How Secure is Your Mobile Phone Data?

Modern communications devices, such as smart phones and tablet computers, have made the mobile workforce a reality in the last few years. The travelling salesman of old used to fax his sales numbers to head office once a week; now he can upload that data straight to the company server, in real time. The mobile executives who used to have to phone in for daily reports can now pull that information straight from the company extranet, whether they are at home or in another country. And everything, from financial reports to confidential salary information, is sent via email to the directors, who receive it on their mobile phones.

Information is more accessible than ever before, and in the modern economy, information is power. It’s what gives one company a competitive advantage over another. The pace of business, and of life in general, is accelerating rapidly, and being able to access the right information, on demand, from anywhere in the world, enables us to compete and to stay relevant in this modern economy. However, while enhanced mobility has tremendous benefits, it also presents a number of new challenges to the IT security professional.

For many years, IT security was focussed largely on perimeter security, which was enforced by the corporate firewalls. These devices provided a physical barrier between the company network and the outside world. Wireless networking complicated matters to some extent, by extending the boundaries of the company network beyond the walls of the corporate office, but that could be managed with suitable encryption and authentication. Provided the physical location was well secured and provided you had a decent firewall in place, you probably had a fighting chance at protecting your data from threats outside the network.

Things have changed, however. While it’s still imperative to have good perimeter security in place, mobile computing introduces new challenges which have to be dealt with in different ways. That is because it takes the company data off of the servers, which are locked away in secure environments, and on to these tiny mobile devices, which travel wherever the users go. Now the directors’ email, which typically includes some of the most sensitive information on the corporate network, can be found lying around in coffee shops and restaurants, at conference centers and at homes – all packaged in an easy-to-lose mobile phone or tablet.

So, why is this a problem now? We’ve been travelling with notebook computers for years, right? Well, until recently, the mobile worker was restricted to a notebook device, which was controlled by the company’s security policies. It typically ran some version of the Microsoft Windows Operating System, which was hooked into the company domain. This meant that it was subject to the corporate domain policies, which would enforce the standard password complexity requirements, etc. In addition, the notebook hard drive would be encrypted. So, in the event of the notebook device being lost or stolen, the data on the hard drive would be secure.

However, the new generation of mobile devices seldom have the same security controls. Many mobile phone users don’t use a password at all; those that do so tend to use a basic 4-digit PIN which provides minimal security. And many of these devices aren’t encrypted, so anyone can access the data on the device by hooking it up to a computer. This means that some of the most sensitive information on the network can be accessed by anyone who gets his hands on the right mobile phone.

So what can be done about this? Well, it’s clear that the corporate security policy needs to be extended to cover mobile phones. Password complexity requirements must be applied, data must be encrypted, remote wipe features must be enabled, etc. There are a variety of products available that address these needs, to varying degrees. Your IT Support provider should be able to guide you in this regard. If your company doesn’t enforce mobile security, it’s up to you to do so, on your own mobile device. Here are some tips for securing your smart phone or tablet:

1. Choose the right device. Some phones can be secured more effectively than others – for example, the BlackBerry range as well as the Apple iPhone and iPad both support data encryption by default, whereas many other mobile devices do not.
2. Use a strong password (a combination of upper-case and lowercase characters, along with numbers and special characters, is recommended).
3. Set your device to auto-lock after a short interval, and make a habit of locking it whenever you put it down.
4. Enable auto-wipe if an incorrect password is entered a certain number of times. On the Apple iPhone and iPad, for example, there is an option for the device to auto-wipe after 10 incorrect password entries.
5. If you use your mobile device for connecting to the corporate network via VPN, set it to not remember your passwords. Do the same for any web sites that you log on to.
6. Lastly, install some kind of remote wipe software on your device, so that you can remotely delete your data if the device is lost. The BlackBerry Enterprise Server (BES), Apple’s MobileMe and Microsoft Exchange all offer remote wipe functionality, for example.

IT security is evolving daily, and new technologies will certainly be introduced to curb the threats inherent in mobile computing, but one thing is clear: data security is no longer the concern of the IT professional alone. Each and every user on the network has to be responsible for the devices he or she uses, as well as for the data on those devices. Applying the policies mentioned above to your mobile device will go a long way toward protecting your sensitive data.