If you have a mobile phone which you use for business do you wonder about mobile device security? Do you have any idea which of your staff have company data on their personal phones and whether it’s password protected?
What happens if your device has confidential data on it and you lose it or it’s stolen and infiltrated by a cyber attacker? You may think that it is hardly your fault if someone steals your phone but it could cause a massive data breach and all kinds of implications for you and your business.
Furthermore, your phone doesn’t need to be physically stolen – quite often, cyber criminals steal your data while you’re still using it! And it can sometimes take months before you or your business find out.
Don’t bury your head in the sand about mobile device security
If you use your phone to access business emails and files it should have robust protection, especially if data is sensitive or valuable – and to comply with regulations such as GDPR. Those working in regulated industries like financial services and the legal sector in particular should be aware of this.
It’s not just us saying this. We recently held a webinar with IASME – a company which focuses on information assurance for small companies and the supply chain. IASME worked with the UK government to develop the Cyber Essentials scheme and was awarded the contract to be the sole National Cyber Security Centre (NCSC) Cyber Essentials Partner from April 2020.
In the webinar, IASME’s CEO Dr Emma Philpott explained that Cyber Essentials security controls cover mobile phones, including employee-owned Bring Your Own Device (BYOD) hardware and USB data storage devices, which are used to access or store company data.
IASME recently stated on its website:
“There are many organisations that might not wish to include BYOD as they may not want the headache of asking their employees and contractors for details of their devices. However, BYOD is probably the biggest risk to any company, and consequently these devices must be included within the scope of the assessment. Cyber Essentials requires an organisation to understand where their data is and which devices are accessing their network and services. Many home workers are accessing cloud services such as Microsoft 365 and Dropbox from their personal devices as well as connecting to the office network. At the weekend, they might be using the same device to play games or access their personal email. The organisation that they work for has no control over what they may be viewing or downloading. Malware can be stored on a device giving no indication that it is there, until the device connects back into the office network or cloud service where the malware can be transferred with devastating consequences for the organisation.”
Taking cyber security seriously
Cyber Essentials is an important certification for SMEs which:
• require the extra protection because they’re in a regulated sector;
• or want to demonstrate they have the standard when applying for certain contracts;
• or to prove they take cyber security seriously.
Businesses who have the Cyber Essentials certification can protect their mobile phones, secure sensitive data and systems and show their clients and contacts that they are, indeed, serious about cyber security.
Find out more about Cyber Essentials and recent updates to the scheme – you can sign in to see the full video recording with IASME here.
Device security strategy
Businesses should have a practical device security strategy. You could, for example, require your employees to have a separate phone for all their work but that can be expensive. So if business is going to be carried out on a personal mobile phone it has to have some controls on it.
Your strategy must be clear and address device usage and related risks. It should include sensible measures to protect the data on the device, which should be set out in writing and agreed with users. The measures must be easy to use and unobtrusive from the user’s point of view. They might include:
• Mobile device management (MDM), which protects both client-owned and employee-owned BYOD mobile phones, tablets and USB storage devices.
• Encryption of the data on the mobile devices so it’s unreadable if it falls into the wrong hands.
• An administrator should be able to revoke access remotely and also delete the data if a device becomes compromised.
If you would like advice about which measures would be best for you, contact us on the form below.
