Prevent Phone Hacking with These Best Practices

May 25, 2016 8:23:33 AM / by Allen Bernard


The recent 60 Minutes story about how easy it is for hackers to listen in on your conversations, track your movements, and read your text messages has reignited people's concerns about privacy, but for the average person the exploit used to listen to Congressman Ted Lieu's conversation (the Signaling System No. 7 (SS7) cell phone network hack) is really a minor concern. Unless you are someone in a position of power or influence, this direct hack on your personal conversations would not be worth the time or effort it would take to launch.

What this exploit does do, however, is highlight the need, once again, for companies to revisit cell phone security best practices. Given that smartphones are now de facto corporate network endpoints, regardless of whether they are sanctioned by IT or not, it is a good idea to help the rank and file of your organization protect the sanctity of their devices.

There is a treasure trove of data and network access to be gained by going after almost any employee's device. Combined with pervasive and liberal bring-your-own-device (BYOD) policies, this gives smartphone security a new urgency. So, while there isn't much you can do about the SS7 vulnerability (which has been known about since 2014, but that's another story), there is still plenty you can do to protect your network edge:

For secure texting, use encrypted messaging services like Apple’s iMessage or Facebook’s WhatsApp. Some of these services, like WhatsApp, will also allow voice calls. Skype also works to avoid SS7. Check out commercial and open source voice encryption solutions like Silent Circle and the Signal app, respectively.

Make sure IT installs a mobile device management (MDM) platform so they can, among other things, track whose device is in use on the corporate network, as well as make sure the device is in compliance with corporate usage policies. It's also a good idea to make sure employees are using anti-virus on their Android phones.

Keep instructing your employees on the basics, such as avoiding suspicious third-party applications, not clicking on unsolicited links in text messages, locking their phones when not in use, and avoiding public and hotel Wi-Fi (if you must log in to public Wi-Fi when traveling, use a VPN service).

"You could walk through a crowded coffee shop or airport lounge and pick up half a dozen smartphones that don't have a screen lock, or are not encrypted and have access to their corporate data, email apps and [virtual private network] clients," said Doug Grosfield, president and CEO of Five Nines IT Solutions, speaking to TechTarget. "Many people are still failing to protect their devices by leaving the door wide open."

It's also good practice to let key people know that they may be targeted, in a practice called "whaling", for ongoing phishing scams because of their position in the company.

There is good news, however. While common, mobile phone hacking is not nearly as prevalent as the headlines may suggest. According to Verizon's 2016 Data Breach Investigations Report, while "new" technologies like mobile and the Internet of Things (IoT) will undoubtedly give hackers new attack vectors, there has not been "a significant volume of incidents involving mobile or IoT devices yet." But the report does caution that "the threat is certainly real. Proof of concept exploits have been demonstrated and it’s only a matter of time before we see a large scale breach."


 



Written by Allen Bernard

Allen Bernard is a veteran freelance business and technology writer, former managing editor and entrepreneur. From 2003 to 2012 he served as the managing editor of CIOUpdate.com and numerous other technology websites. Since 2000, Allen has written, assigned and edited thousands of articles that focus on the intersection of technology and business. As well as content marketing and PR, he now writes for Data Informed.com, CIO.com, the Economist Intelligence Unit, InformationWeek and other high-quality publications. His current project is co-authoring a book on Technology Business Management for the TBM Council. Originally from the Boston area, Allen now calls Columbus, Ohio home. He can be reached at 614-937-2316 or abernie182 @ gmail.com. Please follow him on Twitter at @allen_bernard1, on Google+ or on LinkedIn.