Mobile Data Security

Protect yourself, even when on the go

Copyright Trustees of Indiana University, 2006

Laptops, cell phones, iPhones, Blackberrys, PDAs, USB drives (known as “thumb” or “flash” drives), and other small devices can conveniently store data outside your work environment. But portability has a downside: it may lead to unintended data disclosure.

Such devices are easily stolen, and theft of mobile computing devices is on the rise. In fact, in most cases, the data is even more valuable than the property. Many thieves now admit to stealing computers and pricey mobile devices not for the machine itself, but for the information stored on it.

So, securing these devices—and having a record of any sensitive or legally protected data that is stored on them—is of vital importance.

Tips to secure mobile devices like laptops, smartphones, & handhelds

  • Be smart. Don’t let your mobile device out of your sight, and don’t be showy with your equipment. Your new iPhone is definitely cool, but you don’t want to advertise that you have one, or you may attract the attention of someone who wants to steal it. Carrying your gadgets and laptop as inconspicuously as possible is a good idea.
  • Label your property. Labeling reduces the theft value of the equipment, since it’s extra work for the thief to remove the labels. Also, you can purchase a brand that will imprint your logo into the case of the device. (Check with the manufacturer before branding equipment.)
  • Use security products. You can increase the physical security of your device by investing in a cable lock, beaconing software, lock boxes, or BIOS settings. Any of these can greatly improve physical security and deter theft. Even a password required at login helps...
  • Use the hard drive password setting on your laptop. It provides good security, but is also the most unforgiving if a password is lost. If you do set the hard drive password, you are advised to store it in a safe place (which is not on the laptop or in the laptop case!).

Tips to secure the data on mobile devices & smartphones

Think of the sensitive and legally protected data like a book you check out from the library. When you return to the office, securely delete it from the device. Some guidelines to help you secure this “borrowed” property and safely “return” it:

  • Consider your real needs. Look at the data you have stored on your laptop or PDA, and ask yourself whether you really need to have this sensitive data stored on the device, or whether you could remove certain aspects of it to be safer. Some questions to help you determine your real needs—whether you have sensitive data, and whether you really need to store it:
    • Do you have old personnel files or employee evaluations that can be deleted?
    • Have you collected Social Security Numbers as identifiers for some computer applications?
    • Do you have a file with credit card numbers from previous clients or users?
    • Have you saved tax ID numbers from previous sales or invoices?
    • Do you collect birthdates along with names for any reason?
    • Did you answer “yes” to any of these? If you did, consider whether you have a legitimate business need for this information, and if you do, whether you really need to store this data on a mobile device:
      • If you are not going to a remote site where you need to present the sensitive data, chances are that you don’t really need it.
        Consider deleting the sensitive information or de-identifying the data—e.g., deleting the names from the record sets.
      • If you do have a legitimate business need for sensitive data on your mobile device, consider some ways you could make this data safer:
        • Could you access it on a server versus storing it on the local hard drive?
        • Could you remove elements of the data that render it harmless if it were to be unintentionally disclosed? (For example, Social Security numbers by themselves pose no threat. However, if coupled with names in a file, they can prove to be injurious.)
        • Could you improve the physical security of the device by locking it down?
        • Could you encrypt the data? (With a good password on your Windows machine, management of encryption in various Office applications is not hard. You can also use the built-in encryption technologies of either removable hard drives, or those built in to your system.)
  • Make a trusty backup. No matter what else you do, make sure that you have a backup of any data that you value. Should you lose the device, you will greatly prize it, since it will not only ensure that you will still have access to the information, but will also help you identify exactly what sensitive information a thief may be able to access, so you can do damage control. It also helps to keep your backup in a different location (e.g., in your suitcase instead of your laptop bag, or in a drawer instead of on your person), safeguarding your data even if your laptop or gadget is stolen.
  • Ensure you’re only carrying the data you think you are. It’s a good idea to look in your most frequently used folders, and your “Temp” folder, and purge any unneeded files, every week or two.
  • Use encryption or a Virtual Private Network (VPN). These can dramatically increase your security. Encryption offers protection by scrambling the data so only the owner of the key can read the data. A VPN scrambles the data as it is being transmitted back and forth between your mobile device and a server. Note that file and hard drive encryption mean that the data is stored on your mobile device, whereas with a VPN, the data is on a remote server. On the whole, it is better to leave the data on a server that is managed by a system administrator and use a VPN than to take the data with you and encrypt it on the device.

Tips to ensure a secure Internet connection everywhere—including at home

Taking all the care in the world with the security of your mobile devices won’t matter if you connect them using low-security Internet connections such as public, unsecured wireless. Don’t sabotage your efforts to protect your property and sensitive data by making mistakes born of ignorance or overconfidence.

  • Use secure wireless. While using public wireless networks at airports, bookstores, and coffee shops is convenient, it’s also one of the most dangerous things you can do with your mobile device. You’re just asking for someone to “shoulder surf,” steal your data, or steal your identity. Also, use only approved wireless access points. You don’t want to connect unintentionally to a wireless network that you happen to be moving by, because it may not be secure. Ensure you only connect to wireless networks that you actively choose.
  • Disable file and print sharing. You may not have this enabled, but in case you do, turn it off before going mobile. It allows other users to connect to your computer, something you may find desirable while in a work environment, but certainly not so while on the go.
  • Disable your wireless Internet connection when not in use. When you’re not using it, having your wireless Internet on is just an added security risk. Many newer devices literally have an on/off “switch” for the wireless card.
  • Make your home wireless network more secure. When you work from home, that’s another place your laptop or mobile device can be compromised. All the precautions you take while at the local coffee shop could be for naught if someone uses your home wireless network to view your private data. Some tips on how to avoid that scenario:
    • Change the name of your “SSID” network and/or don’t broadcast it. Wireless routers come with default names, so change the network name to something that does not identify you or the make/model of your router. It is worth it to take the time and trouble to change the default name of your home network and to opt not to broadcast it; attackers look for easy solutions, and changing its basic settings can deter many of them.
    • Ensure you’re using a static IP address. If your wireless router is not handing out IP addresses, then the attacker has much more work to do.
    • Position the wireless access point near the physical center of your home. If the attacker cannot get to the wireless signal, then you are safer. Placing the wireless access point as close to the center of your home as possible inhibits the radio waves coming from the access point from extending beyond your exterior walls.
    • Enable your firewall. The firewall is like the maître d’ at a fancy restaurant. If you’re not on the list, you can’t get in. While they are always important for restricting traffic coming into and leaving your computer, firewalls are especially important if you’re traveling and utilizing different networks. Firewalls can help prevent outsiders from gaining unwanted access.
    • Change the default admin password; make it longer and more complex. Wireless routers and access points come with passwords set by the manufacturer. Every attacker knows these default passwords. So come up with one of your own, and make sure you write it down and keep it in a secure place (which is not close to or on the access point).
    • Make sure you’re “Security-Enabled” by turning on encryption. Up-to-date encryption is nearly impossible to defeat. The more complex the better.
    • Only allow machines you know to connect to your network by enabling MAC address filtering. While it is easy for attackers to change a MAC address to match one of your allowed addresses, it adds yet another layer of defense.