How to Secure Your Smartphone
Smartphones can be a significant cybersecurity risk, in part because many owners take a lackadaisical view when it comes to properly securing them, and attackers know it. Couple this with the reality that smartphones are network-connected devices that store all kinds of data, including passwords, personal and financial information, location data, documents, photos, and client confidences, and the reason smartphones are such an attractive target becomes self-evident. Now add into the mix that there is no work-from-home or personally-owned-device exception to the rules of professional conduct, and your obligations as a lawyer become clear. Every smartphone anyone is using for firm business must be properly secured. There can be no exceptions.
What type of threats do we need to be concerned about?
The following are the most common concerns:
Phishing attacks that use social engineering tactics in order to trick someone into doing something that enables a successful attack
The attack vectors vary. It could be a malicious link in an email or text message, a concerning voicemail, a flood of multifactor authentication (MFA) prompts sent at 1 in the morning in the hope that the target will eventually accept one, and the list goes on. Should someone click on the malicious link, return the wrong call, or approve that annoying MFA request, it’s game over. Making matters worse, the victim will often not even be aware that their actions enabled a successful hack.
The downloading of a malicious app
Malicious apps may be available for free or for a price, and malicious code can even be hidden inside well-known, useful free apps. Malicious apps typically exploit software vulnerabilities on the smartphone that can allow a hacker to access device data.
A smartphone’s radios, whether GPS, Bluetooth, Wi-Fi, or cell service, can be exploited by hackers in multiple ways. A few examples include users being tricked into logging into fake sites, unwittingly connecting to rogue networks or access points, or unintentionally allowing access to their geolocation data.
Smartphones are small, easy-to-steal devices that contain a treasure trove of valuable information.
What steps should we be taking to address the problem?
While there are additional things that can be done, such as regular user training on how to spot a phishing, smishing, or vishing attack, if your firm is able to accomplish all of the following, you’re going to be off to a great start.
Secure all smartphones: Set PINs and passwords and make them as strong as possible. For device passwords, this means all passwords should consist of a combination of numbers and letters that is at least 8 to 10 characters in length. The longer, the better, and the use of a unique passphrase is fine. Avoid using facial recognition or fingerprint scanning, as biometric-based security is less secure. Enable the auto-lock feature and set it to lock after the phone has been idle for no more than 5 minutes. A setting of 1 minute would be even better. Also, enable the “find my phone” feature. This feature will help you locate a lost or stolen phone and will also let you remotely delete your phone’s data should that ever prove necessary.
Enable an automatic factory reset after 10 to 15 incorrect attempts to unlock the phone. Should someone try to gain access to a phone’s data by guessing the passcode, this will delete most data, including downloaded apps. And finally, make sure that the encryption function is turned on as one additional step to protect the data stored on each device. Note that on some smartphones data encryption is built in.
Keep all phone operating systems and apps up to date: Enable auto-update and accept those updates whenever they are made available. Users may need to manually check for app updates, which should be done at least monthly.
Install a robust security app on all smartphones: Examples include Bitdefender, Norton, Trend Micro, and VIPRE. Avoid using free versions of security apps, as free versions will not provide the same level of protection. If the security app comes with a VPN, turn that on. If it doesn’t, then also install a VPN app on all smartphones. While any data stored on a smartphone is encrypted if encryption is enabled, data traveling to or from a smartphone isn’t always. The use of a VPN addresses that concern. Here again, avoid the use of free VPNs if you want your data stream to be as secure as possible. Examples of trusted VPN providers include CyberGhost, NordVPN, and ProtonVPN.
Disable Wi-Fi auto-connect and Bluetooth auto-pairing. In addition, it’s a good idea to turn off Wi-Fi and Bluetooth when they are not in use. In short, you don’t want to leave a potential entry point open and unmonitored.
Institute a firmwide policy that prohibits the downloading of any apps from untrusted sources. Stick to using apps available from your devices’ official app store, for example the Google Play Store and the Apple App Store. Many apps from untrusted sources contain malware that can steal data and install viruses, just for starters. In addition, train users to be cautious about accepting all requested app permissions. Permission should only be granted to phone features that the app needs to function properly. For example, why would a flashlight app need access to a phone’s location data and contact list? Don’t grant these kinds of permissions to any app that doesn’t need them.
Finally, never donate, recycle, resell, or otherwise replace a smartphone without erasing all of the data, signing out of and then deleting all downloaded apps, and resetting the phone to factory defaults. Letting go of a smartphone without properly deleting all data is just asking for trouble.
Authored by: Mark Bassingthwaighte, Risk Manager
Since 1998, Mark Bassingthwaighte, Esq. has been a Risk Manager with ALPS, an attorney’s professional liability insurance carrier. In his tenure with the company, Mr. Bassingthwaighte has conducted over 1200 law firm risk management assessment visits, presented over 550 continuing legal education seminars throughout the United States, and written extensively on risk management, ethics, and technology. Mr. Bassingthwaighte is a member of the State Bar of Montana as well as the American Bar Association where he currently sits on the ABA Center for Professional Responsibility’s Conference Planning Committee. He received his J.D. from Drake University Law School.