VI. Thou shalt encrypt all data stored on thine mobile devices.
Summary:
Your data is valuable to you. Even something as simple as the phone numbers in your phone’s contact app. It’s also valuable to the evil doers. They would dearly love access to your phone with all of the valuable e-mail, SMS, call logs, WhatsApp messages. Everything on your phone will be of some use to these criminals, because it is real data, with valid names, e-mail addresses, phone numbers, etc. and they can sell this online to anybody who wants it, such as your competitors. Wouldn’t they like to know that you’ve been making lots of calls to one of their customers recently.
The thing with mobile devices (Laptops, Tablets and Phones) is they can hold a lot of data and can be very easily mislaid or worse stolen. That is why it is ESSENTIAL (note emphasis) that you encrypt (i.e.- scramble the data such that it is unreadable unless you have the key) all data on your mobile device. This is quite easy to do as most modern smart phones and tablets have the ability built in. For laptops, special software may be required (e.g.- Bitlocker is the Microsoft supplied product for Windows, but there are others).
Also there may be a legal requirement for you to encrypt data. If you store documents, spreadsheets or databases which contain Personally Identifiable Information (PII), then the Data Protection Directive requires that this data be stored such that only those people who are authorised to it, shall have access to it. So for a mobile device this means the data must be encrypted and only accessible to the person who has the key. If a device containing PII details is lost or stolen, then a report must be made to the Data Protection Commissioner’s office. If the data was properly encrypted, no further action would likely occur. However if the data was not encrypted, the Data Protection Commissioner would carry out a detailed investigation of your practices, which may lead to prosecution.
That’s all there is to it. I will continue below with some details on the subject of encryption. So if you are not interested in such particulars, just make sure all of your data on mobile devices is encrypted.
Detail:
What is PII:
PII is something which can identify somebody as a person or in conjunction with other pieces of PII data can identify somebody as a person. The following is an example of some attributes which are considered PII:
- Full name
- Home address
- Email address
- Personal Public Service (PPS) Number
- Passport number
- Vehicle registration plate number
- Driver’s license number
- Face, fingerprints, or handwriting
- Credit card numbers
- Digital identity
- Date of birth
- Birthplace
- Genetic information
- Telephone number
- Login name/screen name/nickname/handle
So if you have any of these attributes which identify customers, business partners, colleagues, etc. stored on a mobile device, you must have this information encrypted.
Different methods to encrypt data:
To be totally safe and secure, you should always opt for complete device or full disk encryption. This means you don’t have to worry about accidentally having a piece of sensitive data in an unencrypted place on your mobile device.
However, some people may be of the opinion that it is overkill to encrypt everything. They may only have a single spreadsheet that contains PII data, so they might opt to use Microsoft Excel’s encrypt function. In newer versions of Excel this uses, what is called, AES 128 bit encryption, which is OK, but it is crackable (there are a lot of utilities for breaking Excel passwords). If you had to notify your customers about the loss of their PII data, it would not give a great impression if they thought you only used Excel’s encryption.
File compression utilities such WinZip or 7Zip offer AES 256 bit encryption which is much more robust. However if somebody uses a short or widely known password (“123456” anyone?L) then these can be cracked too. If you chose a nice long and complicated password, then compressing the files, with encryption should be acceptable.
However there is nothing like using a purpose built encryption package to give confidence that you take security seriously. A well known application called PGP (Pretty Good Privacy) has been around since 1991. It is now a commercial product which has been bought by Symantec. It can secure files, folders, entire disks and also e-mail. There is a freely available alternative called TrueCrypt, however it is no longer actively supported, so it may not be acceptable to use this product. However VeraCrypt is actively supported and was based on a version of TrueCrypt from before it went unsupported.
Finally for devices like Phones and Tablets, if you have installed additional memory cards (MicroSD or the like) to increase storage, then make sure these are also encrypted, as this might be a slightly separate function to encrypting the device storage.
Corrupted data and Backups:
If you have encrypted your entire device, hard drive or even a folder containing a lot of files, it is possible that the corruption of a tiny section of that encrypted data may make the whole lot inaccessible. This is as opposed to where the folder of files were not encrypted, the corruption of a tiny section would only impact on a single file and even then it may still be accessible.
It is therefore essential that you have your data backed up. That sounds familiar … hmmm … Commandment IV anybody?
Of course if your data is being backed up to some form of external media (tape, disk, USB memory stick), then these are also highly mobile, so the data should be encrypted on that media too.
Some Full Disk Encryption utilities (e.g.- VeraCrypt) will create a Rescue/Recovery disk when they encrypt the full hard drive. This is just in case the keyfiles on the hard disk become corrupted. It will enable you to access the encrypted data. This Rescue/Recovery Disk should be put somewhere very safe and secure.
Is your e-mail encrypted:
A lot of the data that flows across the internet is not encrypted, therefore it is quite easy for anybody to see what other people are reading/downloading. E-mail is a particular case in point, as most e-mail data traffic is not encrypted. So if somebody had tapped into your network connection, they could quite easily read any e-mails that were in transit to and from your customers or vendors.
Most large corporations would have a form of e-mail encryption, called Transport Layer Security (TLS), turned on which would scramble e-mail messages while they are enroute from their e-mail servers to yours. However if your e-mail server is not set-up with TLS, then they cannot scramble the e-mail to you, so it will traverse the internet in an unscrambled form. Similarly, your e-mails to them would be in a legible form.
If you use an e-mail hosting provider (e.g.- Microsoft Office 365 or Google Apps for Work) then it is quite likely that you have a TLS facility and it probably is already active (you should check to make sure it is).
However if you are dealing with customers who have basic e-mail services (e.g.- @IOL.ie, @Eircom.net, @Oceanfree.net, etc.) these almost certainly do not have TLS available to them. So if you need to be sending sensitive data to such accounts, you should check with the data protection commissioner about your responsibilities. You may need to get a waiver signed by these customers to acknowledge that their side of the e-mail communications channel is insecure.
Conclusion:
If you have any comments, suggestions or questions on the above, please leave a comment below.
Do you have a Commandment for Cyber Security to add or any thoughts on those that I have listed, if so please let me know and I will do a follow up after I have completed the run through.