Thursday, November 20, 2014

Danger comes in small packages: Securing employees' mobile devices




Whether your company provides workers with mobile devices or allows them to bring their own, you have to be vigilant. If your employees work outside the office with their tablets or smartphones, they’re walking around town with your data in small, easy-to-lose, easy-to-steal containers. Should any of those devices go missing, there’s a lot more at stake than the cost of the hardware.

Following these basic procedures will help keep your company safe from mobile threats.

Insist on mobile antivirus apps
Almost everyone knows that they need an antivirus program for their Windows PC, but few understand the necessity of running a similar tool on their mobile device. According to Symantec's Internet Security Threat Report for 2014, 57 percent of adults didn't even know that such tools existed. But here's the really scary part: Only 44 percent were equally ignorant in 2012. In other words, the average person knows less about mobile security now than they did two years ago.

Android attracts more malware than iOS by a very large margin. According to Kaspersky Lab's Mobile Cyber Threats report, published this October, "98.05% of all existing mobile malware targets the users of Android devices." The ability to download apps from sources other than the official Play Store and the irregular way updates get pushed to devices make Android a tempting target.

But iPhone and iPad users shouldn't be complacent. iOS has its share of vulnerabilities. What's more, malware that latches onto applications doesn't really care about the operating system; if the OS can support the app, the app can support the malware.

Think data, not device
Losing a smartphone is an inconvenience. Letting the data on it fall into the wrong hands is a disaster. According to Adam Ely, Co-Founder of Bluebox Security, "79% of companies reported a mobile data breach, with the cost of data loss ranging from less than $10K to over $500K per incident." That's a lot more than the cost of a phone.

The first line of defense: Secure the mobile device with a sufficiently complex password. You might also consider other techniques for locking a phone. Add more protection by encrypting company data (a locked phone doesn't help much if the Micro SD card inside is open) and by setting up a mobile-to-company-server backup routine.

Use a Virtual Private Network
Criminals don't need to steal a smartphone to read the data flowing from that phone to the Internet.

That's why your company needs to use a VPN to encrypt the data as it journeys between the mobile device and the network. A good VPN provides more than just encrypted data. It can track who's accessing the network, authenticate users, and allow employees to access company applications in the field.

Respect your employees' privacy
If you don't handle your company's BYOD policy properly, your employees may look at you with the same lack of trust that American citizens reserve for the NSA. As Ely explained, "it is important to maintain boundaries between work and personal use on an employee’s personal device. Users are rightfully worried that their privacy will be compromised if they use their personal device for work purposes."

Your BYOD policy must spell out clearly what rights belong to the employee and the company. Prepare a clear statement that defines the circumstances in which the company will open private files. Also, the employee must understand ahead of time that the device may be wiped remotely should it be lost.

Make it easy
If a user must go through eight security steps before they can get to work, they will find a way around those steps. After all, they're being paid to be productive, not to enter multiple passwords and prove that they really are themselves. According to Ely, "No matter how robust a mobile device program is it will not succeed without the support of the end users."

So keep ease of use in mind when designing a secure system. Require fewer passwords, and use automated encryption technologies that don't require many user interactions.

Another way to simplify: Design easy-to-use systems, help employees when the systems aren't as easy as they should be, and offer convenient options like remote access so they can get fast support from your help desk if they need it. "Support must be a priority," warns Ely. And "focus on product design to minimize issues, prioritize quality testing and populate…support portal with how-to’s and FAQs."

Going mobile has considerable risks and considerable benefits. You need to lower the first so you can make the most of the latter.

How to buy the perfect PC gaming laptop



Desktop diehards and the Reddit build-it crowd might scoff at the very concept of a portable PC gaming machine, but the gulf between gaming desktops and gaming laptops has narrowed considerably over the years. Today’s laptops can play modern games at 1080p and higher with few to no compromises in graphics settings. And that's not bad.

