on who can edit the document versus view-only capability.
- Revoking access to documents. This is useful for contractors who need access for a limited time.
These advanced features are applicable to a wide variety of business scenarios. Use the button below to discuss SKY DOCS with us today.
Traffic Light Protocol
Where a VPN is a technical control for securing data in transit, Traffic Light Protocol (TLP) is a labelling convention for controlling how data is shared. The creator of any data sets the standard for how that data is to be shared. Options include:
- White: The only restriction on the data is basic copyright law.
- Green: Anyone in the company can access the data.
- Amber: Those in a predetermined group—such as a department—may view the data.
- Red: No sharing beyond those who directly receive the data from the originator.
Data can be marked with the colours or the words on the document to let people know how to treat the data. While this isn’t a sure thing by any means, it does help instill a data security mindset.
Here’s a helpful image you can use and post around the office.
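Labels only help if someone checks them before a document goes out, and the four levels above translate directly into a sharing check. The code below is an added example, not part of the article; it models a document with its TLP level, originator, direct recipients (for Red) and pre-agreed group (for Amber), produces the marking to stamp on the document, and decides whether a given person may be shown or forwarded the document. The company name, people and documents are constructed for the demonstration.

```python
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple

# The four sharing levels as the article describes them, most to least restrictive.
TLP_LEVELS = ("RED", "AMBER", "GREEN", "WHITE")


@dataclass
class Document:
    title: str
    tlp: str                       # one of TLP_LEVELS, chosen by the originator
    originator: str                # e-mail address of whoever created the data
    direct_recipients: Set[str] = field(default_factory=set)  # RED: the only people allowed
    group: Optional[str] = None    # AMBER: the pre-agreed group, e.g. a department


@dataclass
class Person:
    email: str
    company: str
    department: str


def marking(doc: Document) -> str:
    """The label to put on the document, e.g. 'TLP:AMBER (Finance)'."""
    level = doc.tlp.upper()
    if level == "AMBER" and doc.group:
        return f"TLP:{level} ({doc.group})"
    return f"TLP:{level}"


def may_share(doc: Document, recipient: Person, company: str) -> Tuple[bool, str]:
    """Decide whether `recipient` may be given `doc` under the article's rules.
    Returns (allowed, reason) so a refusal can be explained to the sender."""
    level = doc.tlp.upper()
    if level not in TLP_LEVELS:
        raise ValueError(f"unknown TLP level {doc.tlp!r}")
    if recipient.email == doc.originator:
        return True, "originator"
    if level == "WHITE":
        return True, "TLP:WHITE: no restriction beyond copyright"
    in_company = recipient.company == company
    if level == "GREEN":
        return in_company, ("TLP:GREEN: anyone in the company" if in_company
                            else "TLP:GREEN: recipient is outside the company")
    if level == "AMBER":
        ok = in_company and doc.group is not None and recipient.department == doc.group
        return ok, f"TLP:AMBER: group is {doc.group}, recipient is in {recipient.department}"
    # RED: only the people the originator addressed directly
    ok = recipient.email in doc.direct_recipients
    return ok, ("TLP:RED: direct recipient" if ok else "TLP:RED: not a direct recipient")


def may_forward(doc: Document, sender: Person, recipient: Person, company: str) -> Tuple[bool, str]:
    """A holder passing the document on: the holder must be allowed to have it,
    and TLP:RED may only ever be distributed by the originator."""
    allowed, reason = may_share(doc, sender, company)
    if not allowed:
        return False, "sender should not hold the document: " + reason
    if doc.tlp.upper() == "RED" and sender.email != doc.originator:
        return False, "TLP:RED: only the originator may distribute"
    return may_share(doc, recipient, company)


if __name__ == "__main__":
    # Constructed company, people and documents for the demonstration.
    company = "Example Co"
    memo = Document("Q3 forecast", "AMBER", "cfo@example.com", group="Finance")
    ann = Person("ann@example.com", company, "Finance")
    bob = Person("bob@example.com", company, "Marketing")
    print(marking(memo), "-> ann:", may_share(memo, ann, company))
    print(marking(memo), "-> bob:", may_share(memo, bob, company))
```

The check is deliberately conservative: a level the code does not recognise raises an error instead of defaulting to "allow". Note that the current TLP 2.0 definition published by FIRST renames White to Clear and adds an Amber+Strict level that limits sharing to the recipient's own organisation; if you adopt the colours from that standard, extend `TLP_LEVELS` and the checks to match.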
Mobile security is never complete: residual risk
There is no “done” in mobile—or computer—security. New threats emerge and new weaknesses appear; security is one task that is always on your list. Even if you do everything above there will still be residual risk. That risk will come from flaws in apps, mistakes made by employees, and other security risks which can’t be foreseen.
Your concern should be reducing that risk as far as possible, and you can do it by continually reassessing what we looked at above:
- Mobile security starts with employees
- Control your routers and networks
- Technology stack assessment
- Mobile Device Management
- Data sharing and storage security measures
I recommend setting a schedule for looking at each of these in turn. Yearly would be the minimum, every 6 months would be better. Too much work? Assign a security officer in your company to the task.
For help getting set up with mobile device management software, and assistance on how it can be incorporated into the mobile security of your specific business, use the button below to contact us now. We can give you a live demonstration of the tool, and chat about how it can help your business, employees, contractors, and customers.