Recently Apple and the US government had a very public showdown over hacking an iPhone for a legal case. This brought a lot of attention to the subject of mobile encryption and securing data, but many still do not understand how it works or what it even means. Every small business wants to make sure confidential information and email is not leaked, but simply setting a PIN code and thinking you are done will not be enough. When we talk about mobile security, you need to think of your laptop and any other Internet-connected devices as well. Are you using coffee shop or airplane WiFi? If yes, you need to keep reading.
The bad people out there want your data. Today, all data has a cash value. It used to be that hackers made viruses to destroy data and simply be jerks. Now they have realized they can make a living with the trade, and they have created ransomware such as CryptoLocker and CryptoWall and exploit software vulnerabilities to grab massive amounts of company data. On the physical level, social engineers will head into offices and swipe cell phones or thumb drives from desks to later dig through for emails and valuable files.
Right now, think about how many Internet-enabled devices your business data is on: email, contacts, client socials, marketing resources, schematics, and so on. Now think about how many different Internet connections are used by those devices, as well as how many places you use them at within even just one week. That's your attack landscape.
Let’s Get Physical
The Internet is super scary, powerful, and helpful all at the same time. But first, let's start at the much simpler layer of mobile security. Physical access to devices matters just as much as how the data is accessed over the network. Your computer, cell phone, and storage devices like external hard drives and thumb drives will get lost, stolen, or accessed by someone else at some point. It happens. It's life.
Luckily, policies can be enforced for both cell phones and laptops to set and require security measures for securing data. For cell phones, Mobile Device Management (MDM) is used to make sure that lock screens, device encryption, and many other features are required and turned on. This makes sure that when the phone ends up in someone else's hands, the data is not accessible.
Laptops are the same. With domain Group Policies, only authorized users can log in to the computer, and data can be forced to be encrypted at rest (BitLocker). If your small business does not have a domain environment and you don't know what this is, it's very likely you have at least one employee who has files sitting wide open on their desktop with no password required to log in. Bad folks can take the drive out and get all of the data. Change that now.
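As an added example (not code from the original post), here is a PowerShell audit script you can run on a Windows laptop to find the "wide open" drives described above before someone pulls one out. It uses the built-in BitLocker module that ships with Windows 8.1/10 Pro and Enterprise (Get-BitLockerVolume) and assumes an elevated session; the function name Test-BitLockerCoverage is my own and not part of Windows.

```powershell
# Added example: audit BitLocker coverage on the local Windows machine.
# Assumes the built-in BitLocker module (Get-BitLockerVolume) and an elevated session.
function Test-BitLockerCoverage {
    [CmdletBinding()]
    param()

    $report = foreach ($v in Get-BitLockerVolume) {
        # Key protector types tell us how the volume unlocks (Tpm, TpmPin, RecoveryPassword, ...)
        $protectorTypes = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        [PSCustomObject]@{
            Drive            = $v.MountPoint
            Type             = [string]$v.VolumeType          # OperatingSystem or Data
            Protection       = [string]$v.ProtectionStatus    # On = BitLocker is actively protecting the volume
            Status           = [string]$v.VolumeStatus        # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            PercentEncrypted = $v.EncryptionPercentage
            HasTpm           = [bool]($protectorTypes | Where-Object { $_ -like 'Tpm*' })
            HasRecoveryPwd   = $protectorTypes -contains 'RecoveryPassword'
        }
    }

    # A volume counts as protected only when BitLocker is on, encryption has finished,
    # and a recovery password exists (so a TPM swap or forgotten PIN does not lock you out too).
    $gaps = @($report | Where-Object {
        $_.Protection -ne 'On' -or $_.Status -ne 'FullyEncrypted' -or -not $_.HasRecoveryPwd
    })

    $report | Format-Table -AutoSize | Out-String | Write-Host
    if ($gaps.Count -gt 0) {
        Write-Warning ("{0} volume(s) not fully protected: {1}" -f $gaps.Count, (($gaps | ForEach-Object { $_.Drive }) -join ', '))
    } else {
        Write-Host 'All BitLocker volumes are encrypted and protected.'
    }

    # Return the objects so the result can be collected from many machines (e.g. via Invoke-Command)
    return $report
}

Test-BitLockerCoverage | Out-Null
```

Run it as an administrator on each laptop, or wrap it in Invoke-Command against your domain computers to collect the results centrally. When a drive shows Protection Off, the fix is to turn BitLocker on with a TPM protector and add a recovery password; in a domain, the Group Policy setting "Store BitLocker recovery information in Active Directory Domain Services" (or Backup-BitLockerKeyProtector for existing volumes) makes sure that recovery password is escrowed where IT can find it, not on a post-it note.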
Lastly, do not leave post-it notes with passwords on them attached to your monitor or laptop. There are plenty of great password manager applications that can help you with managing the many logins. You just need to know the ones for your phone and logging into your computer.
I have already discussed the need to have a PIN on your phone, but it is also important to make sure the data stored on the device itself, sent to and from the device, and synced elsewhere (iCloud, Dropbox, OneDrive, etc.) is encrypted and secure.
All of the smartphone platforms out there now support device encryption. Since iOS 8, the data "at rest" on the iPhone has been encrypted, meaning someone can't just pick up the phone and plug it in or use other data-stealing tactics to copy the files.
On the Android side, device encryption has been an option since 2011. However, it was only made the default choice for devices since Android 5.0 (Lollipop). The great thing about device encryption is that there is nothing you really have to do for it to be working. Once enabled, the data is snug and secure so long as there is a lock on the device.
While that takes care of the physical phone itself, what about all the new backup methods used? The iPhone loves to back up to iCloud, and when it is plugged into a computer, iTunes will back up as well. Android syncs with Google services like Photos and Drive. Both platforms allow you to sync to Dropbox, OneDrive, and many other file sharing services.
Many of the iTunes backups of iPhones aren't set to be encrypted by default. Hackers have been able to steal personal and business data from the backups stored on computers, even when those computers were password protected, by pulling the hard drives and plugging them into another computer.
Most of the free file sharing and backup services out there advertise that your backups are encrypted and that you can rest easy. However, they neglect to tell you that the key to the encryption is the same key used to access everyone's backups. It's the key to the castle, so to speak. Hackers just need to get access to one key, and everyone's data is then vulnerable.
The method to secure these mobile devices is to require access security (lock screen passcodes, fingerprints), enforce device encryption, and disallow insecure backup and sync methods.
Laptops and Web Traffic
When not in the office or at home, you are still going to need Internet access. Everyone has used Starbucks, hotel, airport/airplane, library, and various other public or guest WiFi. In a pinch it is certainly convenient. However, the connections are anything but secure. Trusting all WiFi connections to be secure is like trusting your IT techs to be able to fix a broken leg. In a pinch (zombie apocalypse) the tech has likely seen enough Walking Dead to be able to make something happen. But on a normal day, let's go with something/someone you can trust.
The recent improvements to in-flight WiFi have provided much better speeds and stability. Heck, I was able to work all through a recent flight to San Francisco without any issue for about $10. However, I made sure to use a company VPN connection. This made sure that all the data in and out of my computer was sent through an encrypted connection visible only to my computer and the other end. Without a VPN, it can be possible for other people on the flight, or the WiFi provider themselves, to see and snoop on your data. Take this example from reporter Steven Petrow of USA Today, who was writing a story while in flight only to be confronted by someone else who had been reading his info.
Our laptops, phones, and even other web enabled devices support VPN connections. Visiting a website with SSL (HTTPS) isn’t enough to protect the usernames and passwords you send to the site from being “snooped” before they leave the airplane. Only using a proper VPN connection will make sure the channel is secure end-to-end.
Make sure all of your staff are using the company VPN by restricting access to important tasks unless they are accessed over the VPN. If a VPN is not an option, staff should be using their own private hotspot or cell phone data connection for securing data.
Some WiFi connections block VPN access for the very reason that the traffic cannot be snooped on. This can be for not-so-nefarious reasons. For instance, if a coffee shop is providing free WiFi to anyone who comes in the door, they may want to block illegal or inappropriate activity (your business should do this too). Using a VPN connection could bypass these filters, so they may choose to simply block all VPN access. In that case, staff can use their mobile hotspots or cell data.
As you can likely tell, there are a lot of different security concerns surrounding the plethora of new ways to access and store data. By setting up policies and procedures for the various devices and tasks, you can ensure the right steps are being taken to secure your company and its confidential data. If you do not have any of these systems in place already, hopefully you can take some of the ideas above and start implementing them now. If you need a bit of guidance or a partner to help review and implement, the team at BCC is able to help. Give me a call and we can review.