9 Practical Ways to Strengthen Your Company’s Mobile Security

It’s an unavoidable security reality: portable devices like laptops, smartphones, and tablets require a bit more security consideration than static devices that “live” on site.

But their sheer lose-ability and steal-ability is just one issue. We also have to think about the wireless networks they interface with when out and about; the security of the authentication factors they use; and the company IT policies (or lack thereof) that their users are party to.

So aside from the usual advice around using strong passwords, installing antivirus software, investing in cybersecurity training, and the ever helpful “just don’t lose it”, what else can you do to boost your mobile security?

Encrypt Your Mobile Devices

Encrypting your data “at rest” (i.e., when it’s sitting on your drives or device storage) is excellent security practice. You should absolutely consider encrypting data on servers, PCs, and other static devices.

However, the true protective power of at-rest encryption really comes into its own when you use it to protect the data on laptops and mobile devices. Therefore, if the devices are lost or stolen, the data held within is safe from prying eyes. Most modern smartphones will have some level of onboard data encryption enabled by default, though it always pays to give your own device settings a quick check. Privacy-oriented search engine DuckDuckGo has published this handy guide to help you secure your Windows, Mac, iPhone, and Android devices using their own in-built capabilities.

Properly Dispose of SIM Cards & Mobile Numbers

SIM cards may seem like just another bit of metal and plastic detritus, but when you’re moving to another network, changing your SIM, or disposing of a number, SIM cards aren’t just something you should simply discard.

First, let’s talk about disposing of the physical SIM itself. Firstly, make a note of the SIM’s ICCID – that’s the long serial number on the back of the SIM. This way, you can better document that the card has been destroyed. The actual destruction part is easy – simply cut the whole SIM card through the metal part with scissors.

However, that’s just the physical part of the equation. If you’re porting the same number to a different SIM or network, just destroy the old SIM and discard it however you see fit. But if you’re retiring a mobile number, there are a few other things to bear in mind.

Firstly, multi-factor authentication. Is that mobile number set up to receive multi-factor authentication texts or calls from a given login or piece of software? If so, then remove that number from those logins or simply close those accounts outright if someone is leaving your company.

Networks reuse numbers that are no longer in use. You don’t know who’s going to get their mitts on that number next, so you don’t want to give them the ability to authorise themselves as the number’s previous owner!

Secondly, logins. An increasing number of tools allow you to log in with your mobile number instead of the usual email address or username, so make sure that any such accounts are deactivated or their login credentials changed.

Related Reading: 3 Surprising Ways Cyber Security Meets Physical Security

Disposing of Devices & Drives Securely

If you’re getting rid of a device with on-board storage like a mobile phone or pen drive; or you’re getting rid of an old PC with a hard drive or SSD, you need to make sure that the data on those drives is securely destroyed.

Let’s discuss mobile security first. Remove any microSD cards, log out of all accounts on the device, and enable encryption as above. Let the encryption complete, and then perform a full factory reset. A full device wipe on top of already encrypted data should be more than enough to keep you protected.

Advice surrounding hard drives, pen drives, and SD cards depends on how sensitive that data is and/or how paranoid you are about ensuring its destruction. Yes, we know that Windows’ Quick Format does look like a tempting option on a hectic, time-poor day, but it’s nowhere near enough to render the drive’s data irretrievable.

Software is available that can format a drive, overwrite the whole drive with junk, then format it again. You can carry out as many “passes” of this process you like – the more you do, the less likely the data on the drive will be recoverable.

However, if you don’t need to reuse the hard drive and the data on it is particularly sensitive, then physically destroy it. Crush it, hammer it, give it a trendy new piercing in a drill-press, the world’s your oyster! Just don’t microwave it, ok?

Solid State Drives (SSDs) are a little easier to securely wipe. Head to your drive’s manufacturer’s website and see if they have software available for your drive called “Secure Erase” or something similar. This resets the memory chips to a completely neutral state, effectively destroying any data held within whilst still leaving you with a usable drive.

Exercise Caution Around External Storage Devices

If you don’t know or trust the origin of a pen drive or Bluetooth enabled device – don’t attach/connect it to your enterprise network. Simple as.

There are a couple of things that could go wrong if you do go plugging in strange devices willy-nilly. On the more innocent end of the spectrum, you may be asked to plug in a pen drive that a colleague has brought from home or be asked to connect to their personal phone’s Bluetooth on a networked device. Our advice? Refuse politely but firmly.

There are a couple of things that could go wrong if you do go plugging in strange devices willy-nilly. On the more innocent end of the spectrum, you may be asked to plug in a pen drive that a colleague has brought from home or be asked to connect to their personal phone’s Bluetooth on a networked device. Our advice? Refuse politely but firmly.

Their home devices and network may not have the same levels of protection as your enterprise network, so by plugging that device in, you may end up infecting your workplace.

Our next potential happenstance is considerably more insidious. If a cyber criminal is targeting your organisation, they may place a tempting-yet-infected device in the premises car park, ready for someone to waltz by and enact that age-old psychological bylaw of “finders keepers”. It’s called a baiting attack.

The attacker may up the ante by making that drive particularly tempting. Low-capacity no-name pen drive are ten-a-penny nowadays, but a sleek 64GB drive? A name brand 4TB portable drive? It might be enough to turn someone’s head. Stay vigilant.

Don’t Leave Bluetooth Enabled

Yes, Bluetooth is super useful. It links our mobiles to our headphones, cars, and wearable devices. Yet whenever a given technology becomes widely used and available, cyber criminals will surely find a way to exploit it. So, the more we rely on Bluetooth, the more it becomes fraught with cybercrime potential.

