Center For Practice Management, Ethics, Productivity, Security, Smartphones

Safety Dance: Securing Your Smartphone

Today’s smartphones are millions of times more powerful than the Apollo 11 guidance computers. While they still can’t take us to the moon, these small but mighty computers give us the world of work (and play) in our pockets. How can you apply protections to ensure that your device is properly secured against exposure of confidential client and personal information? Read on to follow a checklist of options to increase protection without affecting usability.

Lockscreens and Encryption

According to the Breach Level Index, only 4% of breaches were “secure breaches” where encryption was used and the stolen data was rendered useless. All mobile devices should have encryption enabled to protect data on the installed drive or storage. So, how do you do that?

On iPhones and iPads you should set up a passcode (6 digits or longer) and make sure that “data protection enabled” is turned on in the settings. New to iOS 16 is a passkey, a passwordless entry into your phone that requires two factors – a biometric identifier and a key stored on the device. On Android phones and tablets enable a PIN to access the phone’s features through the screen lock. On older versions of Android, you will then need to go into the security settings to enable encryption.

It is worth noting that you should upgrade your phone and install the latest operating system version, as additional security enhancements are included. Older phones often cannot support updated mobile operating systems, and thus can’t be patched and adequately secured.

Commercial encryption software from Symantec, VeraCrypt (all operating systems), or Disk Utility for Mac offers encryption tools for any device.

On your phone’s lockscreen, despite the ability to add notifications, resist the urge as you will potentially expose confidential information to anyone who picks up your smartphone.

Remote Wiping and Mobile Device Management

Do you know how to remotely wipe the drive of a mobile device if it is lost or stolen? IT departments can help deploy Mobile Device Management. Law firms using Microsoft Office 365 Business Premium and other Enterprise level subscriptions can also enable Mobile Device Management, which includes multi-factor authentication, device security policies and remotely wiping selective data from a firm approved device.

For solos and small firms without IT help, individual lawyers can take steps to enable remote wiping of data. On an iPhone or iPad enable “Find My Phone”. If you lose your phone, just log into iCloud.com and you can try to use the phone’s built-in GPS location to ping the phone and show the location on a map. You can also erase the phone’s data. Your GPS does not have to be on; this will turn on the GPS on the phone.

Similarly, on Android devices go into your Google account in any browser to the “Find My Device” section. Select your device and then you can sign out of your phone, lock your phone, locate it or erase the data. You can also add a lock screen message like “Please Return this Phone. Contact me at ### ### ###” (and don’t put in the name of your law firm!).

Third party applications like Lookout Mobile have similar features, plus anti-virus, safe browsing, privacy advisor, backup, and more for $30 per year.

Backup

An additional aspect to consider is whether your phone is properly backed up. The prospect of remotely wiping your device isn’t daunting if you know that your data is backed up to the cloud. In fact, if you are using your phone to access data rather than store data, you are more likely to wipe your phone rather than hope it shows up and risk exposure of firm or personal information. If your phone isn’t presently backed up, explore options to back up text messages, voicemails, files and photos.

Two Factor Authentication

If you use text messaging as the second factor for two factor authentication or an app on your phone and you lose it, things could get difficult. Make sure you have set up alternative access options ahead of time, like backup codes or a secondary number.

Also, for online services that are linked to a device, including LinkedIn, Facebook, Twitter, Google, iCloud and others, log on from a browser, go into your settings and “forget” the lost or stolen device.

Smart Phone Apps

Apps on your smartphone and your laptop may be sharing more than you want to about your conversations, location, contacts, camera, files and almost anything else. How? Well, often when you install apps, a screen notifies you that the app needs permission to access certain functions/files on your device to work. In many cases that is true — but they may not tell you that additionally those apps are sharing information with third parties. You should do at least an annual check of the apps you are using and the permissions you have given them. You may decide to uninstall them or may be able to disable certain permissions unless you need them.

  • This Wired article has a great step-by-step guide for iPhone, Android, Windows and MacOS to check permissions and disable them.
  • Lifehacker also has a step-by-step guide on shutting down location tracking (and the implications).
  • Turn off NFC (Near Field Communication), GPS, and Bluetooth unless you are actively using them. This also helps with battery life!

Updates

It bears repeating – don’t neglect to update the mobile operating system on tablets and phones, as well as the apps you have installed on them. If you are ever presented with an update that you question, just copy the text of the message and search it in Google to see if it is legitimate. If you choose to keep a phone for a long time, be aware that sometimes the new, patched updates of the mobile operating system will not be supported on older devices.

Wifi

Do you use free wifi on your laptop, phone or tablet? Do you also use that device to store and transmit client confidential information? Free or even limited access wifi (like coffee shops that issue the same password to everyone) is notoriously insecure because of the real risk of interception or of “man in the middle” networks set up to ensnare those looking for the fastest, cheapest wifi.

There are a few easy ways to protect your client data. You can use your smartphone to provide a wifi signal, either by tethering it to another device or turning on the phone’s hotspot. You can get a mifi card for internet access from your mobile carrier. Or you can subscribe to a mobile VPN (Virtual Private Network). Just don’t be tempted to use free wifi, even if it is “just to check personal email” on a device you also do client work on.

Get a Password Manager

Staying logged in to an app on your smartphone is risky if you lose your phone. Stay logged out and get the password manager app for your phone and use it to log into your accounts. Again, you will need to remember the login for your password manager!

Who is Listening?

Your smartphone likely comes with a built-in voice-activated assistant. On Android, there is the Google Assistant. On some Samsung models, you may also have Bixby. On iOS there is Siri. It is likely you also have apps that you have given permission to use your smartphone’s camera and microphone.

This article from VentureBeat provides instructions on how to turn off the voice recording and collection in Google Assistant, Siri, Samsung Bixby, and more.

To find and disable apps you have given permission to access your smartphone’s microphone and camera, follow the instructions for Android and iOS from Wired.

Device Disposal

When you are getting rid of an old smartphone, it is important to wipe the drive before recycling, re-purposing or gifting it. Wired has an excellent tutorial on how to clean up old devices, which may include completely destroying them if the information on the drive is of a very sensitive nature. For iPhones and iPads you can Erase All Content and Settings and for Android you can Reset the device and then “erase everything”.

Conclusion

With great power comes great responsibility. Your smartphone may not yet launch the next rocketship to the moon, but it does hold a tremendous amount of information that, if exposed, could have negative repercussions for you and your client.