As per a recent statistic, about a million mobile handsets are getting lost every year. While mobile phones carry valuable data such as business contacts, emails, documents, pictures, videos, etc. and senior management executives are increasingly using their smart phones compared to laptops, securing mobile phones is not given top priority in the IT security agenda of many business organizations. It is highly recommended that every organization includes a ‘Mobile Phone Security Policy’ in their IT Security Policy and Procedures. The policy may include a security checklist similar to the one given below.
1. Physical Security
a. Mobile phones should never be left unattended.
b. Lending the phone to another person should be avoided.
c. Enable ‘Lock Mobile’ on removal of SIM card if such feature is available in the mobile.
d. Enable ‘Mobile Tracker’, if this feature is available in your mobile. By configuring this feature, whenever the SIM is replaced by another SIM, a distress SMS will be sent to a set of user pre-configured mobile numbers without any indication on the compromised mobile. Once distress SMS is received, the mobile can be located with the help of the telecom service provider / police. Some mobile tracker software also aids ‘remote wipe’ of data.
e. Some mobile security solutions like the one from Kaspersky have features like remote lock, remote data wipe etc. Users may consider these solutions to be implemented in their handsets.
f. Database of IMEI (International Mobile Equipment Identity) numbers of all mobiles in the organization with their respective user names should be maintained by the IT department. This will be required in case of reporting loss to the police authorities or the service providers.
2. User Authentication
a. Protect your mobile using passwords and PINs
b. Enable and configure the automatic timeout feature in your mobile phone. This feature locks the handset after reaching a present inactivity time threshold.
3. Data Backup
Data can be backed up in the following 3 ways:
a. Copying the data onto the memory card. But this only protects the user from data loss due to a hardware failure.
b. Synchronizing the data with a desktop. Most mobiles come with a backup / synchronization utility to facilitate this.
c. Backing up service provided by the Telecom Service Provider.
4. Data Encryption
Most smart phones come with encryption facilities. Encryption of both device contents and memory card contents should be considered.
5. Avoid unknown contacts and suspicious websites
a. Avoid message / file downloads from unknown contacts.
b. Avoid file downloads from suspicious websites.
c. Avoid installing unwanted and suspicious applications.
d. Incoming bluetooth connections should not be accepted unless from known sources.
6. Turn off wireless interfaces when not used
a. Wireless interfaces such as Bluetooth, Wi-fi and infrared should be turned off if not in use.
b. Automatic connections to data services such as GPRS and EDGE should be turned off when not in use to avoid malware infection and spreading of malware by infected handset automatically.
c. Adjust bluetooth connectivity power setting to lowest levels to prevent long range attack.
7. Prevention and detection software
Prevention and detection software to defend against malware and other forms of attack is an important step in securing the mobiles. Most mobile devices come with these kind of security features. If not, users may evaluate third party products. Organizations may consider implementing centralized security management to have a single, unified and centralized control over all the mobile devices used within the organization. The security software should have the following functionalities:
a. Firewall
b. Antivirus
c. Intrusion Detection
d. Anti-spam
e. VPN
f. Group Security Policy
g. Remote locking
h. Remote diagnostics
8. Patch Management
Mobile manufacturers come out with new patches and upgrades to fix security holes in the existing operating system of the handheld device. Users should update their OS at periodic levels by checking the manufacturer’s website.