Cyber Liability Alyssa Burley

Ransomware Is the Hacker Biz Model of Choice: 5 Best Practices to Protect Your Network and Users

Author, Nick Graf, ARM, CISSP, CEH | Assistant Vice President, CNA

As mobile devices continue to increase in popularity, many consumers use them as their primary means of communication. These hand-held devices, which are equipped with increasing amounts of processing power and data storage capability, are not only used for written and verbal communication, but also for taking high-definition photos and video, conducting financial transactions and transmitting health data. Therefore, ensuring this information is adequately protected is critical, but often overlooked.


How Can You Protect Your Mobile Data And Stay One Step Ahead Of The Hackers?

Start by enabling a PIN or biometric screen lock. This lock will prevent a casual user from accessing the contents should you lose your phone. Apple iOS 9 now defaults to a six-digit PIN instead of four digits. Adding two extra digits makes guessing the PIN much harder (i.e., 1,000,000 possible combinations versus 10,000 with a four-digit PIN). For additional security, you may also opt to use a longer alphanumeric passphrase. Many new phones also give the option of biometric (fingerprint) authentication.

Another crucial step is to ensure you are using full disk encryption. Consumers will sometimes confuse having a PIN or password on their phone with encrypting their phone — they are not the same. While an encrypted phone requires a PIN or password, it is possible to have a PIN screen lock on an unencrypted phone. An unauthorized user may be able to access information stored on an unencrypted phone (by plugging the phone into a computer running specialized software) without knowing the PIN or password. Encrypting your phone and using a strong password prevents this type of attack. Apple recently began encrypting devices by default in iOS 8, and Android did so in 6.0 Marshmallow.

What About Wi-Fi?

Be careful using your mobile device on public Wi-Fi hotspots. While users may opt to use a public Wi-Fi hotspot to reduce data usage on their mobile plan, they should be aware that public Wi-Fi is inherently insecure. If you choose to use such a connection, attempt to verify that the hotspot is legitimate. Ask the owner of the business for the network name. Be mindful that it is trivial for a malicious user to create a wireless network with the exact same name, making it difficult to verify the authenticity of the network. Next, use a virtual private network (VPN) to protect your data from an attack on this local network.

Keep Your Software Up To Date

Another area of importance is keeping your mobile device's software up to date. Both the phone's operating system and individual applications should be updated to reduce the risk of software vulnerability exploitation. On iOS devices, you should be automatically prompted when a new version of iOS is released. On most Android devices, users will need to wait for their wireless carrier to make updates available to them.

Both iPhone and Android have a "find my phone" feature. Enable this feature to help find your device if it is lost. Both services allow owners to locate their device, play a sound on the device, and remotely lock and erase the device.

Learn more about CNA's Cyber Liability products or please contact a CNA representative to pinpoint your risk areas that are becoming more and more vulnerable in the context of today's emerging technologies. One or more of the CNA companies provide the products and/or services described. The information is intended to present a general overview for illustrative purposes only. Read CNA’s General Disclaimer.


When it Comes to Protecting Your Data, Let’s Be Careful Out There

Author, Nick Graf, ARM, CISSP, CEH | Assistant Vice President, CNA

While most people think of hacking as an attack against a website exploiting a vulnerability, in reality, hacking can be as simple as asking for a password. Today's hackers have realized that social engineering a user to give up his or her password may be the easiest way into an organization. The term social engineering refers to the "psychological manipulation of people into performing actions or divulging confidential information." And, it is important to understand this type of attack can occur via email, phone or even in person.


Phishing is a common type of social engineering done via email. We have undoubtedly all seen these types of emails. Historically, they were easy to identify (the Nigerian Prince emails come to mind). But these days, the bad guys make their message far more polished, with a plausible backstory, and time it around current events. For example, phishing emails purporting to be from the IRS always peak around April 15. Social engineering attacks also occur by phone. Attackers will perform reconnaissance on their targets and pretend to be a business associate or other trustworthy party. They may also spoof the caller ID, making the number match the person they are impersonating. They may even conduct an attack in person, with a backstory in place and dressed to "look the part." Attackers will also leverage malware, sent as email attachments or via malicious websites. If they can get this malware onto your computer, it can allow them to see everything you type (this is known as a keylogger).

Password reset questions can be another avenue for attack. While an attacker may not know your password, they may be able to use publicly available information against you. Answers to security questions, such as where you went to high school, your mother's maiden name or a previous street address, can often be discovered on the Internet. If the attacker can provide the answers to these questions, then they can easily reset your password and access your account.

Typically, people are not great at remembering passwords, and the bad guys know this. Most of us likely have three to five passwords we reuse for all of our website access. If an attacker compromises your password through another method (e.g., a website attack, social engineering, etc.), they will try these credentials at other sites because doing so is likely to give them access.

Finally, we know surfing the Web at a public Wi-Fi hotspot can put our data at risk. Over an unencrypted Wi-Fi link, everything you type is clearly viewable to those around you. And, when you're in a public setting, it can be difficult or impossible to determine whether the hotspot you've connected to is illegitimate or has been compromised. If you unknowingly connect to an illicit hotspot, the attacker can silently downgrade secure (HTTPS) traffic to a plain, unencrypted HTTP connection, allowing all information to be viewed.

With an abundance of additional access points for hackers to breach, how can you ensure that your system remains secure? Please contact a CNA representative to learn how risk controls can be tailored to your business or visit www.cna.com/cyberliability.
