Read the book: Start-Up Secure - Chris Castaldo - Page 22

MOBILE DEVICES

Mobile devices are now woven into the fabric of everyday business – smartphones, tablets, etc., are used to run and secure your start-up. These have the same level of access to critical information as your laptop. Many MFA solutions, which I discussed earlier, run as apps on your smartphone; physical tokens are still the most secure but not as convenient as a mobile app. Our mobile devices are now acting as the keys to the digital kingdom. Nearly all the same security rules we've discussed so far apply to our mobile phones and devices. You must make sure the operating system is up to date; keep installed applications up to date; set a strong passcode, fingerprint authentication, or face authentication; and encrypt the phone if encryption is not on by default for your make and model. Some of these protections are not activated out of the box and are easy to skip over in the setup process.

Setting a passcode, passphrase, pattern, or fingerprint is the first line of defense in protecting the data on your phone and the data it has access to. Nearly all modern devices support these features, and you should enable them when you buy the phone or, if you have not yet, do so immediately. There are many lines of thought on which option is most secure, again a larger discussion than can be covered in this book, but you should enable at least one of them. You should also encrypt your phone in case it is lost or stolen. While most thieves resell the phones and don't attempt to retrieve data from them, encrypting your phone will provide peace of mind if it goes missing. Both Google and Apple offer the capability to find your phone if it is lost, or remotely delete all sensitive data if it is stolen. These features are not enabled by default and you should ensure you switch them on for any device you use for conducting business.

When a device is lost or stolen, you have now lost your ability to log in to services that require your MFA code, such as Google Workspace or Apple iCloud. Both services have procedures that will allow you to log in after an emergency, but it can be a lengthy process. Both services do allow you to set up an emergency phone. This should belong to someone you trust explicitly: a co-founder, spouse, or another family member whose device you could quickly access in an emergency. So preferably not someone who lives on a different continent. Or you could even have a second phone that you leave locked away for such an event, depending on how critical your data is.

As you scale, it becomes more important to manage these devices. Whether to issue mobile devices to employees will certainly be a business decision. Issuing devices provides stronger controls around how users access your sensitive data, but also requires employees to carry two devices. Another option is to require employees to install corporate mobile device management software on their phones to block certain apps from accessing your data, or to force users to use only certain applications to access your start-up's sensitive data. This option requires careful consideration based on local, state, and federal laws, not only where your start-up is located but also where your employees are located. There can be privacy implications, and employees may refuse to give access to their personal devices.
