info@qualityplusconsulting.com | +1 262-553-6510

If everyone in your business team were given a smartphone, what strategies would you employ to help them to learn how to effectively communicate with it?

When technology is used in business, the business has to consider the risk, liability, and security implications of that technology. It has to consider how the information on the smartphones will be protected from compromise by Internet-borne viruses, physical theft, text-based hacking, or loss of the device by an employee, and put systems and policies in place to mitigate those risks.

Mitigate text-based hacking
Texting is the single biggest hacking risk on a smartphone. At present there are few viruses that can compromise a phone through ordinary web browsing; downloading something from a website is another matter, and that can be addressed through staff training. Allowing texting on business phones is such a security risk that I would simply disable it at the source, with the phone service provider. To see how easy it is to hack a smartphone through text messages, check out the following resources; some of the articles include videos. It is a real eye-opener.
Three simple steps to hack a smartphone
Hacking phones using texting

There are also e-discovery compliance considerations. Allowing texting on phones leaves the organization wide open to e-discovery problems. Suppose a lawsuit is filed against your company: you have to immediately start capturing and archiving all related electronic data, which could include every communication sent and received by your sales force, texts on their phones included. That is a logistical nightmare, and there are no automated solutions available for it, whereas there is a plethora of products on the market for meeting e-discovery requirements for email on Exchange servers.

If texting is disabled on the smartphones, staff will simply have to use the email that is configured through ActiveSync. (I assume we would only be using Windows Mobile because it works securely with Exchange. See a previous article on fake smartphones.) This means every message sent or received on those phones has already passed through the spam and virus scanning at the Exchange server (or the mail gateway in front of it) before it reaches the phone, provided that scanning is actually in place. That is critical, because there are currently no effective antivirus products for smartphones on the market. Forcing staff to use email on the phone also keeps your e-discovery plans intact.

Physical theft or employee loss

Exchange servers now offer remote wipe for ActiveSync smartphones: an administrator tells the server to send a wipe command to the device. There are limitations, however. The command is delivered only when the phone next checks in with the Exchange server, which may never happen, so the server's record of whether the phone acknowledged the wipe is the only evidence that it actually ran. The remote wipe also cannot wipe an add-on memory card such as a microSD card in the phone, and these cards are commonly used to store email attachments. Ensuring those microSD cards are encrypted should be a priority before the devices are handed to employees.

Personally, I don't count on the reliability of the remote functionality because if I were a thief, the first thing I would do is take that phone to a place where there was no cell service. These places are not hard to find. The cellphone could be put under a metal bucket while it is being hacked. This would likely block a functional cell signal. So another mechanism to ensure the integrity of the data on the phone is required.

The need to encrypt the entire phone
As discussed in my article on fake smartphones, no phone manufacturer currently offers a viable option for encrypting the entire contents of the phone. This is a major gap in security. You may be able to configure email attachments to be stored on a microSD card, but that does nothing for your calendar, contacts, and the mail folder data itself. Your email password is also stored somewhere on the phone in the ActiveSync settings, and a hacker would surely figure out how to harvest it from an unencrypted device. Because the entire phone needs to be encrypted, a piece of software like PhoneCrypt is required; it encrypts the entire phone contents, not just the microSD card.

This also helps dramatically when you go through customs. The usual Fourth Amendment warrant requirement does not apply to searches at the border: customs regularly makes full copies of the data on travelers' phones, and may seize the phone outright so that you never see it again. As a result, many executives simply do not take configured phones with them when they travel internationally. It is easy enough to take a blank or wiped phone, sync it once you are past customs, and have IT wipe it again before you re-enter the country. I know several companies that are using this strategy today.

There is another issue you may not have considered: the security of the phone calls themselves. Since the Patriot Act, the NSA has been widely reported to be intercepting phone calls, domestic and international. So how do you keep inter-company communications, or calls between executives discussing confidential business, private? PhoneCrypt addresses this as well. When both devices have PhoneCrypt installed, it encrypts the call and sends it over the data channel, so the content of the call is unreadable to the NSA or anyone else who snoops. Note the limits: a call to a phone without PhoneCrypt goes over the ordinary voice channel unprotected, and the carrier can still see that an encrypted data session took place between the two devices, even though it cannot read it.

Employee training is mandatory
Training and written policies are key to enabling employees to use technology safely and effectively. Unless people are trained, they tend to do stupid and risky things with their phones.
CSO has a really nice article on stupid things people do with their phones.
The training must also address Internet-borne viruses and malware. Employees should be trained to visit only approved websites and never download anything to the phone, including ringtones and other seemingly innocuous items. It must be stressed that the smartphone is a business tool, not a toy.

IT and management should collaborate to produce the training documentation that is issued to staff and covered in the training session. A good start is a document written by David Bach on 10 Steps to Cell Phone Security.

Staff should be trained hands-on in small groups of five or fewer at a time. This way they get plenty of interaction time with the phones and with the IT staff training them. From a usability perspective, some of the topics IT should cover include:

  • Using contacts and the global address list to find contact information, then call and/or email
  • Using email, signatures, and attachments
  • How and when to sync
  • How to reboot the phone if needed
  • How to set up a PIN on the phone and an appropriate auto-lock timeout
  • How to use Bluetooth headsets
  • Phone safety while driving
  • Using the various keyboard input methods
  • Collaborating with executive assistants while out of the office


Business-only use
This should be obvious, but it is worth stating nonetheless. Too many people hook up their personal email accounts to the smartphone their employer provided. A personal account bypasses the server-side scanning and archiving described above and puts the phone, the company's entire global address list, customer contacts, company email, and data files at risk. I cannot stress enough how important it is for your IT staff to do random, unannounced audits of smartphone configurations throughout the organization. You must check and enforce the policy that no email account other than company email is configured on the smartphone.
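Most of the controls discussed above (the PIN and auto-lock timeout from the training list, encryption of the microSD card, the remote wipe and its acknowledgement from the theft section, and a server-side starting point for the configuration audits) can be enforced centrally from Exchange rather than left to each user. The following Exchange Management Shell commands are an added example written for this page; they are not code from the original article, from Microsoft, or from any product named here. They assume Exchange 2007 SP1 or Exchange 2010 with Exchange ActiveSync; the mailbox "jsmith", the policy name "Corp Smartphones", the address it@example.com, and the device ID are placeholders.

```powershell
# Added example (not from the original article or from Microsoft). Assumes
# Exchange 2007 SP1 / Exchange 2010 with Exchange ActiveSync, run from the
# Exchange Management Shell. "jsmith", "Corp Smartphones", it@example.com
# and the device ID are placeholders.

# 1. Mailbox policy: the handset must accept these settings before it may sync.
$policySettings = @{
    Name                            = "Corp Smartphones"
    DevicePasswordEnabled           = $true        # PIN required to unlock the phone
    MinDevicePasswordLength         = 6
    MaxInactivityTimeDeviceLock     = "00:05:00"   # auto-lock after five idle minutes
    MaxDevicePasswordFailedAttempts = 8            # phone wipes itself after eight bad PINs
    RequireStorageCardEncryption    = $true        # encrypt the microSD card holding attachments
    PasswordRecoveryEnabled         = $true        # recovery password escrowed in Exchange
    AllowNonProvisionableDevices    = $false       # refuse phones that cannot enforce the policy
}
New-ActiveSyncMailboxPolicy @policySettings

# 2. Apply the policy to a user (loop over a group or OU for the whole sales force).
Set-CASMailbox -Identity "jsmith" -ActiveSyncMailboxPolicy "Corp Smartphones"

# 3. Remote wipe of a lost or stolen phone. List the user's partnerships first;
#    a user can have more than one device.
Get-ActiveSyncDeviceStatistics -Mailbox "jsmith" |
    Format-Table DeviceID, DeviceType, LastSuccessSync -AutoSize

$lostDeviceId = "PLACEHOLDER-DEVICE-ID"   # placeholder: take the real DeviceID from the listing
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "jsmith" |
    Where-Object { $_.DeviceID -eq $lostDeviceId }
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses "it@example.com" -Confirm:$false

# 4. The wipe is delivered only when the phone next syncs. Until
#    DeviceWipeAckTime is populated, treat the data as still exposed and reset
#    the user's domain password, because it is cached in the ActiveSync
#    settings on the handset.
Get-ActiveSyncDeviceStatistics -Mailbox "jsmith" |
    Where-Object { $_.DeviceID -eq $lostDeviceId } |
    Format-List DeviceID, DeviceWipeRequestTime, DeviceWipeAckTime, LastSuccessSync

# 5. Inventory for the unannounced configuration audits: every mailbox with a
#    partnership, which devices, and when they last synced. A device that is not
#    on the issued-phone list, or has been silent for weeks, gets a hands-on check.
Get-CASMailbox -Filter { HasActiveSyncDevicePartnership -eq $true } |
    ForEach-Object {
        $mbx = $_.Identity
        Get-ActiveSyncDeviceStatistics -Mailbox $mbx |
            Select-Object @{ n = "Mailbox"; e = { $mbx } }, DeviceID, DeviceType, LastSuccessSync
    } |
    Sort-Object LastSuccessSync
```

The server-side inventory does not reveal a personal email account configured on the handset, so step 5 only tells you which phones exist and which have stopped checking in; the hands-on inspection of each phone's accounts is still required. The policy in step 1 is enforced by the phone itself, which is why non-provisionable devices are refused: a handset that ignores the policy would otherwise sync with no PIN and no card encryption.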

Summary
By now it should be obvious that simply purchasing smartphones for your staff and deploying them would be extremely foolish. This is why it is so critical to use IT experts. If yours is a small business with no IT staff, or a single IT employee, you cannot expect that person to be a security expert. This is a prime example of why you should use the services of an IT security consultant like Quality Plus Consulting. Introducing any new technology into your business without competent advice is like driving at night on an unpaved road while blindfolded: you cannot see where you are going and you do not know where the obstacles and pitfalls are.
