Today’s corporate cell phone users are accustomed to an enormous amount of functionality from their handheld wireless devices. A wide variety of features, coupled with broadband connectivity, allows for quick and easy access to email, file transfers, internet browsing, etc. – from almost any location.
As the functionality of wireless devices continues to grow, so do the risks to the data stored on and transferred by them. The following safeguards are essential to improving corporate cell phone security.
1) Utilize Built-in Security Features
For years, desktop computers have provided users with “built-in” security measures. Most handheld devices now include a number of configuration settings and security measures that are intended to thwart basic security attacks. Oftentimes, however, these features simply go unused.
User authentication mechanisms generally available on most handheld devices are PINs and passwords. Some of these mechanisms include a timeout feature that locks the device automatically after reaching an “inactivity” threshold. Employees should be familiar with and take full advantage of the security features that are “built-in” to their own personal communication devices.
2) Maintain Physical Control
A key issue that many organizations struggle with is deciding whether to allow employee-owned devices or stick with organization-issued equipment. From a security perspective, organization-issued devices are easier to control and manage. Not only can security controls be managed from a central location, but the devices themselves can also be configured to comply with corporate security policies.
Organization members should be encouraged to treat all wireless devices much like they would a credit card. A lost or stolen wireless device incurs not only the cost of the handset itself, but it also puts the sensitive data contained on it at risk.
Lending cell phones to friends and relatives should be strictly forbidden as a matter of corporate policy. Allowing access to wireless devices by individuals outside the organization opens the door for misuse, abuse and/or fraud.
3) Limit Data Exposure
Keeping ultra-sensitive financial and personal information on company-owned wireless devices should be avoided if at all possible. It may be convenient to keep PINs, passwords, account numbers and user IDs on hand for quick access to online accounts, but this is exactly the sort of information that should not be maintained on a wireless device. It is best to store this information on a separate memory card until needed.
If the presence of this type of sensitive data cannot be avoided, always encrypt the information. There are many commercially available encryption applications for most of today’s handheld devices. (NOTE: The need for encrypting data is another good reason for centralized control of wireless devices within an organization.)
4) Backup Data Frequently
Everyone knows that keeping important digital data in only one spot is a recipe for disaster. Never trust a mobile device to be the only repository for important information. Be sure to back up its data frequently to a desktop computer or standalone hard drive. Backing up data onto a memory card is effective if the card is kept separate from the device itself.
5) Avoid Malware, Suspicious Apps and Software Downloads
Malicious programs can be spread to mobile devices through communications channels such as multimedia messages or Bluetooth connections. It is best to instruct users to treat any messages received from an unknown number with suspicion. Most malware requires a user to interact with the message to become active on the device. For example, malware that is propagated via a Bluetooth connection cannot install itself without user approval.
All organizations should have a policy in place that prohibits wireless users from downloading software from internet sites. Software installation should be centrally controlled within the organization at all times. Just as desktop PCs have safeguards to prevent employees from downloading and installing software, so do wireless devices. Some devices have application security features that prevent the installation of third-party software unless it is digitally signed.
6) Add Prevention and Detection Software
Malicious programs and unauthorized downloads cannot always be avoided. Therefore, it is best that each organization arm its wireless devices with prevention and detection software that will help curb malicious attacks of this nature. A wide range of products now exists in the marketplace for this purpose. These products simply expand the security that is already built into each device.
The most typical security features of prevention and detection software include: user authentication alternatives, firewalls, virus detection, spam controls, memory and contents erasure, encryption, intrusion detection, VPN, and others.
7) Deactivate Compromised Devices
If a wireless device is lost or stolen, disabling service, locking it, or completely erasing its contents can be achieved remotely. Always be sure to contact the wireless carrier in the event of a lost or stolen device. To help avoid excessive charges from the wireless carrier in the event of a stolen phone, it is advisable to obtain a police report that outlines the nature of the incident.
Some handheld units, such as the BlackBerry, can lock or erase their contents remotely through a built-in mechanism. This action is typically triggered by the receipt of a message containing a pre-registered activation code. A company policy should be established that informs users of procedures for handling and reporting lost or stolen organization-owned devices.
8) Establish a Written Wireless Security Policy
All organizations should provide users with a written wireless security policy. This policy defines the rules, principles, and practices by which the organization treats all of its wireless resources. The policy should outline stated restrictions for personal use of the devices, such as limits on storage of personal information like music, photos, contacts, etc.
In short, the wireless security policy should reflect the organization’s views on security and its intent to keep organizational data safe and secure. The success of such a policy lies in its quality, implementation and enforcement. A weak policy that is never enforced is not much better than no policy at all. Consult a qualified telecom consultant for help in constructing an effective wireless policy.