Your mobile phone and those of your employees are probably considered essential business tools. Are you taking adequate precautions to keep safe the data they contain?
There are two aspects to keeping data safe. One is making sure it's available when you need it, the other is to ensure the wrong people don't have access to it.
Where important data is stored on the phone and is not synced to a cloud application, backup should be considered essential. Some kind of automatic cloud backup is certainly the most convenient, but unless the data is kept in an encrypted form it might be preferable to back up to a private device, perhaps something like the SanDisk Connect Wireless Stick.
But how do you secure the data against intruders? There are two separate aspects: first, we'll look at avoiding malware that can steal data from a device.
The most common and most basic tip is to download apps only from a legitimate app store. For iPhone users, that means Apple's App Store. For Android, that's Google Play and perhaps the stores operated by phone vendors such as Samsung.
It's not that these stores are 100 percent guaranteed malware free, but these companies do take significant measures to keep malware away from their virtual shelves. Other sources, especially the shadier kind, aren't so fussy and the Bad Guys take advantage of that.
If the App Store is your only source of iOS apps, there's no reason to jailbreak your phone. Similarly, leaving the 'Unknown sources' option disabled is a basic precaution for an Android phone - and unless you know what you're doing, rooting it is probably not a good idea.
Mobile security software is controversial in some quarters, but there seems to be a growing feeling that it is advisable for Android devices, largely because it's relatively easy to load apps from places other than Google Play. But Sean Richmond, senior technology consultant at Sophos, pointed out that Google's checking mechanisms are applied after an app is available, not before (as is the case with the App Store). But then the XcodeGhost malware aimed at iOS developers resulted in at least several dozen malicious applications reaching the App Store.
Richmond identified three main classes of malware that go after the data stored on a phone.
Mobile ransomware makes it impossible to use the phone normally until a ransom is paid. The problem here is not that it steals data, but rather that it makes the data inaccessible to the phone's legitimate user.
Another category does steal the data - anything from the contacts list to "everything that lies in the user space" (i.e., all the user's data). Contact lists are valuable as they provide a way of tricking people into giving up information - people are more likely to respond to requests that appear to come from someone they know. And the more data someone has about you, the more likely identity theft becomes.
Then there is banking malware that can capture transaction confirmation codes received from the bank by SMS and forward them to the criminals behind the scam without the user ever seeing them. Combined with malware that captures login credentials, this allows them to make fraudulent transactions.
There are plenty of other types of malware, including those that surreptitiously access premium SMS services, act as listening devices, and so on. But that's another story.
AV-Comparatives' most recent (August 2015) review of mobile security products (PDF) gave the highest malware protection ratings to Trend Micro, Bitdefender, G Data and Antiy. All four detected 100 percent of the 2,365 pieces of malware in the test set, but Bitdefender and G Data raised three false alarms for known-safe apps from Google Play, and Antiy generated five false alarms.
Products from CM Security, CleanMaster, ESET, Tencent, AhnLab, Avira, and Avast provided 99.9% protection. Symantec's Norton product was notably absent from AV-Comparatives' review.
We believe phishing protection (to reinforce whatever measures are taken by your email server) is another important function of a good security product. Emails that try to trick you into visiting a fake site and entering the username and password that you use with the real service (Gmail, Facebook, etc) are all too common.
Interestingly, AV-Comparatives suggests "In western countries, assuming you stick to official app stores and don't root your phone, the risk is currently relatively low, in our opinion. However, we must point out that 'low risk' is not the same as 'no risk'. In addition, the threat situation can change quickly and dramatically. It is better to be ready for this, and to install security software on your smartphone. Currently, we would say that protection against data loss in the event of the phone being lost or stolen is more important than malware protection."
Lost or stolen phones
Capabilities to protect lost or stolen phones include remote wipe (so data can be removed from a missing phone) and a location feature (the phone's most recent position is displayed on a map). If the phone has been found by a well-meaning person, the ability to display a "lost - please contact..." message on the screen may speed its recovery.
The report does not summarise the products' performance in these other aspects of security, so study the reports on the products that you're considering - but don't forget that there are others on the market.
Remember that you also should be concerned about your employees' mobile phones if they use them for work purposes. If you're not paying for those phones you're not really in a position to insist on what software is or isn't installed on them, and the mobile device management software (MDM) that can help enforce such rules isn't designed for the small businesses that BIT is aimed at. The idea underlying MDM with BYO phones is "it's up to you what you do with your phone, but unless you follow our policies we'll prevent you using the company network, email and other accounts, contacts list, and so on." It is also very useful for managing a fleet of company-owned phones.
There's also Mobile Content Management software, which puts business apps and their associated data into a secure 'container' that is not accessible to other applications. This has the dual advantage of helping to protect them from malware and providing an extra layer of security that makes it harder for people who gain access to the device - whether that's your employee's child who has been given the phone as an electronic babysitter while they're sitting in a supermarket trolley, or a thief set on corporate espionage. Again, this type of software generally isn't aimed at the smallest businesses.
What you can - and arguably should - do is make it clear that you expect, as a minimum, that employees will follow basic security guidelines, including locking their phones, using a passphrase rather than a short PIN, running security software (which you would presumably pay for), and perhaps using whatever measures are available to encrypt the data on the phone.
Other measures, for your phone and theirs, include keeping the operating system and apps up to date, and avoiding apps that require excessive permissions (eg, why would a movie player need to send SMSes or access the contacts list?).
These tips may not turn your phone into an electronic Fort Knox, but they'll go a long way towards keeping your business data secure and private.