Cyber Security

Phone Security: 20 Ways to Secure Your Mobile Phone

Every bit of sensible information and access now fits in the palm of our hands, inside our smartphones. Learn how to mitigate the risk that mobiles carry with them as attackers turn to target them.

Cell phone security has been a commonly overlooked threat for years. Phone security in general is one of those things that, it’s not a problem until it is, and when it is, it’s a big problem.

Every bit of sensible information and access now fits in the palm of our hands, inside our smartphones. Learn how to mitigate the risk that cellphones carry as attackers turn to target them.

——————————————————————————————————————–

Today’s mobile “phone” is a networked computer, a data storage device, a navigational device, and a sound and video recorder. It’s a mobile bank and social network hub, a photo gallery, and so on. 

That’s great, right!?

Sure, however, all of these functions make our mobile devices extremely attractive targets for malicious actors.

Since most of us don’t want to give up the ease of having all of our needs on one device, what can we do to stay safe? 

Two Words: Phone Security.

Phone security is the countermeasure to their malicious attacks. It’s about defending against the wide range of mobile security threats confronting our mobile devices.

What is Phone Security?

Phone security is the practice of defending mobile devices against a wide range of cyber attack vectors that threaten users’ privacy, network login credentials, finances, and safety. It comprises a collection of technologies, controls, policies, and best practices. Phone security protects us from mobile security threats of all kinds.

What are Mobile Security Threats?

A mobile security threat is a means of cyber attack that targets mobile devices like smartphones and tablets. Similar to a hacking attack on a PC or enterprise server, a mobile security threat exploits vulnerabilities in mobile software, hardware, and network connections to enable malicious, unauthorized activities on the target device.

One example of a surfacing threat is when hackers gain access so they can use our mobile processing chips to mine cryptocurrencies or make them part of botnets. A bigger picture would be access and theft of identity and personal accounts, which they can steal and sell for as low as pennies and as high as thousands. Our mobile wallets and financial information can be hijacked for the benefit of thieves.

Mobile security threats also include theft of login credentials for corporate networks. Indeed, mobile phishing attacks, which use texts and emails to trick recipients into clicking on malicious URLs, are up 85% in the last year.

Understanding Mobile Security Threats

Attackers are after our phones. They want to take control of them so they can use our mobile processing chips to mine cryptocurrencies or make them part of botnets. They are after our identities and accounts, which they can steal and sell for as low as pennies and as high as thousands. Our mobile wallets and financial information can be hijacked for the benefit of thieves.

Mobile security threats also include theft of login credentials for corporate networks. Indeed, mobile phishing attacks, which use texts and emails to trick recipients into clicking on malicious URLs, are up 85% in the last year.

Smartphone Threats to Watch Out For

Unfortunately, there are many different kinds of mobile security threats. New attacks regularly come to the attention of cybersecurity experts, the following are among the most common:

Web-based mobile threats.

Mobile websites can download malware onto our mobile devices without our permission or awareness.

Phishing is a typical way attackers get us to click on links to sites containing mobile threats. For example, a hacker might set up a website that looks legitimate (e.g. like our banking site) to capture our login credentials. What can we do about web-based mobile threats? Security software on our phones can help detect malicious websites and phishing attempts. It also pays to be extra careful and attentive. For example, the IRS will never send an email requesting our tax data. (They only use the US Postal Service.) An email pointing to an IRS website is almost guaranteed to be a scam.

App-based threats. 

Hackers create malicious apps that we download or even buy. Once installed, these apps can steal our personal data from our devices or spend our money with our tap and pay apps. It’s a good practice to check charges and purchases carefully. Keeping mobile software up to date also helps defend against malicious apps, as device makers periodically update their software to patch vulnerabilities that these apps exploit. The goal is to protect the information stored or accessible through the device (including personally identifiable info-PII, social accounts, documents, credentials, etc.).

These malicious actors sometimes even hide inside well-known and useful free apps that exploit vulnerabilities or take advantage of certain permissions to then download the malicious aspect into the phone. It’s important that, when an app asks for these permissions, their use is justified.

Network threats.

Mobile devices are usually connected to at least two networks. and sometimes more. These include cellular connection, Wi-FI, Bluetooth, and GPS. Each of these points of connection can be exploited by hackers to take over a device, trick the user or penetrate a corporate network. WiFi spoofing, for example, is a threat in which an attacker simulates the access to an open WiFi network and tricks users into connecting to then sniff sensible data that are being processed by this network. The suggested best practices are to switch off antennas that are not in use and make sure security settings are configured to prevent unauthorized WiFi access.

Physical threats.

This may sound obvious, but mobile devices are small and easy to steal. They also get lost pretty often. Without adequate device security, a stolen mobile device is a treasure trove of personal and financial information for a crook. To mitigate physical threats to mobile devices, it’s wise to establish strong passwords and set up the device to lock itself when not in use, as missing or stolen phones are the most common cases of physical threats. Anti-theft tracking software also helps recover a phone that’s gone missing.

How Can Companies Implement Mobile Security?

Organizations that provide mobile devices to their employees or let them use their personal devices for work must first establish strong security measures. The risks are simply too high for IT departments and CISOs to treat mobile security as a secondary priority. Based on our experience working with enterprises in mobile security, we recommend taking the following steps:

Establish a clear mobile usage policy. 

Mobile devices should be included in organization-wide security policies. Mobile security policies ideally will cover acceptable use, anti-theft measures, mandatory security settings, and more. The policy framework must include compliance monitoring and the remediation of deficiencies.

Segment data and apps on enterprise devices.

