According to a Pew Research report published in 2019, 96 percent of Americans "own a cell phone of some kind." So it stands to reason that your employees have conducted business for your company on their phones. Phones can be vulnerable to hacking, which makes cell phone cybersecurity worth considering.
People often become lax when it comes to cell phone cybersecurity. They may not think about how they have a minicomputer full of sensitive data on their person.
Mobile phone hacks have made headlines. Jeff Bezos’s phone was reportedly hacked when the president of Amazon clicked a video in a popular app. Likewise, the Twitter account of the company’s CEO, Jack Dorsey, was compromised. The hackers SIM-swapped Dorsey’s phone (that is, they took over his number) to gain control of his account.
Cell Phone Hacking on the Rise
“SIM-swapping is growing in frequency,” says Stephen Hyduchak, CEO of Aver, an identity-verification service. “Fraudsters call your cell phone provider and social engineer the representative to trick them into thinking it’s you. Then they import your number in a new SIM to a burner phone. This allows them access to your email and accounts.”
The 2019 Data Breach Investigations Report by Verizon noted that “research points to users being significantly more susceptible to social attacks they receive on mobile devices. This is the case for email-based spear phishing, spoofing attacks that attempt to mimic legitimate webpages, as well as attacks via social media.”
Conducted from November 2017 to October 2018, the Data Breach Investigations Report analyzed breach incidents converted into the VERIS framework. The study found various reasons for cell phone vulnerability. These include the fact that “mobile devices have relatively limited screen sizes that restrict what can be accessed and viewed clearly. Mobile OS and apps also restrict the availability of information often necessary for verifying whether an email or webpage is fraudulent.”
Cell Phones Riskier Than Computers
Users often erroneously think that cell phones are just as safe as computers, believes Rick Ferreira, owner of KMF Technologies, a network consulting company specializing in data retention and security.
Inform your employees that phishing is also an issue on mobile devices... Advise they don’t open random links in emails or texts from financial, retail [or] business contacts.
—Zach Ferres, CEO, Coplex
“Consider the fact that users generally don’t proactively set up their phones the same way as their computers. Antivirus/firewall isn’t typically installed,” says Ferreira. “Security measures from application software providers have also not kept pace with security.”
It is common for cell phones to be used for a wide variety of business tasks, including booking travel.
“Travel itineraries of high-level executives are considered sensitive, but their mobile devices are always with them, frequently sharing their locations, collecting their contact information, and perhaps most concerning, sharing information via cameras and microphones,” says Ted Wagner, vice-president and chief information security officer at SAP NS2, which provides cybersecurity and secure cloud solutions.
"BYOD" and Cell Phone Cybersecurity
“The challenge for businesses is the BYOD (bring your own device) culture of the modern workplace,” says Ferres. “This policy leaves company networks vulnerable to the poor digital security practices of individual employees. It’s important to remember that insecure devices connected to a secure network bring their insecurities with them, making the entire network vulnerable.”
For people who handle sensitive company information, a BYOD policy is probably not the best approach, believes Ferres.
“It might be necessary for such employees to have a separate company phone with IT enforced securities installed," he advises. "These devices should only be used for business purposes and never connected to public WIFI.”
Recommended Cell Phone Cybersecurity Measures
Keeping your company data and employees as protected as possible takes changing mindsets about mobile phones.
“The truth is any device connected to the internet is vulnerable to attack," says Ferreira. "It’s important to take all necessary steps to keep information safe.”
Consider training your employees in the following cell phone cybersecurity protocols.
1. Ensure phones are locked.
“Enabling strong passcodes or using the biometrics—face or fingerprint—features on newer devices can ensure that if you or your employees lose phones, all the personal and professional data is locked down,” says Ferris.
2. Avoid public WIFI.
“Public connections are not secure. All the information transmitted is accessible by anyone else connected to the network,” says Ferres. “If you or employees need to work from a public space, consider using a VPN instead.” (A VPN, or a virtual private network, uses public networks to connect remote users to a private one, usually the company's own network.)
3. Train employees regarding phishing scams and spam.
“Inform your employees that phishing is also an issue on mobile devices,” says Ferres. “Instruct them to be mindful about mobile phone cybersecurity. Advise they don’t open random links in emails or texts from financial, retail [or] business contacts. Have them instead go directly to the website and sign in there.”
4. Require two-factor authentication and strong password guidelines.
“Instruct employees not to reuse passwords over multiple accounts,” says Ferres. “Require messaging encryption, anti-virus software and even restrict what websites and apps can be used while connected to the secured company network.”
5. Consider using one type of mobile device and manage it centrally.
“Having employees use one type of mobile device can allow for tight control, down to managing the apps available on the mobile device,” says Wagner.
“This mobile phone cybersecurity solution forces employees to only use their corporate mobile device for corporate functions,” continues Wagner. “Or consider technical solutions that enable separating personal functionality and corporate functionality on the same mobile device.”
6. Use a mobile device manager.
“Many organizations use mobile device managers to protect cell phone data,” says Wagner. “Some require applying Conditional Access Policies (CAP), which can be cumbersome to implement.”
There are also cloud-based security systems to enhance cell phone cybersecurity, notes Ferreira.
“Such technology allows access to company data within employee phones that can be eliminated when necessary without needing to wipe the phones.”
Read more articles on mobile.
Photo: Getty Images