One of the more ubiquitous devices of the modern era is the smartphone. We can do nearly everything with it, and as such it has played a large part in the blurring of the lines between work and life. While this effect may be good for businesses, many of these devices are unsecured, which can lead to problems, especially if the unsecured data includes sensitive company information. One way to secure mobile devices is through the use of encryption.
Encryption is not a new concept. It has probably been used ever since humans began communicating. In layman’s terms, encryption is the conversion of data into a form that cannot be easily understood by unauthorized persons. Encrypted data is commonly referred to as a ciphertext, or more commonly a cipher. Some will call it a code, as codes follow the same basic idea, but this isn’t entirely accurate since codes such as binary code, Morse code, etc., are not meant to be secure, and can be understood by other people.
When data is encrypted it can be sent to recipients using normal transmission methods like the Internet or data connections. Upon receipt the encrypted data needs to be “decrypted,” or reverted back to normal data. Decryption on mobile devices, as well as most computerized devices, is done using a key. This key is an algorithm that can understand both the encrypted and normal data. It takes the encrypted data and essentially translates it to a form of data with which humans can read or interact.
Businesses and organizations go to great lengths to ensure their data is encrypted when stored within their network, and when it is shared, whether within the network or with trusted recipients outside the network. In a perfect world, all of your connection points – devices that connect to the network – would be secure. In the real world, employees using unencrypted mobile devices to store data or access company systems pose a big risk.
Take for example the CEO checking his work email on his own iDevice. Any emails sent between the company’s email server and the phone’s email program will usually be encrypted. However, when an attachment is opened with confidential news about an upcoming merger, a copy is usually downloaded onto the phone’s memory. If the user hasn’t taken steps to encrypt the mobile device’s memory and the phone is lost, then someone picking up the phone could turn it on and see this information. If this person understood the information, they could create a ton of trouble for any companies involved.
Another scenario, one that we are seeing more often, is where a company’s accountant has visited one of the increasingly common “drive-by-malware” sites, and malware has been installed on his unencrypted phone. The accountant might open work emails and download next quarter’s financial projections, along with a document containing the password to a newly reset work account. The phone’s memory is unencrypted, so the hacker who monitors the malware can come along and grab that information. Now, not only does the hacker have access to the network via the password, they also have confidential financial data for which a competitor would likely pay a handsome sum.
While these situations may seem extreme, they can and have occurred. The risks can be minimized however. While the obvious answer to problems like this is to simply bar employees from accessing work systems from mobile devices, this solution runs counter to the way most people work, and will likely be largely ignored by nearly everyone (including the CEO).
The best solution lies in a mixture of different approaches, all centered around a solid mobile device usage plan. You should take steps to first figure out when your employees access office systems using a mobile device, why they are doing what they are doing, and what are they accessing. From there it’s a good idea to look into security options. Vendors like Providence can help you with this step. It’s also beneficial to establish a use policy that dictates when devices can and can’t be used. Lastly, utilizing apps to encrypt memory on phones will help. At the very least, it’s a good idea to encourage your employees to use a password lock on their phone.
Mobile device encryption should be an important part of your company’s security plan. If you’d like to learn more, or implement a security system, we may have a solution that meets your needs.