What are the security risks of my team using their own smartphones for work?

Mobile phone security – do your team use their own smartphones for work?

Having work email accounts and possibly data on personal smartphones is commonplace for many businesses.

The convenience of being able to quickly access important mail, documents or other key pieces of information on the move is one compelling reason.

Another is the fact that one can have multiple accounts on a single device.

And a big financial advantage is not having to buy a separate work phone for each team member.

But there are real risks to this solution, and we will go through them in this article.

Ultimately, the power of a smartphone (what it can do and what it holds) means that it has become a target for cyber-attack, either via a remote attack or simply by someone who shouldn’t getting their hands on it.

Hoping for the best or blind ignorance are not your friends here. Taking responsibility and assessing the risks are going to keep you safe.

Is it password protected? Nearly every smartphone in existence can be secured with either a password or a biometric lock (think fingerprint or facial recognition). If a thief or opportunist can simply swipe and open the phone, they have access to the Crown Jewels. Setting a lock takes seconds and should be the very first thing you do.

Biometrics. Many phones can now tie purchases to a biometric such as a fingerprint or iris scan. This helps to minimise unauthorised purchases in the event that the phone has fallen into the wrong hands.

Encrypt the device. iPhones are encrypted by default, but not all Android phones are. On an unencrypted phone, anyone who steals it can read the data on it. Look at the manufacturer’s website for encryption options and always encrypt where possible. Personally, I would never use a smartphone that I can’t encrypt.

If the device is lost or stolen, there are several things to think about. Do you know what work data is actually on the phone? Which email accounts does it access? Can it see any cloud data? If so, what? Are there any other apps, such as banking or booking services (think Uber, Amazon, anything where pre-stored purchase data is kept)? Both G Suite and Microsoft have simple mobile device management tools that can either completely wipe a phone remotely (when it next appears online) or selectively wipe it. The latter is very useful where a team member uses their own phone at work, because it can be configured to wipe only the work data and email accounts rather than the whole phone.

Mobile app breach (malware). Whilst this is generally more of a concern for Android-based phones (e.g. Samsung), it should be a warning to everyone. Only install reputable apps on the phone. Downloading some app to illegally stream sports may seem like fun, but this kind of app is exactly the path that cyber criminals take to infect your phone with all sorts of unpleasantness. The very fact that the app offers illegal streaming of sports should be a wake-up call.

Only use non-jailbroken phones. Some of your techie-minded team may know how to hack or “jailbreak” their phone and install a customised operating system. Maybe there are advanced apps they like to use or are simply just curious.

What they do on their own devices may be their call, but the second there is work data on the phone, they are threatening the security of not only the device but also the work environment. Think of a ransomware infection spreading into a Dropbox, SharePoint or Google Drive.

Non-secure WIFI. When you are in a Starbucks (for example) whilst waiting for your next meeting, and you connect to the WIFI network called “Starkbucksfree”, you are making some assumptions: firstly, that this WIFI is actually supplied by Starbucks, and secondly, that it is safe to use. Think again. Often, these networks are set up on the fly by cyber-criminals and redirect devices to sites that mimic legitimate ones, with the aim of stealing passwords and banking credentials. There are many examples of users falling foul of this scam and it is no fun to be caught out by it. By subscribing to a secure VPN service, even when using a free hotspot, the internet traffic on your phone is routed through the VPN provider’s servers rather than wherever the hotspot operator chooses to send it. This means when you go to Google, you really are going to Google!

My phone automatically switches to such a service whenever I am connected to any WIFI network – so I don’t need to worry about such issues. You could too!

Business compliance. Depending on your type of business and what you do, there may be compliance and insurance criteria that require you to address some or all of these issues. Without them, your insurance may be void or your compliance may be rescinded. Worth bearing in mind.

Never be complacent. Cyber defence is a moving target. This is a “spy-vs-spy” world where each week a new development appears, so never rest on your laurels.