MOST know that data security is something that cannot be ignored. Ring a bank, shop or utility company and while the security procedures can cause consternation and irritation, they are there for a good reason: the protection of personal information.
The brouhaha in September over the hacking of Apple iCloud accounts used by a number of celebrities and the subsequent posting of their “private” images onto the web is a perfect example of what can happen when security is breached. The hacking gave the case for security a much-needed boost. But moving the debate on, how many, both privately and in business, secure their portable devices such as tablets or smartphones? According to UK mobile phone comparison site, Tigermobiles.com, in a report published at the end of July, it’s shockingly low at 35%. Further, the site’s research found that 8% of people had lost or had a phone stolen in the previous 12 months and only 7% of respondents had a phone-tracking app installed.
Where business and personal information is involved, users not protecting their devices are sleepwalking into loss, bad publicity and quite possibly a fine from the Information Commissioner's Office (ICO).
A legal perspective
The problem is exacerbated because of a “bring your own device” (BYOD) policy that many employers utilise. These employers have recognised the benefits of allowing staff to use their own devices such as laptops, tablets, and smartphones for work purposes.
Clearly there are benefits for all. Employers have to invest less in equipment knowing that employees tend to be more careful with items they own. Additionally, employees become more accessible to the firm.
Employees are happier because they only have to carry one device and it will be something of their choosing. However, this extends the risk that data security can be compromised and business information can be lost.
The law is emphatic. Employers must ensure they comply with the Data Protection Act 1998 (DPA) at all times and adopt suitable measures to keep data secure by preventing unauthorised use or loss of personal data.
Because allowing employees to use their own devices means data are transferred between the device and company systems, firms should ensure their IT is protected from unlawful interception of data being transferred and ensure up to date security is in place.
Technology and software now permits lost or compromised devices to be remotely wiped. However, while this is technically possible at the press of a button, as the device is privately owned and contains personal information, employers cannot ride roughshod and wipe at will; they need to have written and explicit consent from employees to allow this.
At the same time, since devices co-host personal and business material, employers who want to monitor usage need to have a clear policy on this which employees must agree to while minimising company access to personal information on private devices.
Businesses should be aware of issues relating to software licensing. In the same way that employers are vicariously liable for the actions of their employees, so they should consider the risk that they might become liable for employee use of illegal or pirated software used for work purposes on their device.
Another problem area to consider arises where employees mistakenly use a personal e-mail for work e-mails or where appropriate footers and legal disclaimers are not included.
And, of course, the rapid rise of social media and the use of personal devices by employees for work has limited employers’ ability to place restrictions on access to social media websites. So alongside any policy for BYOD, firms should also implement a social media policy and ensure clear provision is made for what access is permitted during working hours as well as the employers’ expected standards of behaviour.
As an aid, the ICO has a downloadable guide on the subject of BYOD at http://bit.ly/Z6MjDd.
Be practical
With the law laid out, what can firms and individuals do, practically speaking, to protect devices and the data held?
Passwords
The first, and most obvious step, is to use a password to lock the device down. Clearly, the password shouldn’t be obvious or one that is commonly used. A January 2014 survey on Networkworld.com (http://bit.ly/WaE9bj) detailed the worst passwords of 2013 which included “123456”, “abc123”, “000000” and even “password”.
The advice from security software firm Splashdata is to use passwords of eight characters or more with mixed types of characters. However, the firm says even passwords with common substitutions like “dr4mat1c” can be vulnerable to attackers’ increasingly sophisticated technology, and random combinations like “j%7K&yPx$” can be difficult to remember.
Splashdata suggests the use of passphrases: short words with spaces or other characters separating them. It’s best to use random words rather than common phrases. For example, “cakesyearsbirthday” or “smiles_light_skip?”
By extension, it makes sense to not use the same username and password combinations on more than one device.
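The two pieces of Splashdata advice above, that substituted words like “dr4mat1c” are still guessable and that random words make stronger passphrases, can be shown in a few lines. This is an added example, not from the article or from Splashdata; the word list, the dictionary sample and the substitution table are constructed for illustration, and a real passphrase dictionary would be far larger.

```python
import math
import secrets

# Constructed word list standing in for a real passphrase dictionary such as a
# diceware list (a real one has thousands of entries; this is a small sample).
WORDS = ["cakes", "years", "birthday", "smiles", "light", "skip",
         "river", "pencil", "orbit", "copper", "velvet", "harbour"]

# The worst passwords the article quotes, plus a constructed sample of plain
# dictionary words of the kind attackers' wordlists contain.
COMMON_PASSWORDS = {"123456", "abc123", "000000", "password"}
DICTIONARY = {"dramatic", "welcome", "sunshine"} | set(WORDS)

# Reverse of the usual substitutions, so "dr4mat1c" normalises to "dramatic".
LEET = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(password: str) -> str:
    """Undo case and common substitutions so disguised words show their base form."""
    return password.lower().translate(LEET)


def is_weak(password: str) -> bool:
    """Reject short passwords, known-bad ones and substituted dictionary words."""
    base = normalise(password)
    return len(password) < 8 or base in COMMON_PASSWORDS or base in DICTIONARY


def make_passphrase(words=WORDS, count=4, sep="_") -> str:
    """Build a passphrase from random words, using the OS CSPRNG via secrets."""
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(choices: int, count: int) -> float:
    """Guessing entropy of `count` independent picks from `choices` options."""
    return count * math.log2(choices)


if __name__ == "__main__":
    print(make_passphrase())
    # Four words from a 7776-word list vs nine random printable characters.
    print(round(entropy_bits(7776, 4), 1), round(entropy_bits(94, 9), 1))
    print(is_weak("dr4mat1c"), is_weak(make_passphrase()))
```

Four words from a 7776-word list give about 52 bits, within reach of a nine-character random password’s 59 bits, while staying memorable; the normalisation step is why “dr4mat1c” still fails the check.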
Those with devices such as the iPhone 5S or the Galaxy 5 that feature biometric (fingerprint) passcodes should enable them. While they have been beaten, it takes a lot of effort and almost laboratory conditions to succeed.
Users should also remember to set a PIN for SIMs in their device, phone or tablet. When a device is unlocked, the SIM is vulnerable and an abuser can rack up a huge bill.
Another precaution would be to note the device’s IMEI number (dial *#06#); in the case of loss the mobile network can bar it from further use. Another option allows owners to register their devices with Immobilise, a free service from the National Mobile Phone Crime Unit, so that devices stolen and recovered can be reunited with their owner. See http://bit.ly/WaINpl.
Lock screens
Tablets and smartphones are designed to propagate information easily and with notifications on the lock screen they can do so to prying eyes. Incoming messages and e-mail, a boarding card with bar code and search applications can pass information to the unauthorised with ease.
The only answer is to be cautious about what the device is allowed to display or grant access to when locked. Even better, turn the options off. In Android this means going to settings > security > group lock screen > deselect options. iOS users need to go to settings > notifications > and then turn off risky applications. They also need to go to settings > passcode > and turn off applications such as Siri.
Layer up
Apple, Google and services such as Dropbox, Facebook and Twitter now offer “two-step verification” for online accounts. While passwords prove that the user knows a key piece of information and biometrics prove a user is a given individual, adding two-step verification adds another layer – another piece of required information – to the process.
Those wanting to enable this need to visit for Apple, for Google, for Dropbox, http://on.fb.me/JnsD61 for Facebook and for Twitter. For other applications the process is an online search away.
Be flappy
It’s not just accidents that can cause data breaches. Device users need to be aware of malware – apps that can be innocently installed purporting to be worthwhile but which in reality are fronts for malicious developers.
Apple’s OCD level of control makes its ecosystem more secure, but not invulnerable. Part of the vulnerability comes from users who want to “jailbreak” their iDevice because they want more freedom in how they use it – they like the device but dislike Apple’s controls.
What this means is Apple’s security system becomes compromised and further, users are then able to install apps that have not been vetted for malware. The same principle applies to the Android world – it’s just called “rooting” instead.
For those not jailbreaking or rooting, care still needs to be taken. In 2013 researchers from the Georgia Institute of Technology created a malicious proof of concept app that bypassed Apple’s security and made it into the App Store. Dubbed a “Jekyll App” it was one of a number of apps that looked benign at first blush but underneath contained a hidden code that could send unauthorised texts and e-mail, post Tweets, use the camera, dial without permission, use Bluetooth and steal device information. Google’s Android has suffered from this too.
Android, in comparison, is a more open system that is tinkered with by manufacturers and others and is said to be more vulnerable to attack. At the end of July 2014, a report on PCWorld.com detailed how “critical Android vulnerability lets malware compromise most devices and apps”.
The solution is, as the ICO puts it, to only download apps from official and trusted app stores and to be extremely careful of using untrusted sources. Importantly, only download and use apps that have a genuine purpose.
It also makes sense to read the information available about an app in the app store, including reviews, before it is downloaded, while also checking the personal information it will be using. Allied to this, the industry suggests deleting apps that aren’t used.
Users shouldn’t rely on app deletion to remove personal information when disposing of a device. Instead, the advice is to seek out and use the “factory restore” option to completely wipe the device.
As we’ve seen earlier, few plan for the worst by installing apps such as Find My iPhone, BlackBerry Protect, Android Device Manager or Windows Find My Phone. These apps allow a device to be tracked or wiped remotely if lost. While this is a doomsday workaround, at least private data can be deleted, hopefully before it’s abused.
Lastly, and critically, users must get into the habit of installing the latest operating system update from their manufacturer (and also from app developers). As well as typically offering new features and improving performance, they can also fix security vulnerabilities. iOS 7.1.2, for example, addressed issues related to a lock screen bug which could allow unauthorised access to some apps installed on a device.
To conclude…
Smartphone and tablet security is not just for an IT department, it’s a concern for users too. There’s nothing to fear here and certainly nothing beyond the abilities of most users – security just needs a little thought and proactive implementation.