Contributed Column

All About IT

by John Burton, NPI

How to avoid the mobile ransomware epidemic

Today’s employees virtually live on their mobile devices — not just during the work day but well beyond — from virtually anywhere on the planet. I’ve noticed that about half of Vermont’s employees use their personal devices for business email and many use it for other company business as well.

Because mobile devices have become our constant companions, cybercriminals have latched onto them as a prime avenue of attack. The unfortunate reality is that most smartphones are not set up with the security features companies require; there are extensive configuration changes needed to make them “business ready.”

By using a nearby rogue hacking device, determined hackers gain access and begin downloading sensitive data from a smartphone in less than 30 seconds. Testing has shown that many of our top tourist attractions, such as Faneuil Hall Market in Boston, have become lucrative targets for unsuspecting people who mistakenly connect to rogue Wi-Fi that infects their devices.

Smartphones are also vulnerable to ransom ware infections through inadvertent downloading of attachments. A person thinks the attachment is a legitimate file but it turns out to be infected. Once activated, the ransomware changes passwords and encrypts the phone’s files, making them impossible to access. In order to get the new password or decrypt the files, the ransom must be paid in bitcoins. On receipt of the payment, the cybercriminal releases the password and encryption key so access can be restored. Most ransom demands are crafted to cost less than the price of replacing the inaccessible data, so many victims just choose to pay up.

Ransomware can even transfer from a mobile device to a business network system via Wi-Fi. Mobile device threats are rapidly increasing and can result in not only data loss but also security breaches and violations in regulatory compliance.

A number of steps can be taken to reduce the risks and adhere to business legal, privacy, and security requirements. Common protection techniques include:

1. To keep the protections current, set the smartphone to automatically update the OS and apps. Set the OS privacy and security settings to the highest levels.

2. Disable ad hoc Wi-Fi connections and don’t automatically connect to wireless networks. Limit use of public hotspots and turn off Wi-Fi when not in use.

3. Don’t use person-to-person payment applications as they are more vulnerable to intrusions.

4. Install a personal firewall and antivirus software and set them to automatically update.

5.Prevent unauthorized changes by anyone other than the device administrator. Only download apps from trusted sources.

6. Use a complex password rather than a PIN and change it frequently.

7. Don’t leave the device unattended; always treat it like a purse or wallet. Keep track of it at all times in public places (it only takes a couple of seconds for someone to swipe it). Secure the device when leaving it in a hotel room.

8. Subscribe to a phone finder service to quickly locate or wipe a lost device. Turn on disk encryption.

9. Don’t enable others to tether to your device. Don’t lend to others as they might make unauthorized changes.

Unless the data on the phone is backed up, there is no option but to pay the ransom. With well-supported mobility and security awareness programs in place, companies can keep users happy while keeping sensitive data secure. Putting these protections in place allows everyone to effectively compete in today’s mobile-first environment. •

John Burton is the co-owner and president of NPI, a technology management company in South Burlington; www.npi.net

Index of Contributed Columns

For information on submitting a contributed column see here.