Brave New World: Understanding Security Risks Around Mobile Devices


For this month’s Social Media and Online security column, we’re going to get a bit more techy and talk about hardware. Specifically, this month, I want to focus on the topic of security and devices. Or put another way: I want to cover some of the risks you face using something other than an old-fashioned PC or Mac.

While this topic isn’t social media per se, security issues with the tools you use to access social media have a direct impact on the security of your social media channels and sites. And while we all have a pretty good idea of the risks involved with desktop or laptop computers, we’re still learning about the brave new world of smartphones, tablets, and other devices. As I’ve said before, your ability to secure things is directly related to your understanding of them. By that measure, right now smartphones and tablets are inherently riskier than PCs and Macs because they’re not as well known and so harder for everyone to secure. Indeed, as I’ll talk about later, we’re now witnessing an explosion of security issues in the world of mobile devices, as attackers capitalize on the advantages these new platforms confer on them.

And mobile device security is important for social media because the tie between social media and devices is such a strong one. I would argue that the answer to the question “What are you doing?” really only becomes interesting when you’re not always sitting at your desk as you’re answering the question. Twitter, Facebook and other social channels really took off only after people started using their smartphones with these applications.

One particular challenge with smartphones and tablets is that, since we use them to interact with apps and websites that are already familiar from our computer usage, it’s easy to assume that the security risks we face are the same and thus we know what we’re doing. And while there are definitely areas of overlap between devices and computers from a security point of view, it’s wrong to see them as identical. Devices introduce some new areas of risk which you have to account for that you would never think of when dealing with desktop computers in particular.

There are four major areas where you need to think about new or different security risks in regards to mobile devices.

  • Human Error
  • Device Portability and Loss
  • Co-mingled Data and Accounts
  • Viruses and Malware

Let’s go through and talk about each of these, how they are different from what you may be familiar with on PCs and Macs, and things you can and should do to help protect yourself.

Human Error: As I said last month, human error represents the greatest ongoing threat to security. And as I’ve alluded to earlier, introducing something new and unfamiliar only exacerbates those risks. When looking at smartphones and tablets in particular, these risks are made even greater because we’re talking about physical devices that have more limited displays and capabilities than computers.

This means there’s less “real estate” for user interface developers to utilize and less storage for online help and tutorials. Taken together, those all mean that you’re using a new device and platform that has less robust visual cues and less guidance and help. In a phrase, as anyone who’s looked at a ringing smartphone and been unable to actually answer it knows: you’re on your own.

The most important thing you can do with this risk is to be aware of it. When you are lost and frustrated, be mindful of the fact that you are learning something new and that there are risks inherent there. Take your time, go slowly, be conservative, and most of all, plan for the possibility of failure. Don’t start posting to your official corporate Twitter account from your new iPhone the first day you get it. Figure out how to use your personal Twitter account safely and competently, then graduate to the higher profile and higher risk activities.

Device Portability and Loss: This is perhaps the most obvious difference between mobile devices and desktop computers. But its obviousness often blinds us to this risk and accounting for it. As Apple has learned not once, but twice, mobile devices can easily get lost. But where losing your cell phone a few years ago was just annoying and costly, now it qualifies as a security and privacy incident. It’s not just the information that’s on your device that you have to worry about (though sometimes that alone should be plenty to worry about).

All of the apps that you’ve downloaded and configured almost certainly give the holder of that device immediate, direct access to everything you access with that device. No one in their right mind is going to enter their Twitter password every time they bring it up (especially not on a near-impossible to use keyboard on your phone): that information is saved in the device. That in turn means that the security barrier for those accounts is not the password, it’s possession of and access to the device itself.

The options for what you can do to help protect here are pretty limited. This is another area where the newness of the technology opens up risk areas. Most devices support some kind of screen lock with some kind of PIN or password required to use the device. Those can definitely provide some protection but you shouldn’t view that as foolproof: four-digit PINs can be cracked with some effort. Particularly for a determined attacker, that PIN is little more than an annoyance. Also, screen locks can be so cumbersome to your usage of the devices that many people don’t use them.

Some devices support what’s called “remote wiping”: this is the ability to send a command to a lost device to delete all the information on it. There are also apps available that can do this for devices that don’t have that capability. This is something that you should look into for all your devices.

Further, one of the best things you can do is to be aware of this risk and plan for failure. Treating your smartphone like it has valuable data on it (it does) rather than like a cheap piece of consumer electronics (it isn’t) is a big step in the right direction. Exercising caution and being aware of where your devices are at all times can go a long way to help.

Finally, be ready to quickly change your passwords and regain control of your social media channel if you lose your device. My column “Recovering from the Worst: What to Do When Your Social Media Channel is Hijacked” can provide good tips in this regard.

Co-mingled Data and Accounts: One particular challenge that smartphones and tablets present is an unprecedented co-mingling of personal and professional data and accounts. Many of us have a work computer and a home computer which makes it easy to keep personal and professional data and accounts separate from one another by being on separate machines.

Very few of us have a work smartphone or tablet and a personal smartphone or tablet. From an apps point of view too, you very likely have a single Twitter app on your device, for instance, and have to mingle your personal and professional handles in that one app. The risk this situation poses is that personal and professional data or actions get mixed up, leading to inappropriate disclosure of information or other problems.

For example, the instances we hear of personal tweets going out to professional handles could well be a result of co-mingled accounts in apps like this. Another example of what could happen is the steamy, flirty email to your girl/boyfriend goes to your manager thanks to the autofill on your phone which has your personal and professional address books on it.

The solution here is to be aware of this risk and take steps to keep personal and professional data and accounts as separate as possible. Frankly, this is not easy right now (though the new Microsoft Surface does provide different user accounts which could be used to create a personal and a professional account on your device). Consider using different apps for different accounts (e.g. use the Twitter app for your personal accounts and HootSuite for your professional ones). Most of all, check and double check that you’re actually speaking from the right account.

Viruses and Malware: This category differs from the others insofar as this IS a risk that we are familiar with from computers. The challenge here is that most people think of this risk as ONLY being a risk that computers face. The fact is that viruses and malware on devices are exploding. Trend Micro recently announced that they’ve identified over 175,000 different pieces of malware and aggressive adware on Android devices. The word in the security space is that in terms of viruses and malware, Android is starting to look like Microsoft Windows did about 10 years ago with lots of danger and not a lot of protection.

This problem is the easiest of our issues to address. Where possible you should run security software on your devices. At this time, there are no antivirus/antimalware solutions for iOS devices (iPhone and iPad): Apple won’t allow them. But there are a number of products available for Android and you should definitely protect Android devices with security software.

As time passes and we all understand mobile devices better, we can expect security to improve and threats to lessen. But the future of mobile devices is one that will include security software and security best practices, just like the world of PCs and Macs has today. It’s just going to take time for this all to grow and develop. In the meantime, the most important thing you can do is understand that the world of mobile devices is less mature, rougher, more dangerous and different from what you’re used to with PCs and Macs. Understanding that is a big step forward in better protecting yourself.

About the Author:

Christopher Budd

This monthly Social Media & Online Security column is contributed by Christopher Budd. Christopher works for Trend Micro, an Internet security company, and is an expert on communications, online security, and privacy. Christopher combines a former career as an Internet security engineer with his current career in communications to help people bridge the gap between the technical and communications realms and “make awful news just bad.” Before Trend Micro, he worked as an independent communications consultant and, prior to that, as a ten-year veteran of the security response group at the Microsoft Corporation.
