Attackers don’t care whether a mobile phone is privately owned or company property. All they want is the data. Every day, cyber criminals sneak in through unlocked doors and security gaps – and steal company data from mobile devices. Germany’s digital association Bitkom reports that seven out of ten German companies have fallen victim to sabotage, data theft or espionage within the last two years. And these attacks have wreaked damage to a total cost of €43 billion. Around half of all the companies in the survey were victims of digital attacks, in the course of which confidential digital data was stolen and information systems, production systems and company processes were sabotaged. Other attacks involved digital social engineering and spying on digital communication (emails and messenger services).
So how can you protect your company against future attacks? We’ve drawn up a list of five measures that companies can take to protect company data on employee smartphones and tablets.
1. Protect your data by creating separate spheres
Business shouldn’t mix with pleasure. Not even on a smartphone. Company affairs should be strictly separated from all other apps on a mobile device, and non-business apps must not be permitted to access company data. For example, WhatsApp should not be able to extract contact details from the company address book. Why not? Because WhatsApp – like so many other messenger services – doesn’t comply with the GDPR, and it is not clear what happens to the data WhatsApp collects. Naturally, there are apps in various fields which promise GDPR conformity. But a startling 67% of the Android apps examined were found to quietly relay data. So it’s not worth taking the risk.
2. Protect your data via encryption – AES-256, S/MIME and E2EE
Encryption is probably one of the best known methods for securing data and is used for a wide range of purposes. If you keep any confidential information on your smartphone or tablet, it should always be encrypted. In addition, any data which is transferred from a mobile device to a company network or vice versa should be sent via encrypted channels – because the company network is only ever as safe as the devices to which it is connected. If you have the option, you should always encrypt your emails (end-to-end encryption) and use a digital signature. The encryption will ensure the email cannot be read by an attacker, and the digital signature will allow the recipient to verify not only the author, but also that the content has not been changed en route.
The current standards are AES-256 for encrypting stored data and S/MIME for email correspondence. Strictly speaking, S/MIME is a message format rather than a cipher: it encrypts the message body with a symmetric algorithm such as AES and uses public-key cryptography to deliver that key to the recipient and to sign the message. Both standards have been rigorously tested and are used worldwide. Our SecurePIM container app also complies with these standards (which is one of the reasons for our BSI certification). Let’s take a brief look at what the respective abbreviations mean – cryptic as they are.
AES stands for Advanced Encryption Standard and is a symmetric cipher. ‘Symmetric’ means the same key is used to encrypt and decrypt data. ‘256’ refers to the length of that key, which is 256 bits in this instance. Two caveats a practitioner will want: a long key is only as good as the place it is kept (on a phone that should be the hardware-backed keystore or Secure Enclave, not ordinary app storage), and AES should be used in a mode that also authenticates the data, such as AES-GCM, so that a ciphertext altered in transit or on disk is rejected rather than quietly decrypted to garbage.
S/MIME is the most widely used standard for encrypting and signing emails. Unlike AES-256 on its own, S/MIME relies on asymmetric (public-key) cryptography: each user has a key pair, a ‘public key’ that anyone may hold (it is distributed in the user’s X.509 certificate) and a ‘private key’ that never leaves its owner. The two keys play opposite roles. To encrypt, the sender uses the recipient’s public key, and only the recipient’s private key can decrypt. To sign, the sender uses their own private key, and anyone holding the sender’s certificate can verify the signature. In practice the message body is encrypted with a one-off symmetric key (typically AES), and only that short key is encrypted with the recipient’s public key.
E2EE (end-to-end encryption)
Another term you’ll often hear in connection with effective methods for increasing data security on a smartphone or other mobile device is ‘end-to-end encryption’, sometimes abbreviated to E2EE.
End-to-end encryption means that only the sender and the recipient can read the message: it is encrypted on the sender’s device and decrypted only on the recipient’s device, so every mail server and relay in between handles nothing but ciphertext. Transport encryption (TLS between the phone and the mail server) is not the same thing. It protects each individual hop, but the server still sees the plaintext, and so does anyone who compromises that server.
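The symmetric AES-256 case, the asymmetric S/MIME flow and the end-to-end point above are easiest to see side by side in code. The following Go program is an added example written for this article; it is not SecurePIM code and not a real S/MIME implementation (there is no X.509 certificate handling and no CMS encoding). It assumes a 2048-bit RSA key pair per user as a stand-in for the user’s certificate, and the message text is a constructed sample.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Sealed is all a mail server or relay ever sees: no plaintext, no usable key.
type Sealed struct {
	Nonce, Ciphertext, WrappedKey, Signature []byte
}

// NewKeyPair stands in for the one-off certificate enrolment of an S/MIME user (assumption).
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 { // 16 bytes would silently give AES-128, not AES-256
		return nil, fmt.Errorf("AES-256 needs a 32-byte key, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block) // authenticated mode: tampering is caught on Open
}

// EncryptAES256GCM is the symmetric case: the same 32-byte key encrypts and decrypts.
func EncryptAES256GCM(key, plaintext []byte) (nonce, ciphertext []byte, err error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize()) // fresh random nonce for every message
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, nil), nil
}

func DecryptAES256GCM(key, nonce, ciphertext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// digest covers every field a relay could alter; nonce and wrapped key are fixed-size.
func digest(s *Sealed) []byte {
	h := sha256.New()
	h.Write(s.Nonce)
	h.Write(s.Ciphertext)
	h.Write(s.WrappedKey)
	return h.Sum(nil)
}

// Seal is the hybrid flow S/MIME uses: a random AES-256 key encrypts the body, RSA-OAEP with the recipient's public key wraps that key, RSA-PSS with the sender's private key signs.
func Seal(sender *rsa.PrivateKey, recipient *rsa.PublicKey, body []byte) (*Sealed, error) {
	contentKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, contentKey); err != nil {
		return nil, err
	}
	nonce, ct, err := EncryptAES256GCM(contentKey, body)
	if err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, contentKey, nil)
	if err != nil {
		return nil, err
	}
	s := &Sealed{Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}
	s.Signature, err = rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest(s), nil)
	return s, err
}

// Open checks the sender's signature first, then unwraps the content key with the recipient's private key; without that key the message stays unreadable (end-to-end).
func Open(recipient *rsa.PrivateKey, sender *rsa.PublicKey, s *Sealed) ([]byte, error) {
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest(s), s.Signature, nil); err != nil {
		return nil, fmt.Errorf("signature check failed: %w", err)
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, s.WrappedKey, nil)
	if err != nil {
		return nil, fmt.Errorf("not the intended recipient: %w", err)
	}
	return DecryptAES256GCM(contentKey, s.Nonce, s.Ciphertext)
}

func main() {
	sender, _ := NewKeyPair()
	recipient, _ := NewKeyPair()
	sealed, _ := Seal(sender, &recipient.PublicKey, []byte("Q3 price list, internal only")) // constructed sample
	body, err := Open(recipient, &sender.PublicKey, sealed)
	fmt.Printf("recipient reads: %q (err=%v)\n", body, err)
}
```

Everything a relay could store or forward is the Sealed struct, and none of its fields is readable without the recipient’s private key. Handing the same struct to a third party’s key, verifying against the wrong sender key, or flipping a single ciphertext bit all make Open fail, which is the practical difference between authenticated encryption with a checked signature and encryption alone.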
Summary of encryption methods
Data is far more secure on employee smartphones and tablets if it is encrypted. There are tried and tested standards for this purpose, and these are compatible with most technology. When you select tools, you should always pay attention to which encryption methods are used.
3. Set barriers in place: data protection via access controls
Encryption is a must when it comes to ensuring data is transferred or stored securely on a mobile device. But there are other areas which also need protection. Because no matter how secure your email communication is, it won’t help you if someone gains access to your device. Experts recommend you use a PIN, password, Face ID, Touch ID or the Android equivalents to protect access to your smartphone or tablet (or if not to the whole device, then at least to the company data areas which connect with your company IT). If an even higher level of security is required, you can use a smartcard. Digital certificates and their private keys are stored on these cards; the private key never leaves the card, so the phone hands data to the card to be signed or decrypted rather than ever holding the key itself. Smartcards are available not only in combination with Bluetooth readers (Android and iOS) but also as Micro SD cards, which means you can simply place them in the respective slot of the smartphone or tablet (Android only).
4. Remove barriers: UX design
Corporate IT and data security touch at many points. There are dedicated solutions for virtually every one of them, each a puzzle piece that improves your overall data security a little. But a collection of separate solutions has distinct disadvantages: in most cases employees have to actively use and manage each one, or at least understand it, and the tools have to be compatible with each other. It’s safe to assume that employees will only use a solution regularly if it’s more or less intuitive. And if they don’t use it, you can easily end up with shadow IT, where confidential information and company data are processed in an insecure environment. So all features and security precautions need to be designed so that they place as few restrictions as possible on the way your employees work. This is where User Experience Design (UX Design) comes into play, and it makes a real contribution to data security on employee smartphones.
5. Maintain control over the device
One of the greatest risks for data security on smartphones, tablets and other mobile devices is inherent to the very nature of such devices. They’re mobile. And like all movable commodities, they can get lost or stolen. In such cases, IT needs some way of deleting company data remotely. On one level this is relatively easy: both iOS and Android include a function to erase all content and settings. Bear in mind, though, that a remote wipe only takes effect once the device comes online and receives the command, which is why encryption at rest and a short auto-lock timeout matter just as much. But what if the phone belongs to the employee and they don’t want everything to be wiped? Or if they leave the company? Would your IT department still have complete access to and control over company data on the employee’s phone? The answer, of course, is no. The best way to solve this problem is by creating a separate area on the smartphone or tablet, and making sure your IT department has unrestricted access (any time, anywhere) to this area. This is known as a container solution.
Container solutions for smartphones and tablets – data security thanks to SecurePIM
There are a host of applications which will achieve the desired effect for single points from the above list. But the more measures you deploy to protect your employees’ mobile devices, the more resources you need in your IT department to administer the various applications. Each device needs to be configured accordingly, onboarding/offboarding becomes complicated, and if a phone or tablet is lost (or simply mislaid!), data security is immediately compromised because IT only has restricted access to the device in question.
SecurePIM is a container app which ticks each and every box in the above list. Available for iOS and Android from standard app stores, the app creates its own infrastructure inside the user’s device and keeps it strictly separate from the original environment. Your company IT department can be connected as a client and given full control over the data inside the container app. As a result, your employees can use their phones for business or pleasure just as they like – and neither you nor they need worry about data security being compromised. To top it all, SecurePIM is easy to administer and requires little input from IT.