After a long night of surveillance and report writing, you decide to get some rest. As you're about to drift off to sleep you remember that you need to set the alarm on your phone. You panic as you realize your phone is missing, and you may have left it at the restaurant earlier that night. You immediately jump in your car and return to the restaurant, but to your dismay, the staff hasn’t seen it and no one has turned in anything. You decide to retrace your steps in the hopes you left it somewhere in at home. After double checking your car, and tearing apart your house for the second time, you have nothing. You are filled with dread as you come to the realization, your phone is gone!
This scenario happens all too often, and for those who carry sensitive information in their pockets, “what happens to the data on a mobile device when it’s lost?” is an important topic that must be addressed. When using digital devices to access and store sensitive data, a protocol should be in place to deal with situations when an employee has lost a laptop or mobile device. The liability that comes with using and storing sensitive data is not one to be taken lightly, and if you haven’t created a plan to prepare employees on how to handle, protect, and dispose of this information, it is definitely time to evaluate the process.
The CDW Corporation provides an extensive checklist a great start for any mobile risk management policy. While you’re working on a comprehensive policy, here some practical things you can implement right away that will immediately reduce your risk:
Turn off AutoFill in browsers: While it may save you some time, the risk of your device auto-populating account information can put your data at risk. If your device(s) are stolen or compromised, AutoFill may make it easier for your digital accounts to be accessed by an unauthorized user. You can disable AutoFill in Chrome, Safari, Internet Explorer and Firefox. As an alternative, consider using a password manager to store all of your credentials.
Avoid saving data you don’t need, encrypt what you do: Data should be encrypted when you are downloading, uploading, or storing it. Rest assured all data input into Trackops is encrypted, however, the files on your local drive may not be. Fortunately, many mobile devices are encrypted by default these days, however some phones and most personal computers are not. If you aren’t sure if your device(s) are encrypted, or don’t know where to begin, Micah Lee at The Intercept details some best practices for encrypting your data.
Don’t use public Wi-Fi: Some things (ok, all things) are best not accessed via public Wi-Fi. Connecting to public Wi-Fi is dangerous because your connection is not encrypted, meaning your information is susceptible to being snooped and snagged by unscrupulous individuals.
Regardless of if you’re looking at a bank statement, or simply sending an email, when you access data via public Wi-Fi, your information may be at risk. David Maimon at the University of Maryland explains the dangers of public wifi:
“the major hazard with public Wi-Fi is the fact that all the information you’re transferring between your computer and the computer that you’re accessing is available to everybody on the network.”
If you must use public Wi-Fi, you should consider using a virtual private network (VPN), and force your browser to use HTTPS (which secures browser information via encryption) with an extension like HTTPS Everywhere.
Require passcodes for devices: Why make a crime of opportunity even easier by leaving your smartphone, tablet and laptop without its most basic layer of security, the passcode? As Microsoft's chief online safety officer, Jacqueline Beauchere explains:
"using a PIN or unique password is the single most important thing to do as a user of a smartphone to protect the device, the data and your reputation. I'd say the data on your phone is more valuable than on your desktop computer, partly because it has the more recent information."
Chances are, you’re not going to be at your desktop or laptop at every moment. Set your system to sleep before stepping away, and always require a password to unlock the screen.
Two-factor Authentication: If you subscribe to and read our blog, you’re likely familiar with Two-Factor Authentication (2FA) and our strong endorsement of this security measure. 2FA is one of your best protections you can activate for any application that supports it. If you haven’t already, remember to enable Two-Factor authentication on Trackops today!
Know how to remote wipe your devices: Both Apple and Android have the ability to wipe their respective devices. Remote wiping allows a network administrator or device owner the ability to remotely send a command that will delete all data from your device. Should you lose your device and aren’t able to recover it, you can wipe it right away to alleviate any doubt.
For larger companies, it may be worthwhile to invest in Mobile Device Management software (available for both iOS and Android). Regardless of if you issue mobile devices to your staff or if they bring their own, it is important to know what, when and how employees access sensitive data. When implementing remote wipe as a part of your policy, be sure that staff is educated on the issues, and they know exactly when this process should be used and why. Finally, require device users to read and agree to your remote wipe policy.
If your staff brings their own mobile devices to work, a Bring Your Own Device (BYOD) policy should be implemented to compliment your data management policy. This policy may include software that manages devices that connect to your network, an outline of the responsibilities of employee and employer, and an agreement. There are a number of policy templates and kits that provide valuable information and will help you get started, but remember that they should be considered guidelines as each organization has specifics needs that blanket templates may not address.
Conducting business and sharing information via mobile devices is growing at a record pace, and it’s only accelerating. Because of this, it’s inevitable that these very same devices will continue to be lost, stolen, or otherwise compromised at a record pace as well. Having a plan in place that educates employees on how to protect themselves in the mobile workplace, and how to deal with situations when devices go missing is your best line of defense. We want you to be safe, savvy, and successful, so implement a comprehensive mobile risk management plan today, and be on your way to better data protection!