Most businesses of any size have some level of network security in place, especially if they’re heavily regulated or retain sensitive customer data. That’s because most business owners know a fellow owner who has had to deal with the fallout of a business security lapse. That might include stolen data, ransomware, social engineering, or a salesperson leaving town with the business’s entire list of customer contacts.
Servers, desktops, laptops and networking devices are often well protected, in part because there are thousands of Managed IT Service Providers in the US (just like us) working every day to educate businesses on the benefits of their services. But how about smartphone security?
You don’t hear phones mentioned as often, in part because there aren’t as many solutions Managed IT Service companies are able to offer. There are many reasons for this. First, smartphones are a relatively new phenomenon – antivirus software has been around since the early 90s for PCs, but smartphones are barely a decade old. Second, unlike work computers, most phones used for work are owned by the employee, used for personal purposes and house personal data; this makes it harder to secure the environment. Finally, not everyone is running the same operating system, much less the same version of an operating system, so each phone has its own set of vulnerabilities.
All of these problems make it more important to safeguard phones, not less. And while we all wish better administrative software was available to help make smartphones more secure devices for workplace data, there are certain steps you can take today to improve the security of your employees’ phones.
Secure business emails with a mandatory PIN
If your employees are using business email on their personal phone, accessing that information should be behind a PIN. This should be true even if they choose to leave other apps on their phone unsecured.
This security can be enabled at the server level – the email server will not sync with the phone unless a PIN is in use. But in many cases, it isn’t – one study found that 43% of companies have at least one smartphone accessing their network without any lock screen security. This means that a lost personal phone is a major security risk until the IT team can disable email access from that device. Who thinks about reporting a “misplaced” personal phone to IT? Not everyone, unfortunately.
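One way to enforce the server-side PIN requirement described above, as an added example that is not from the original post. The post does not name a mail server; this assumes Exchange Online (Microsoft 365) managed through the ExchangeOnlineManagement PowerShell module, and the mailbox, policy and device names are placeholders.

```powershell
# Added example (not the post's own): make the mail server refuse to sync with a
# phone that has no lock PIN. Assumes Exchange Online via ExchangeOnlineManagement;
# all names below are placeholders.
Connect-ExchangeOnline -UserPrincipalName admin@example.com

# 1. A mobile device mailbox policy that requires a device PIN before sync.
#    AllowNonProvisionableDevices $false also blocks clients that cannot
#    report or apply the policy, which is the gap the post describes.
New-MobileDeviceMailboxPolicy -Name "Require-PIN" `
    -PasswordEnabled $true `
    -MinPasswordLength 6 `
    -MaxInactivityTimeLock (New-TimeSpan -Minutes 5) `
    -MaxPasswordFailedAttempts 10 `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to every user mailbox (pilot on one mailbox first by
#    calling Set-CASMailbox with -Identity for a single user).
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    Set-CASMailbox -ActiveSyncMailboxPolicy "Require-PIN"

# 3. Check: which phones are syncing, and did each one actually apply the policy?
#    DevicePolicyApplicationStatus is the value to review; anything other than
#    AppliedInFull means the device is not yet held to the PIN requirement.
Get-Mailbox -RecipientTypeDetails UserMailbox -ResultSize Unlimited |
    ForEach-Object { Get-MobileDeviceStatistics -Mailbox $_.Identity } |
    Select-Object DeviceFriendlyName, DeviceOS, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastSuccessSync

# 4. Lost or "misplaced" phone: wipe only the work mail account from that one
#    device (-AccountOnly leaves the employee's personal data alone) and stop
#    ActiveSync for the mailbox until the device situation is resolved.
$lost = Get-MobileDevice -Mailbox alice@example.com |
    Where-Object { $_.DeviceFriendlyName -eq "Alice's iPhone" }
Clear-MobileDevice -Identity $lost.Identity -AccountOnly -Confirm:$false
Set-CASMailbox -Identity alice@example.com -ActiveSyncEnabled $false
```

These mailbox policies govern devices that connect over Exchange ActiveSync; for the Outlook mobile app on Microsoft 365 the equivalent PIN requirement is set with an Intune app protection policy instead, so check which client each reported device is using before trusting step 3 as complete coverage.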
Ask employees not to use personal passwords at work
It’s shocking how many companies have had their entire database of usernames and passwords stolen. Many of the largest companies on the internet have had this happen to them. And in many cases, those usernames are simply email addresses.
If your employees are using the same password for their business logins that they use for their personal website logins (their bank, pharmacy or pizza delivery company), that password is almost certainly floating around on the internet. That means it should take about five minutes for someone to “hack” their login at your business. That’s the time it takes to figure out the name of an employee based on their personal email address, look up where they work, and find the email address format at your company.
This problem is even worse on mobile phones. Many of these devices save passwords by default, so if the device is left unsecured, anyone can log into any service they find on the phone. And if the server requires two-factor authentication, that’s no help either, because the passcode is probably coming right to the stolen phone.
There are services out there that can help you ensure that your users aren’t using already-hacked passwords. Unfortunately, in many cases it’s up to the user to ensure that they aren’t saving passwords on devices like phones or laptops that can find their way into anyone’s hands. To guard against this, education is key. Explain the nightmare scenario of stolen credentials to employees, and explain how much work it will cause to change every password when a device with saved passwords gets stolen.
Require additional authentication from mobile devices
Sometimes, logging into software from inside your business’s network and logging in from the outside require different levels of security. For instance, if an employee is logging into your HR system from inside your building, there’s a good chance they are an employee – a username and password might be enough validation to provide access. But if they’re logging in from a phone, a bad actor could be one saved password away from that employee’s W-2. And if the stolen phone belongs to an HR team member or someone in senior management, they could be one saved password away from every employee’s W-2. Because of this, it might make sense to require a second layer of security for devices outside of the network.
To learn how WingSwept can help you protect your business’s assets and data, call us at 919-460-7011 or email us at Team_WingSwept@WingSwept.com.