Did you know that the number of mobile phones is quickly approaching the size of the worldwide population (7.8 billion)? That's an impressive number, which is still growing steadily and will potentially reach 10 billion within the next 2-3 years.
Unfortunately, such a rapid increase will also increase the activity of cybercriminals, who are constantly adapting their strategies and attack methods to profit from this ever-growing number of potential victims: these methods mostly rely on existing vulnerabilities affecting apps, operating systems, and software, most of which are still unknown (Zero-Day bugs). The main targets of these attacks, needless to say, are user data: credit cards, passwords, contact lists, and so on.
How can you effectively prevent these attacks from taking place and secure your mobile device's data? This post contains a number of suggestions, best practices and authoritative references that can help people, as well as businesses, to effectively manage their cybersecurity structure and protect themselves from mobile data breaches.
Mobile Security Best Practices
Let's start with a list of some common best practices from a number of authoritative sources.
- National Security Agency: Mobile Device Best Practices. This document comes from the NSA, the United States National Security Agency, and was released to the public in July 2020. It features a great table that lists the most common threats and the corresponding countermeasures you might want to adopt in order to mitigate the risks.
- Kaspersky: Mobile & BYOD Security Technologies Whitepaper. This document is a collection of useful recommendations from Kaspersky Lab, the IT security team of the renowned cybersecurity company founded in 1997. The whitepaper addresses the typical vulnerabilities of mobile & BYOD devices, which undoubtedly bring some new security issues: from physical theft to new kinds of malware, from the lack of encryption measures to the dangers that might come from mixing personal and corporate data.
- Samsung's Mobile Security Best Practices. Here's a list of 10 security best practices from Samsung Technologies, the world's biggest company selling mobile devices together with Apple: upgrading, using MDM software, whitelisting/blocklisting, 2 Factor Authentication, Customization, Separation of Contexts, patch management, user training, security awareness, password management tools, and so on.
- ENISA's Smartphone Secure Development Guidelines. A technology neutral, comprehensive list of guidelines from the European Union Agency for Network and Information Security, written for developers of smartphone applications as a guide for developing secure mobile applications. An invaluable resource for mobile developers seeking to improve the security posture of their apps, as well as their underlying source code.
- ENISA's SMAShiNG. Acronym for SMArtphone Secure developmeNt Guidelines: this resource is not a document but an interactive online tool that maps security measures for smartphone guidelines; the tool has been created to support software developers in building secure mobile applications.
Mobile Security Cheat Sheet
Now that we've listed the most relevant contributions to mobile security, let's try to summarize the lessons learned by identifying six major security countermeasures that can be taken to effectively protect your mobile phone's data.
1. User Authentication
Requiring some form of authentication before your device can be used plays a huge role in preventing data breaches caused by physical theft and unauthorized access: the bare minimum to reduce this risk is to have the screen lock turned on and require a password or PIN to gain entry. Furthermore, don't forget that most devices have Face ID, Touch ID and/or some other sort of biometric-based authentication, which certainly helps to increase the overall security posture.
2. Keep the OS up-to-date
Don't underestimate the importance of constantly updating your device's operating system, as well as your apps: using outdated software will greatly increase your mobile device's vulnerability to zero-day bugs. Most vendors, such as Apple, Google and Microsoft, are constantly providing security updates to stay ahead of these security vulnerabilities, and keeping up with these updates is imperative.
3. Avoid public Wi-Fi services
Using a public Wi-Fi service (coffee shop, airport or hotel lobby) might be convenient for a number of reasons: however, it's definitely not the best way to keep your mobile phone's data secure. Any time you connect to another organization’s network, you’re increasing your risk of exposure to malware and hackers: as a matter of fact, even a non-professional hacker can intercept traffic flowing over Wi-Fi nowadays and use such methods to access valuable information such as credit card numbers, bank account numbers, passwords and other private data.
4. Use a Password Manager
According to a recent poll, password managers are used by less than 15% of people owning a mobile phone. This is a ridiculous percentage if we consider how important these tools have become nowadays, since we need to deal with hundreds of usernames and passwords and there's no chance we'll remember each one of them: this leads to a lot of insecure behaviours, such as using the same password for many different services, which obviously poses a high security risk if one of them experiences an authentication data breach or becomes compromised in any way. Password managers minimize this risk by providing a centralized vault to securely store all the passwords in a single place: this makes it easier to maintain secure, unique passwords; this means that your passwords will be much harder to guess and - most importantly - you'll be able to make them "unique" (a different password for each website) as they should be.
To unlock the "vault" containing all of your passwords, you'll use a single "master" password that you'll have to remember, as well as some additional authentication methods (2-Factor Authentication is strongly suggested).
5. Remote Lock and Data Wipe
Remote lock and data wipe are two business features that might be overkill for most end-users, but they can be a life saver for most companies that entrust their employees with mobile and/or BYOD devices. Thanks to these features, whenever a mobile device is believed to be stolen or lost, the business has the ability to protect the lost data by remotely wiping the device or, at a minimum, locking access.
It goes without saying that adopting such a policy means giving the business permission to delete all personal data as well: however, this can often be acceptable if the employee is using the device for work and therefore fills it with business data that should be protected from unauthorized access.
6. Activate a Backup Plan
Last but not least comes the king of data security countermeasures: backing up your data. However, for mobile devices things might be a bit more complicated than for desktop machines, since they are rarely connected to a network that offers a local hard drive, a network-based NAS or other on-premises backup devices.
For that very reason, you should consider a cloud-based backup. If you choose this approach, be sure to select a cloud platform that maintains a version history of your files and that allows you to roll back to those earlier versions, at least for the past 30 days: Google’s G Suite, Microsoft Office 365, and Dropbox are all good examples of this level of service.
That's it, at least for now: we sincerely hope that these mobile security guidelines will help you to minimize the risk of data breaches and keep your mobile devices safe.