SMARTPHONE SECURITY: TEN EVERYDAY RULES

Terms such as MITM and P2P rarely mean anything to the typical C-suite user of a smartphone. Indeed, for our clients, a few basic rules seem to have sufficed to ward off commonplace risks, while leaving cyber pros to do the heavy lifting. The Ten Rules below aim at the former.

  1. Treat your phone like an expensive car. Drive and park it carefully (physical security). Ensure the key (password) is safe. An unattended phone is akin to leaving the keys in the ignition of an unlocked car.
  2. Separate business from personal telephony. Use different phones for home and for work. This achieves two things: it reduces the risk of identity theft, which becomes easier when personal and professional data sit on the same device, and it blunts spear-phishing (an attacker cooking up a convincing storyline that mixes personal and professional details to fill the credibility gaps). Keep all leisure/lifestyle/entertainment apps on the personal phone. Though the malware problem is far more pervasive on Android and Windows systems, even Apple's iOS has shown vulnerabilities.
  3. Do not leave your phone unattended, or allow it to be used by anybody else, even a colleague. Installing a 'spy' app that reports your texts, calls etc. and turns the phone into a listening device/transmitter takes seconds.
  4. Require a passcode (six digits or longer where the phone allows it; four digits is the bare minimum) to unlock at least the business phone after a period of idle time, and set that period as short as the phone permits (we advise 30 seconds). This is the first line of defence against theft: it buys the owner of a stolen phone time to lock or wipe it remotely and to change passwords. In addition, most smartphones slow down or lock after a number of failed attempts, and can be set to erase themselves after a fixed number. Treat the screen passcode as no less important than the SIM PIN, and shield it as you type it: someone with plans for stealing your phone and data could be watching.
  5. Avoid 'free', open WiFi. In hotels, check whether a (paid or allocated) WiFi connection is actually secured: 'lose' the first password you are given and see whether the replacement is the same. If it is, the security is a joke. Even if it is not, traffic on open or shared WiFi can be eavesdropped very easily. When you must send something sensitive over such a network, use an end-to-end encrypted messenger such as WhatsApp on your business phone, so the content is protected regardless of the network.
  6. Do not open email attachments or links on the phone, even from 'trusted' sources, and the same goes for attachments and links received in WhatsApp. Forward them instead for viewing on a (secured) laptop: the tools for inspecting a suspicious file safely are still far more mature on a PC than on a phone.
  7. Archive and transfer information to a dumb device such as an offline mass-storage drive at regular intervals, e.g. once a week. Pick a relaxed moment for this, e.g. over a coffee on Sunday. Such an exercise may even enhance productivity, and it limits what is lost if the phone is stolen or has to be wiped.
  8. Have your office IT staff or an external security professional check your phone for spyware once a month. On your part, watch for the clearest everyday sign of a spy program: unexplained high battery use, often accompanied by unexplained data usage or a phone that runs warm while idle.
  9. For one-to-one communication with a specific person in a high-risk situation, e.g. a security professional, acquire and use cheap disposable phones and prepaid SIM cards. Though most (but not all) authorities require ID to issue a SIM card, the concern here is less a government listening in than a competitor, or worse.
  10. Enable operating-system updates, automatically where the phone offers it. Each update carries the most recent security fixes; a phone that no longer receives them should be replaced.


More articles by Ashutosh S.