According to some studies, over two-thirds of lost smart phones contain sensitive or confidential business information. This can lead to, sometimes serious, breaches of data and confidentiality. With the increasing use of mobile hardware in businesses – whether this is provided by the organization or on a bring-your-own-device (BYOD) policy – it is essential to ensure the data carried around in the pockets and bags of your employees is encrypted.
Of course, there are different types of mobile encryption. Conceptually, this is similar to locking a bicycle to deter theft. A flimsy padlock with a weak combination will deter casual or opportunistic thieves, but more determined criminals will not be so easily fooled. Therefore, strong ciphers and longer keys are recommended, such as the Advanced Encryption Standard with its 256-bit keys.
There are two types of basic encryption. Hardware encryption, for example on newer iPhones or Android devices, have an encrypted file system. Data is stored in a ‘scrambled state’ when not in use and this is only unscrambled when the device’s passcode is correctly input.
This is handy for organizations who give out a standardized device, it is just a matter of ensuring it has the requisite encryption. However, for BYOD organizations, users may have hardware that does not offer this level of encryption.
Software encryption is supported by many devices, even those where hardware encryption is not a viable option. In this instance, individual programs such as email clients or secure browsers will invoke OS-supplied application program interfaces or third-party crypto library functions to encrypt and decrypt select data.
Software encryption is also useful if the hardware encryption fails to meet security needs. For the determined, a lost iPhone can, for example, be cracked by using procedures like dumping the file system contents to recover hardware-encrypted data. Using software encryption can help add a robust layer to neutralize this risk.
Writing for Techtarget.com, Lisa Phifer recommends using each to get the best of both worlds. Think about it like an office building’s security: it is multi-layered and while a lost entrance pass may get you in the front door there are still areas of the building that are off-limits to that particular pass. Just like the restricted access to a building, software encryption adds layered protection to individual applications if the hardware encryption is broken.
Each device should be considered on a case-by-case basis. Identify the data that need protecting and choose the most effective mobile device encryption method/s. Remember to keep in mind that factors such as PIN or password length, strength and auto-lock timeouts will directly affect how easy or difficult it is for potential prying eyes to recover the encrypted data in the event of loss. Where possible, use layered encryption and apply more stringent protection to the data that would pose a serious business risk if lost.
The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: “Security is not a product, but a process.”