    Explosion of mobile usage in Africa comes with security risks

    Limited access to landlines on the African continent has resulted in low figures for internet penetration: 28% penetration in Africa vs 89% in North America, for instance, as highlighted by Internet World Stats in June 2016. But this imbalance is changing fast with the explosion of mobile device penetration on the continent.
    Image by 123RF

    According to a Pew Research Centre survey done in 2015, in some countries on the continent “cell phones are as common… as they are in the United States”.

    And, as smartphones get smarter, services to mobile users become increasingly sophisticated. It’s now far more common, for instance, for companies on the continent to deliver confidential documents to their customers via mobile devices. But this poses security risks for both the company and the recipient – yet knowledge about the security risks is not nearly as extensive as the usage of mobile devices.

    Companies that send documents to mobile devices need to take the steps necessary to protect the customer’s data. But how can companies minimise this data risk on mobile phones?

    In a Q&A, Grant Shortridge, executive head: Striata Commercial Solutions, outlines how organisations can ensure they keep their customer data safe, even when it’s on the customer’s mobile device:

    Q: How prolific is mobile use in Africa right now?

    A: Mobile phones have had great success in Africa, because access to landline infrastructure has been limited. Smartphones have also started gaining significant traction. According to Pew Research Centre, around 34% of South Africans and 27% of Nigerians said their phones were smartphones, and this is helping to bridge the internet access gap. Africa is expected to hit the one billion mobile subscriptions mark in the fourth quarter of 2016, according to research from Ovum, which projects that the figure will hit 1.02 billion by the end of the year.

    Q: How have smartphones started bridging the internet gap?

    A: Many companies on the continent have started to deliver confidential documents to their customers via mobile devices. People opt to receive personal information in the form of payslips, invoices and statements via mobile, as it’s the easiest way to access that information. Of course, this poses security risks for both the company and the recipient. Unfortunately, awareness and knowledge of these risks isn’t what it should be.

    Q: How can companies mitigate these risks?

    A: Companies that send documents to mobile devices need to take as many steps as necessary to protect the customer’s data. In South Africa, the Protection of Personal Information Act (POPI) will soon make that legally necessary. But in truth it’s a two-way street - companies can only do so much; users need to do their part as well, by being sensible and vigilant.

    Q: Why has document security for mobile phones become an issue?

    A: Because of the proliferation of mobile users globally, security threats directed at mobiles specifically are becoming increasingly sophisticated. Hackers are targeting mobile payment systems as well as mobile browsers themselves.

    Beyond that, a 2013 Consumer Reports survey found that almost 70% of US users didn’t back up their mobile data, and almost two thirds don’t lock their screens at all. We have no reason to believe that these numbers are any different in Africa. But even if they are, the fact of the matter is that this type of administration should be implemented by everyone, without fail.

    Q: Whose responsibility is data security when it comes to mobile phones?

    A: As mentioned, it’s a two-way street. It is partly the sender’s responsibility in terms of encrypting and protecting any sensitive documents; and it is the mobile user’s responsibility in terms of ensuring the device itself is secure. The sender has no control over the device that the information will be received on. So, to be safe, it’s better that the sender assumes the device is unsecured and takes the necessary steps to encrypt or encode access to the files.

    Q: How can a sender help ensure that information sent to a mobile is secure?

    A: Documents delivered by email should be encrypted and password protected. Basic PDF encryption is not sufficient, and neither is using an easily identified password like an ID number. To really protect the personal data inside a document, it should be encrypted AND password protected with a medium to strong password.

    If confidential documents or data are made accessible via a proprietary application, the application must not automatically log the user in or store the login details. If it’s not possible to add a security layer into the app process, then each document needs to be protected.

    Perhaps most importantly, the company should continually educate its customers on emerging risks and the appropriate mobile device and application security. In as many customer touch points as possible, reiterate the security principles that will protect their confidential information.

    Q: What can you do as a user to protect data on your cellphone?

    A: Set up a pin or passcode to access the device. Auto-lock should ideally lock the phone after three minutes of inactivity. Be very careful about what apps you download and use. If you are concerned about the legitimacy of an app, read the reviews and use Google to see if there is any online chatter from users.

    Keep your apps updated. Updates can fix vulnerabilities that will otherwise leave you exposed.

    Don’t allow apps that store sensitive information to ‘store’ your password or automatically log you in. Rather opt to log in manually each time, and once you have finished what you need to do, remember to log out. In fact, whenever possible use dual factor authentication (username & password plus a one-time PIN, for example), especially for your banking apps. Gmail, Facebook, Twitter and Instagram are commonly used apps that offer dual factor authentication to avoid unauthorized logins.

    Major smartphone manufacturers now also allow for a remote ‘wipe’ of the data stored on a handset. Investigate this option. A remote wipe will remove any sensitive data if your phone is stolen or lost.