It is a good practice to segment mobile users into role-based groups with varying levels of access privilege. This reduces the exposed attack surface area if one device gets compromised. Segmenting applications will also prevent users from installing unwanted software that might end up infiltrating your network. 

Many companies create their own BYOD (bring your own device) programs that have been proven to keep company devices safe. To learn more, check out our article outlining best practices for BYODs.

 

Encrypt and minimize visibility into devices that have access to the company network. 

If a device gets compromised or stolen, it’s best if the malicious user cannot easily access data on the device. Nor should taking over a mobile device become a free pass to the enterprise network and its data. Achieving this objective involves  using identity and access management (IAM) system and data protection solutions.

Install security software on mobile devices.

This is a basic, but essential countermeasure. SecOps teams should treat mobile devices like any other piece of hardware on the corporate network. Tools like mobile threat detection and device and data protection tools can aid security teams in keeping those devices secure.

Monitor user behavior. 

Mobile users often don’t know their devices are compromised, or how sometimes they put themselves at risk. Monitoring user behavior can reveal anomalies that could point to an attack that is underway. In addition, automated monitoring will also prove crucial when making sure your organization’s mobile security policies aren’t infringed.

Build mobile security awareness through training. 

People are accustomed to consumer-type freedoms on mobile devices. It’s a wise policy to build awareness of corporate security risks inherent in mobile technology. Security training programs ought to include the topic of keeping mobile devices secure, what activities belong in their enterprise devices (and which ones don’t), and what day-to-day practices they can implement to avoid falling victim to common threats. Educating your employees can save your company lots of money and reduce mobile security threats dramatically.

How Can You Make Your Smartphone More Secure?

In 2017, the number of new mobile malware variants increased by 54%. With 5G on the rise, experts anticipate an even higher number of risks in 2020. This makes it more crucial than ever to take the necessary steps to protect your personal device from mobile threats.

Phone protection steps, regardless of your operating system:

Set up fingerprint or face recognition 

Losing your phone is probably not uncommon, and having a secure passcode (especially something like fingerprint/facial recognition) will keep your phone safe from anyone who might happen to find it.

Use a VPN

VPNs essentially provide you with a secure phone connection to a private server, instead of you having to share it with everyone else on the public network. This means that your data is safer because it is encrypted as it travels from server to server.

Enable data encryption

Many devices already have encryption enabled, if your device doesn’t, you’ll need to set that up. Data encryption can protect your information from hackers by scrambling it in a code they don’t recognize as it travels from server to server (when it’s most vulnerable).

Set up remote wipe capabilities

This ability enables you to remove any data from your phone, even if you no longer have the physical phone itself. It’s a great safety feature in case your phone is lost and you can’t find it. The process to set up remote wipe differs by device. This guide from the IT department at Northern Michigan University will outline how to enable remote wipe, whatever device you have. 

 

If you have a device management product like Prey, remote wipe is likely part of the service they offer, along with other capabilities like tracking.

Using Prey, you can remotely execute a full format of your mobile device to make sure none of your personal information is accessed, on-demand, and at any moment. Because it will delete everything inside the device including the Prey agent (that’s how efficient it is), Wipe should only be used when recovering the device is not as important as securing your data.

Mobile Protection for Android Users

  1. Only buy smartphones from vendors who issue patches for Android
  2.   Do not save all passwords
  3.   Use two-factor authentication
  4.   Take advantage of built-in Android security features
  5.   Make sure your WiFi network is secure (and be careful with public WiFi)
  6.   Use the Android security app
  7.   Back up your Android phone’s data
  8.   Buy apps only from Google Play
  9.   Encrypt your device
  10. Use a VPN

Mobile Protection for iPhone Users

  1.   Keep your iPhone operating system (iOS) up to date
  2.   Activate the “find my iPhone” feature
  3.   Set up a passcode longer than the 4-number preset
  4.   Enable two-factor authentication
  5.   Set the phone to “self-destruct” i.e. wipe itself after 10 failed password attempts
  6.   Regularly change your iCloud and iTunes passwords
  7.   Avoid public Wi-Fi and only use secure Wi-Fi
  8.   Use only trusted iPhone charging stations
  9.   Disable Siri on the iPhone lock screen
  10. Revoke app permissions to use the camera, microphone, etc.

Takeaways

As hackers continue to target mobile devices, it’s time to take phone security and mobile security threats more seriously. Mobile devices are just as vulnerable, if not more vulnerable, than PCs and other types of computer hardware. They are exposed to threats in the form of malware, social engineering, web attacks, network attacks, and physical theft.

Whether you are in charge of an organization’s security, or you are looking to protect your own gadgets, be someone with a plan. Start with awareness training and robust security policies, and then move towards taking more technical countermeasures to mitigate the risk.

We still call the mobile devices in our pockets “phones,” but let’s be honest, they’re much more than that.

Today’s mobile “phone” is a networked computer, a data storage device, a navigational device, and a sound and video recorder. It’s a mobile bank and social network hub, a photo gallery, and so on. 

That’s great, right!?

Sure, however, all of these functions make our mobile devices extremely attractive targets for malicious actors.

Since most of us don’t want to give up the ease of having all of our needs on one device, what can we do to stay safe? 

Two Words: Phone Security.

Phone security is the countermeasure to their malicious attacks. It’s about defending against the wide range of mobile security threats confronting our mobile devices.

data loss
About the author

Hugh Taylor

Hugh Taylor is a Certified Information Security Manager (CISM) who has written about cybersecurity, compliance, and enterprise technology for such clients as Microsoft, IBM, SAP, HPE, Oracle, Google, and Advanced Micro Devices. He has served in executive roles at Microsoft, IBM, and several venture-backed technology startups. Hugh is the author of multiple books about business, security, and technology