Smartphone security

Smartphone security – be informed

Smartphone security and the specific risks attached to increased smartphone use have attracted a lot of attention recently. Not only is the technology ever more sophisticated, inter-connected and beyond many people’s ken, but we rely on these phones in business and give them free access to much of what we do.

By sending information back and forth and connecting to myriad accounts and services, we concentrate lots of valuable data about ourselves in one easy-to-intercept location. Here we outline three steps you can take today to minimise your exposure.

Reviewing connected apps & accounts

Do you run social media on your phone, using Twitter, LinkedIn, Instagram, Pinterest, Facebook etc for your business? Five minutes’ use of these platforms will show you that many people automate cross-platform posting so that every Facebook status update is tweeted and every Instagram post pops up on Tumblr – often with no accompanying information and without any suggestion of why we should want to schlep over to FB or Instagram to see it in its full glory.

There are lots of reasons for not cross-posting (from a content point of view, these platforms have different functions and audiences, so your FB content isn’t suitable for Twitter and vice versa, and it bores audiences who follow you on several platforms to see the same content on each), but the most significant is that linking your accounts like this dramatically increases your exposure to hacking. If someone gets into one account it’s a short hop to compromise the others.

  • Review your linked accounts and consciously uncouple wherever you can.

Remove apps that sell information

Downloading a free app is always a gamble (and some paid ones are risky too – do your homework before downloading). Consider how the developer is going to monetise that app: it might be advertising, it might be anonymised user data gathering or it might be simply selling on your data, with or without – most likely without – your consent.

Consider this Flashlight case. First of all, what on earth is a torch app doing asking for access to such a range of data in the first place? It gets worse. To quote the Wired article linked to above:

The FTC has clamped down on another flashlight apps [sic] for doing downloading data for advertisers without informing consumers

Trying to find out precisely what information is being gathered (as opposed to simply the scope the app requests) is very difficult, and that’s in the developers’ interest. As the article goes on to say, there’s really no such thing as a free app.

As well as reading that article, listen to this brief podcast from The Naked Scientists.

  • Pay attention to the permissions a new app asks for and don’t download it if it’s not essential and you have concerns.

Apply software updates

Do you keep on top of your phone’s requests to update apps and software, or do you automate updating? Patches and updates come out in response to changes in external elements that apps use to run (ie not something within the developer’s control), in response to security concerns and calamities, and in order to offer you a better service or user experience.

You should have the option to authorise these updates manually (and change other settings such as downloading updates only over wifi so you don’t hammer your data allowance). Setting update to manual is a good idea if you want to keep close control over updates and have the option to review what they’re asking for. You might be surprised at what’s still lurking on your phone (you can uninstall anything you feel you don’t need any more – do you really need that eBay app these days, the one with your eBay password stored in it?) and what updates are asking to access.

  • Set updates to manual and review them with every update request.

Security tips to act on today

Security – online and in the office

Security is an ongoing headache for most of us. Each week between now and our talk on security to the Inspire group on 13th May we’ll be delivering three security suggestions you can act on easily and quickly to tighten up computing security within your company.

Security of Public wifi

Going to a friend’s house and logging into their wifi is one thing. Yes you subject yourself to the security your friend may or may not have applied to their connection – ask questions if you need to or if the sensitivity of the data you’re sending requires it (in which case you shouldn’t really be doing it round your mate’s) – but it’s likely to be less risky than the sort of public wifi you can connect to in a café, hotel, hospital or other public space that selflessly provides wifi as a public service.

There are various models for providing free public wifi but be sure that someone somewhere is profiting, and it’s not just because you’ll drink three lattes while you use it. The security of the connection is completely beyond your control for a start. Secondly you have no idea what information the provider is taking as you communicate. Thirdly simply by logging onto that network you show up as an entity – one reason to be careful how you represent yourself.

Don’t click on unsolicited attachments

Attachments may look genuine but treat them with caution

Attachments – don’t you just love them? Fortunately some scammers are very bad at their jobs and make their dodgy attachments blatantly ones to avoid; others are far more subtle. The subject line and sender’s name can both seem very relevant to current projects, which is disturbing in itself, but nothing compared to what happens if you open the attachment.

Simple rule of thumb: if an unsolicited attachment comes from someone you’ve never heard of, ignore it. If you’re worried it’s something you need, ring the company (via a number you find independently, not the one provided in their nice helpful email) and use lots of judgment and scepticism.

If the attachment is from someone you know but still unsolicited it might be worth a text or call to find out what it is. Even genuine documents can contain viruses, so really be sure it’s worth the risk before you click.

Password protect devices

You know about the obvious things – phones, tablets, PCs. If you haven’t password-protected them do it now. A shape drawn on the screen, a number, a phrase or something more sophisticated such as facial recognition. Whatever your preference, implement some form of protection as a first line of defence.

Where it’s an option, employ a remote wiping utility such as Android Lost or a kill switch. The ubiquity of this sort of app is, so we read, having a huge impact on the number of smartphones stolen, with thefts down 40% in London.

Look more closely at other devices you use, particularly infrastructure such as routers and other home network devices. If you can change the password, do. Leaving this sort of device with the factory-set password makes it very vulnerable to exploitation.

Lastly anything you own that can come into the Internet of Things category: CHANGE THE PASSWORD.

Security – three simple steps

Security: complex technical issue or good habits?

Security – online, in the office, out and about – is a major worry for most companies. SMEs in particular can present a tempting opportunity for the bad guys (here’s an article we wrote about that a while ago). Obviously security is both a complex technical issue and a matter of best practice, but the good news is there’s plenty you can do for yourself to improve your computing security.

We’re giving a talk on security to the Inspire business group on Wednesday 13th May. Ahead of that talk we’re presenting three simple security measures you can act on today. They’re free and require no technical expertise whatsoever, but are more about developing good habits.

Log out of services to increase security

Log in – log out. Simples.

Log out and step away
Do you routinely leave services logged-in? Logging out of online services in particular when you’ve finished with them will minimise your exposure. Log out of LinkedIn, webmail (eg Hotmail, Yahoo and any other email account that you access through a browser), Twitter, Facebook etc when you aren’t using them. Tread with care as some accounts need to be logged in to provide background functions, but get into the habit of logging out of anything that you just don’t need running in the background.

Turn off wifi
Your smartphone leaks data constantly when you’re out and about (that’s a whole other blog post). If you’d rather preserve a modicum of privacy and don’t particularly need constant updates on the journey home, in the supermarket or in the playground, get into the habit of flicking off wifi when you travel. For greater privacy activate airplane mode, but do that only if you’re sure you can go incommunicado without causing a furore.

Don’t re-use passwords
So obvious, isn’t it? But a lot of people do it and massively jeopardise their security. Think of the logic: if a cracker gains access to your Facebook account, they’re going to run the same password through your banking access, your email and any other accounts they can find. Don’t hand it to them on a plate.