Bryan Newlin, CPA | March 21, 2014
Our mobile devices have become so ubiquitous in our daily lives that we often take their complexity for granted. Flashlight, pocket watch, day planner, weather station, camera, news, banking, music, email, texts, phones — mobile devices accomplish far more than anyone would have imagined 10 years ago.
We also take for granted how much information accumulates on one small, easily lost or stolen piece of hardware. Unfortunately, even the most innocuous data can become valuable information to an attacker. Here are some of the most common types of data stored on a mobile device, and how each can be used against you or your business.
Email
Email is a prime target for an attacker. The wealth of information accumulated in email rivals our financial information. We don’t protect email like we protect our bank account, but we should. In the hands of a nefarious snooper, email on a mobile device can do serious damage.
Far too much online security is predicated on the assumption that access to email is secure. However, a few quick searches through the “all mail” folder on your mobile device will return a list of online accounts, purchases, welcome emails, connections through social media, and tons of other launching points for an attacker. Many websites use an email address as a username, so the only additional factor of authentication is the password. That password can be reset and emailed to the address on file, and that inbox is already in the hands of whoever holds the mobile device. What happens when you forget your online banking password? You receive a temporary one via email.
Within the context of business, emails contain attachments, internal communications, price lists, communications with customers, and a whole host of other sensitive information that could cause substantial reputational, financial or legal damage if lost.
Contacts
Most contact lists seem harmless, and some probably are, but valuable information can be contained in these apps. The lifeblood of most business is connections with people. Suppliers, customers and key business partners work together to create the value of the business. Losing contact lists on a mobile device could damage those relationships through loss of trust. Even worse, contacts could be sold or provided to a competitor, reducing your competitive advantage.
Calendar
A calendar may include less sensitive data than email or contacts, but could still help build a profile about the owner of the mobile device. For example, the calendar may list a reminder to pay a bill, details about a teleconference meeting or when a sales presentation will be given. All of these conditions are perfect for an attacker to generate a spear phishing attack — a malicious email designed for a specific target in an attempt to trick the user into clicking on a link, thus compromising the computer and internal network.
Social media
Our online identities have manifested themselves on our mobile devices. Whoever holds our mobile device can access, update and change security settings on Facebook, LinkedIn, Twitter and any other social media app. Whatever personal information about you that couldn’t be gathered through email can almost certainly be accumulated through social media. The reputational damage that could occur through fraudulent postings or pictures is only the beginning. Answers to challenge questions from financial or credit-related sites can often be found in a social media feed.
Multi-factor authentication
Websites with the strongest authentication use multi-factor authentication, either through an authenticator app that generates a random one-time code or by sending that code in an SMS text message as part of the login process. When an attacker has access to your mobile device, they also have access to that code, which circumvents the second factor entirely.
The systematic controls that minimize these risks are too easy not to use. Every mobile device should be protected by some sort of passcode or password. Individuals should turn on the device tracking feature that allows the mobile device to be located and remotely wiped. Businesses using mobile devices should deploy some form of Mobile Device Management (MDM) software and, at a minimum, enforce a passcode and encryption on any device accessing corporate data. All users who connect their device to the corporate network should be trained to immediately contact the appropriate level of management when their device is lost.
We have embedded mobile devices into our communication tool kit and should protect that data with the same rigor as corporate data and personally identifiable information. Unfortunately, the physical and logical security of mobile devices is too often overlooked, exposing a treasure trove of information to prying eyes.
Bryan Newlin is an IT Audit Manager with Yount, Hyde & Barbour’s Risk Advisory Services Team in Winchester. Newlin is also a member of the Virginia Society of Certified Public Accountants (VSCPA). For more information contact Bryan at (540) 662-3417, [email protected], or by visiting http://yhbcpa.com