Joe Stangarone, writer, MRCs Cup of Joe Blog, September 9, 2014
Summary: Users have notoriously bad security habits. The problem is, many of these users are now bringing their personal devices–and their poor security habits–into the workplace. Learn how these users can better protect themselves (and your data) with these simple tips.
Every time a list of user passwords gets leaked, we’re reminded of one scary fact: Users have horrible security habits. For example, can you guess the most popular password in 2013?
But wait, it gets worse. The next two most popular passwords: “password” and “12345678.” Yes, user security habits are that bad. Why is this becoming such a problem?
Well, these users–the same ones who feel that “123456” is a good password–are now bringing their personal devices into the workplace. Many even use their personal devices for work-related tasks.
Along with these devices, what else do they bring to your business? Their poor security habits. What happens if they store sensitive data on their devices? What happens if they use unauthorized devices for business? Without proper security habits, this could cause problems for your company. These problems could range from minor inconveniences to major security breaches.
So, how can users improve their security habits, and better protect your company data? As this is such a broad topic, we split it into two articles. In the first article, we outlined 7 important security tips for users. Today, let’s explore 7 more advanced (but still important) security tips that will help protect users and your company data.
1. Encrypt your data
Here’s a great question to ask: What happens WHEN you lose your mobile device? As mentioned in the first article, password protecting your phone is the first line of defense.
But, what happens if an attacker manages to access your device’s memory or SD card? If left unencrypted, your data is free for the taking.
“I’d recommend smartphone users encrypt their data; Android has this by default and you can choose to do the entire phone or just what is stored on an external SD card,” says Brandon Ackroyd, Head of Customer Insight at TigerMobiles.com. “The data is scrambled and only if the right password is entered is it decrypted. Apple allow this too, and emails, texts, etc. are already encrypted if you have a passcode switched on. You can take it a step further and encrypt the entire phone with use of a third party app.”
2. Back up your data
Most people don’t think about data backups until they need it–when they’ve lost their device or their data. But by then, it’s already too late. Any data that’s only stored on the device itself is at risk if not backed up.
“NQ Mobile’s survey showed that the number one thing that frightened people when it came to the valuable data on their phones was losing their contacts – yes, even more than having their photos or videos get posted publicly,” says Gavin Kim, President, International and Chief Commercial Officer of NQ Mobile. “And similar to locking your phone, this is an easy problem to fix. If your device doesn’t come with backup capabilities, download a backup app from a reputable app store or your wireless carrier. This way, if the worst happens, this is one less thing to worry about.”
3. Watch for Vishing and Smishing
By now, most people are familiar with “phishing” scams. Would-be attackers send fake emails hoping to trick their targets into sharing personal data. While most consumers know not to click on questionable email links, we must now protect ourselves against similar threats: vishing and smishing.
“While basically no one falls for email phishing schemes, we all let our guard down when it comes to text messages and phone calls,” says Kim. “And scammers have taken note, responding with vishing (voice phishing) and smishing (SMS Phishing) schemes. Common cons include bogus websites that target travelers through enticing offers for events and attractions and even fake phone calls from your bank where the faux representative collects personal information then uses that to wreak havoc on your financial well-being. Combat these threats by treating your smartphone as you would your computer – don’t open questionable links, verify the url you go to is the url that you think, let poor grammar and misspellings be red flags, and don’t respond to unsolicited requests for personal information no matter what the Caller ID or email address shows.”
4. Double Check the URL field
URL redirects are a common tool for attackers. They display a seemingly harmless URL, which redirects you to a different site once selected. While such redirects are easily detected on a PC, the small screen of a mobile device makes them much harder to spot, which makes mobile users prime targets.
“Be sure that the mobile site you are on is in fact the correct mobile site,” says Steve Pao, GM of Security Business at Barracuda. “Mobile phone internet browsers do not display the entirety of the URL, leading users to believe that the first snippet of the URL is taking them to the correct landing page. This isn’t always the case. Targeted spear phishing attacks that look like legit social sites can ask you to enter your user name and passwords as if you were logged out, and now have your sign on information.
Mobile users are oftentimes multi-tasking with their phones in one hand and doing something else with their other, not paying attention to what’s going on on screen. In turn, people accidentally click through an in-app purchase or click on ads that could take them to a compromised site. Best thing is to pay attention to what it is that you do on your phones. Mobile malware is picking up traction and is becoming more advanced. Don’t think because you are on your phone that you are invincible. Proceed with caution.”
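As an added example (not from the article or from any of the companies quoted), the Python check below extracts the host a link really points to and compares its registrable domain with the site the user expects, regardless of what a truncated address bar shows. The 30-character display width and the two-label domain rule are simplifying assumptions; all sample links use reserved .example/.test names.

```python
"""Compare what a narrow address bar shows with where a link really goes.
Added example; not code from the original article."""
from urllib.parse import urlsplit

# Assumption: the address bar shows only the first DISPLAY_WIDTH characters.
# 30 is a constructed figure for illustration, not a measured value.
DISPLAY_WIDTH = 30


def visible_snippet(url: str, width: int = DISPLAY_WIDTH) -> str:
    """Return the part of the URL a truncated address bar would display."""
    return url if len(url) <= width else url[:width] + "..."


def registrable_domain(host: str) -> str:
    """Last two labels of the host, e.g. 'account-verify.test'.
    Assumption: simplified rule; production code should consult the
    Public Suffix List to handle multi-label suffixes correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(url: str, expected_domain: str) -> dict:
    """Report the true host and whether it belongs to expected_domain.
    The decision uses the parsed hostname only, never the visible prefix."""
    host = urlsplit(url).hostname or ""
    actual = registrable_domain(host)
    return {
        "shown": visible_snippet(url),
        "host": host,
        "domain": actual,
        "ok": actual == expected_domain.lower(),
    }


# Constructed sample links. The second one puts the familiar name at the
# front of a long hostname, so the visible snippet looks like the real site.
SAMPLES = [
    "https://m.social.example/login",
    "https://m.social.example.account-verify.test/login",
    "https://account-verify.test/m.social.example/login",
]

if __name__ == "__main__":
    for link in SAMPLES:
        r = check_link(link, "social.example")
        status = "OK " if r["ok"] else "BAD"
        print(f"{status} shown={r['shown']!r} real host={r['host']}")
```

Run as a script it prints one line per sample; only the first link is marked OK even though the second one's visible snippet reads like the legitimate site.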
5. Understand where your data lives
As cloud-based storage services become integrated into mobile devices, we face a problem. More and more, users don’t know where their data lives. Many unwittingly place sensitive data on the cloud, thinking it’s only stored on their device. Are they storing sensitive corporate data in an insecure cloud service? Does that service meet business security requirements?
“It is important for business users to understand where and how their data is being stored,” says Paul Hill, consultant with SystemExperts. “It is important for a business to be able to respond to e-Discovery requests, be able to ensure data is properly retained and destroyed when appropriate, and ensure proper access controls are applied. Many applications are now integrated with a variety of consumer-grade cloud storage services that may not meet all business requirements. It can be difficult for some users to understand where data is being stored, and what data may be available to third parties. If the business doesn’t provide a list of approved software and services, users should consult with their managers or their IT department to learn about the risks and make an informed decision.”
6. Use different passwords across sites
While more of a general security tip, it’s one that you can’t ignore: Avoid universal passwords. Your password must vary from service to service. Why? Well, what happens if hackers access your email password? Can they use that same password for your bank account? How about your social sites? Using different passwords limits your risk in the event of a data breach.
“If you’re using cloud backup services – use different passwords rather than having one universal password that you use for everything,” says Ackroyd. “If hackers or an unscrupulous individual get a password for one service, then they’re going to use it to try to access others too.”
7. Use restrictive browser and app settings
Sometimes malware or spyware takes advantage of common browser holes to work its way into your device. If you use your device for sensitive business tasks, enable the highest security setting possible. It may limit what you can do, but it will help protect you against malware that relies on lax browser settings.
“Use the most restrictive of your phone’s settings for apps and Internet access,” says Kevin D. Murray – CPP, CISM, Director of Murray Associates. “Some phones will even flag the activity and warn you if the program tries to do more than it has been given permission to do.”
Founded in 1994, SystemExperts is a premier boutique provider of IT compliance and cyber security consulting services. We help clients see the big picture and design solutions to meet their comprehensive security needs. We are dedicated to providing unmatched personal attention, distilling problems to their root causes and recommending what’s appropriate for our clients. We have built our reputation on providing practical, effective IT security solutions for securing enterprise computing infrastructures.