Attacks like BlueJacking (wherein Bluetooth-enabled devices are hijacked to send spammy messages), BlueSnarfing (where Bluetooth is used to steal data from a Bluetooth-enabled device); or simply eavesdropping on a conversation taking place over a Bluetooth headset can be disastrous for any organisation.

So always switch Bluetooth off when you’re not explicitly using it. Never be tempted to switch it on in a busy, public place, especially on devices with sensitive data. It’s not just audiophiles that lament the retirement of the headphone jack – it’s us security bods too!

Beware of Random Apps – Even on Legit App Stores!

Naturally, the security community will advise against installing mobile apps manually (such as installing random .apk’s on an Android device) and ask you to only use apps that are available through your device’s app store. However, even this may not be as secure as you’d think.

Naturally, the security community will advise against installing mobile apps manually (such as installing random .apk’s on an Android device) and ask you to only use apps that are available through your device’s app store. However, even this may not be as secure as you’d think.

In spring 2022, Google removed dozens of apps from their Play Store – and from user devices – after they found that these apps were hoovering up user data, directly contravening Google’s developer terms. There was a similar incident in 2019 when the Big G removed thousands of apps for many of the same reasons.

However, it’s not just the apps themselves you need to be careful of. Ads in apps are sometimes sneakily designed with fake exit buttons, fake “update now” options, and annoying notifications, all designed to confuse.

So, what’s a mobile security savvy device user to do? This is what we suggest:

  • Only install the bare minimum apps needed, directly from the device’s app store.
  • Only log in to the bare minimum accounts needed for each mobile device.
  • Keep Bluetooth, location data, WiFi, and mobile internet off when not in use.
  • Save personal apps for your personal devices – Google recently removed weather apps, religious/prayer apps, and speed camera detection apps from their library following data collection concerns.
  • Avoid using apps with ads for professional purposes.

Don’t Assume Password Protected Public WiFi is Secure

Nowadays, we’re all aware of the dangers of using open WiFi networks with no password to keep baddies at bay. Most locales like coffee shops and hotels have caught up, providing password-protected WiFi access. But how secure is that password if it’s printed on menus, advertised on sandwich boards, or made available to anyone who has ever visited the business?

The answer is: not very. Even if the hacker has to enter the premises to pick up the WiFi password, this still grants them the same access they would enjoy if the network was open. If you’re a hospitality venue reading this: don’t publish your WiFi credentials for all to see!

Hackers with the right access and know-how can potentially snoop on the network activity of other users and inject malicious code. Or they can set up an “evil twin” network access point – a seemingly exact replica of the establishment’s WiFi that’s designed to fool people into connecting to it – only to harvest any sensitive data that flows through.

Some confident criminals may simply “shoulder surf” – peering over your shoulder to see if they can gather any sensitive info from your screen or intercept any passwords typed in.

To avoid snooping in public, simply turn off WiFi when you’re not using it and make sure “public sharing” is off when you do. If you’re in a coffee shop doing something that doesn’t need internet access, don’t enable it. Don’t interact with anything sensitive like emails on public WiFi without a VPN. And never do anything financial over a public network!

Related Reading: 7 Enterprise Wi-Fi Risks You Need to Know About Today

Biometrics Are Great… Until They’re Not

Most smartphones and a good many laptops nowadays come preloaded with some kind of biometric authentication capability. This is great – biometrics are far more secure than passwords. Rather than using a forgettable or phishable password, a simple fingerprint or retina scan can provide unparalleled authentication clout.

However, don’t be tempted to throw your hat in the ring with just any biometric authentication offering or supplier. Just as hackers go on the lookout for passwords now, there’s a strong possibility that they’re also on the hunt for biometric authentication data too. A phished password is a pain but it can be changed. A fingerprint can’t.

This isn’t the only concern with biometrics. At present, facial recognition technologies have a massive racial bias, with an MIT study finding that facial recognition tools performed over 40% worse on darker skinned women than white men. For the time being, our advice is to use a reliable biometric authentication system (we like Microsoft Hello) and use non-facial biometrics as part of a robust cocktail of multi-factor and passwordless authentication measures.

Good Offline Policies Minimise Online Risks

The best security starts offline, with cautious, well-thought-out policies. Yes, policies surrounding static devices, internet usage, passwords, and physical access security are essential, but don’t forget mobile security policies too!

Set concrete rules around what is allowed when using employee-owned devices (“BYOD”) and COPE (company-owned, personally enabled) devices. Understand the risks of shadow IT and insider threats and establish robust, proactive policies. Also, make sure any documented data leak prevention policies are singing from the same song sheet as your firewalls and IPSs.

But don’t forget the cultural aspect of setting policies, either. If your policies are fair and your team believes in the good that those policies bring about, they’re more likely to abide by them. However, if the team sees the policies as draconian decrees boomed down from on high, they’re likely to be a bit more cynical. Present policy changes as a dialogue and back up your policy decisions with sound reasoning.

Part of this is instigating a blame-free culture around cyber infractions. Nobody wants to be raked over the coals for making a silly mistake, and doing so instils a culture of blame and fear. In turn, this dissuades people from coming forward and owning up to their own cyber mistakes.

Seek to create a culture centred towards transparency and openness. Towards owning up to and learning from mistakes. So, when someone does inevitably make a cyber mistake, they’re more inclined to report it to management immediately so rapid action can be taken. Much more favourable than keeping it hush-hush and letting the hackers win!

When it comes to mobile security, don’t phone it in – speak to one of our experts about your cyber, network, or mobile security concerns today!