Ask The Cyber Security Expert: Are smartphones and tablets secure?

14:23 22 October in Cyber security

The Cyber Security Expert is often asked about mobile phones. Are they secure? Should I let staff use them? Why am I stuck on Angry Birds?

Apple vs Android

I’m going to be upfront and admit I recommend Apple. I appreciate that for many this is an ideological issue and they will violently disagree. That’s fine. I have no problem with Android; it’s a fine operating system and can undoubtedly be every bit as secure as iOS. However, for the average Joe user, and certainly for a small company deciding what sort of devices to get for staff, I think iOS makes more sense (obviously, Blackberry is probably still the best option if you can get your staff to use it).

So iOS for two reasons. Firstly, your average user is much less likely to download and install a game that is also a key logger and which steals your bank details when using iOS. I appreciate this is down to Apple’s paranoid, walled garden stance and super strict vetting of apps in their App Store, and that this is something many people hate. Nevertheless, you can download with more confidence from the App Store.

Secondly, Apple has a good track record of pushing updates out to a broad range of supported platforms, meaning you will get security fixes. Now I appreciate that security issues get fixed in Android too, but it is a hugely broad ecosystem, which has been tailored for many devices. You are to an extent at the mercy of your service provider as to when (or if) you will get the latest updates for your phone operating system.

Obviously, for the really paranoid, the fact you can’t take the battery out of an iPhone is a big no-no. Fair enough. This article is not really aimed at you! (Though do get in touch if you want to discuss.)

Should I let my staff use their own phones/tablets for work email?

Good question. I’d say the answer is: it depends. How paranoid are you with your data? Do you use lots of cloud services, and a range of different devices and platforms in the work environment? Do you share sensitive customer details or intellectual property via email?

In general, in this world of bring your own device (BYOD, acronym fans) you are probably going to end up in the position of having to let people use their own kit, especially if you’re a small company. So you have a couple of options.

Option 1: Use something like Good Technology (other providers are available; this is not an endorsement other than to note Good have been round for a while and are widely used). This sort of technology lets users get email (and other work-related info such as documents, depending on how far you as a company want to go down the BYOD path) through a special app. It keeps all the downloaded data in an encrypted container on the mobile device, and the corporate you gets to retain some control – you can allow and disallow certain access, and remotely disable and wipe the data (note: it just wipes the app, and not the whole device).

Option 2: Let people connect directly to your email servers using whatever email client is on their device. This can work. Modern tablets and phones provide a reasonable level of protection for data (providing they are set up correctly – more below). Make sure users have a strong password, and that you enforce the use of encryption for the email connections (how you do this will depend on how you are hosting your email – Apple has good guidance on its website for setting up email with a variety of providers and mail services).

So we’re BYODing. Any advice for my users?

Yes. Whatever device is being used, make sure it has a passcode enabled. A simple one is fine, but just something that will prevent anyone picking it up and rummaging through. Also restrict the number of attempts you have to get it right – iOS lets you set 10 goes with a simple password and then it wipes the device. Even very drunk, you are unlikely to get a 4-digit PIN wrong 10 times in a row. If you do, it probably stopped you texting something you’d later regret anyway.

If the device supports remote wipe, enable it. Both Android and iPhone now do this out of the box. Make sure if anyone loses their phone or tablet which is used for work email, they report it to you. Get them to remote wipe it. If you have Good (or similar) you can wipe the work data and block access. You should also change email passwords if any devices are lost.

Why am I stuck on Angry Birds?

Just cheat and look at a walkthrough of the level on YouTube.

The Cyber Security Expert