Sure, traditional desktop PCs offer more expansion options and easier upgrade paths, and can be significantly cheaper for the performance you get. But there's no denying the appeal of a single, self-contained gaming machine that you can move from the living room to the dining room to even the back porch.

You just need to pick your gaming laptop wisely. Your decisions will key into a series of component choices, so let's dig into them, one by one.

Is the government spying on you? Find out





Are you concerned that the government is spying on you? A consortium of human rights activists claims a new app called Detekt will alert you if the feds are watching.

Detekt works like an antivirus scan. Run it on your computer, and it tells you if the machine has been infected with malware that many government-sponsored hackers are known to use to spy on activists and journalists.
For example, the Ethiopian government has been hiring hacking mercenaries to crack down on bloggers. Ethiopia has jailed journalists for critical reporting. Their surveillance is widespread: An American citizen in Silver Spring, Maryland with Ethiopian ties recently found this kind of spyware on his home computer, according to a federal lawsuit.


Ala'a Shehabi, a British economist in Bahrain, was among those targeted with FinFisher spyware during that country's lethal military crackdown on pro-democracy protests during the Arab Spring in 2012.
And the Chinese government is widely suspected of spying on its citizens' online activities.
Detekt is the work of Italian security researcher Claudio Guarnieri, Amnesty International, the Electronic Frontier Foundation and similar groups in England and Germany.


Detekt is limited, though. It only works on Windows computers. Researchers don't have enough insight into how spyware works on Macs, Guarnieri said.
It's also not meant to stop the kind of bulk government surveillance revealed by NSA contractor Edward Snowden last year.
And Detekt only spots eight different types of malware, including the strains most commonly used by governments. Now that government-hired hackers know there's a foil around, they're sure to find a workaround, Guarnieri acknowledged.
Those limitations are why some cybersecurity experts aren't convinced it'll work.
But it's not meant to be the only solution, said Jillian C. York, who worked on the project as EFF's director for international freedom of expression.
"It's just one more piece of a toolkit to fight corporations selling spyware to democratic and authoritarian governments," she said. "But we absolutely need it."
The fact that Detekt was made an open-source project means that it can only get better, because anyone can see how the code works -- and contribute to it. It also makes Detekt trustworthy, said Mikko Hypponen, the top security researcher at F-Secure in Finland.
But if nothing else, the man behind Detekt also hopes it will spark a conversation about the ethical ramifications of government espionage.
"I also hope that this will get people to reflect on how they feel about their governments using spyware," Guarnieri said.

Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER




Amnesty and Privacy International are offering a free-of-charge spyware detection tool designed to help journalists and human rights activists stay one step ahead of government surveillance.

The Windows-only Detekt anti-spyware tool is designed to be a supplement, rather than an alternative, to pre-existing anti-virus protection. It's an extra layer that can identify potential government spyware or commercial spyware tools, such as FinFisher.

"It was intended as a triaging utility for human rights workers travelling around. It is not an AV," explained developer Claudio Guarnieri in an online discussion about the tool with other security researchers.

The tool provides "researchers, human rights workers, journalists and others who suspect they are targets of unlawful surveillance with the means to easily test their computers for known spyware" [our emphasis]. Digitale Gesellschaft and the Electronic Frontier Foundation partnered in its development.

Doubts about the approach have centered upon whether privacy firms will be able to push out new definitions fast enough as new trojan variants are developed, as well as more general concerns about the effectiveness of anti-virus scanners.

Detekt had been privately used prior to the "strategic decision" to make it public, according to Guarnieri, who worked with researchers from Citizen Lab on its development. A FAQ from Amnesty International on the tool can be found here.

"Governments are increasingly using dangerous and sophisticated technology that allows them to read activists and journalists’ private emails and remotely turn on their computer’s camera or microphone to secretly record their activities," said Marek Marczynski, head of military, security and police at Amnesty International in a statement.

"Detekt is a simple tool that will alert activists to such intrusions so they can take action. It represents a strike back against governments who are using information obtained through surveillance to arbitrarily detain, illegally arrest and even torture human rights defenders and journalists," he added. ®