The loss of just one phone can be catastrophic for personal and work security
Learn how to change your iPhone settings to better protect your device, Apple ID, apps and data.
Judging by common searches, if your iPhone is stolen you are likely to have a lot of anxious questions, such as:
Can my stolen iPhone
Can my stolen iPhone
How can I erase a
Welcome to another Byte-size Briefing by The Final Step, where we advise on how to reduce your risks should your iPhone be stolen. This briefing covers a new mobile phone crime that affects private individuals and businesses.
We strongly recommend you read this briefing in its entirety and then look at your phone and decide which settings are appropriate for you. Changing one or two settings without reference to the others could result in some nasty surprises and that’s exactly what the briefing is trying to help you avoid. If you are a business, it’s best to consider this together with expert advice on your IT environment as a whole.
The catastrophic consequences of iPhone theft
New criminal behaviour is prompting people and businesses to re-evaluate their mobile phone security, as the precautions we thought were sufficient are proving to be inadequate.
Fraudsters are stealing iPhones in a way that means they can clear out your bank account and steal your identity. These crimes highlight the need to add additional layers of security to your phone and to behave differently in public.
The crime is sometimes referred to as “shoulder surfing”, because thieves look over your shoulder and observe or record you entering your passcode into the phone. They then pickpocket or steal the phone AND already have your passcode.
You may have previously thought of the theft of your phone as a “petty crime”, but it has potentially catastrophic repercussions if thieves steal your device and know your passcode, as it means they can:
- Raid your bank accounts.
- Stop your ability to track and control all your Apple devices.
- Make changes to your Apple ID and your personal information.
- Restrict your access to personal photos and videos with no way to reclaim them.
Detective Superintendent John Roch, Head of Economic Crime Unit for London’s Met Police, told the BBC that the scale may be small, but the impact can be huge.
The BBC reported that phone thefts are surprisingly common. In London in 2022, an average of 248 phones were stolen per day – that’s one phone every six minutes. Of the 91,000 reported stolen, only 2% were recovered. It can be extremely difficult, near impossible, to recover your device.
But the loss of the phone itself is relatively insignificant compared to the loss of your money, your identity, your credit rating, your precious memories in photos and videos and the threat to your business. The impact can be devastating.
The BBC reported that it took Jacopo de Simone 10 months to recover the £22,000 stolen from him overnight after the theft of his phone. Similarly, the Wall Street Journal (WSJ) reported that Greg Frasca spent months trying to regain access to his Apple ID and even offered to fly to Apple’s HQ to prove his identity and recover eight years of photos and videos of his children.
In this Byte-size Briefing, we will be focusing on iPhone security because, according to the WSJ (reporting on American incidents of this crime), Apple devices are seen as a lucrative criminal target because of the security loopholes that provide a greater payday. And, once the thief has exhausted exploiting your data on the phone, the device itself commands a higher value than alternative devices.
That being said, it would be a mistake to think the lessons here are only for iPhone owners, or that this is only a personal and not a business problem.
So, in addition to covering specifics for protecting your Apple devices with straightforward how-to videos, there are general principles and best practices that apply to all mobile devices, be that a Google Pixel, Samsung Galaxy or any other smartphone or tablet! And if you are a business that allows mobile connectivity to your work environment – be that from a personal or a work device – we will outline the key principles for secure mobile device management (MDM).
Unfortunately, there is no “one tip” that guarantees protection from this crime, but by following the actions and behaviours we suggest, you will improve security around your device. So, if the worst should happen you will be in an informed position, enabling you to recover as best as you can.
A word of caution
We strongly recommend you read this briefing in its entirety and assess your own situation before putting in place any of the changes. Implementing a single tip without considering the rest may have unexpected consequences. That said, it’s advisable to improve your security as soon as you can.
It’s hard to advise on the best order in which to make the settings changes as it depends on your current settings and understanding. However, if you don’t have a backup, making sure you have one is an excellent first step!
What can be done with a stolen iPhone?
The theft itself can be shocking, as it has been known to involve pickpocketing, mugging, distracting or even drink spiking. On top of that trauma, the recovery can also be tortuous. Financial organisations may be reluctant to pay out fraud claims if they believe you have “given away” your passcode. It can also be convoluted, time consuming and expensive to prove you are the true holder of the stolen identity. From a technical point of view, these are the risks you are looking to mitigate:
- Getting locked out of your phone.
- Having your money stolen via your financial apps.
- Being prevented from tracking your mobile phone using Find My iPhone.
- Getting locked out of any other devices associated with your Apple ID.
- Criminals gaining access to all your password info stored in Keychain and gaining access to a whole lot of other financial and personal information.
- Criminals having access to your Apple Wallet and its payment methods.
- Getting locked out of your Apple ID, which means:
  - Criminals have longer to explore other financial hijacking options.
  - Thieves can reset your recovery key to one unknown to you. If that were to happen, as Apple’s support page makes clear, “you could be locked out of your account permanently”.
  - You lose your ability to wipe your device remotely.
10 top tips to improve your iPhone security
One victim told the BBC he now avoids using financial apps on his phone at all, despite the inconvenience. At The Final Step we often say there is a balance to be struck between convenience and security, but adopting a security-first mindset is worth a little extra effort. Detective Superintendent John Roch encourages people to think of their phones as if they were a large bag of cash.
Certainly, it makes sense to preface technical advice with a caution to be more aware of your surroundings and try to avoid using your passcode whenever you can be overseen. It is safest to assume your phone and passcode will both be stolen, and you should set your iPhone up accordingly.
Let’s start with four tips that look at how to control access to the iPhone and all its data.
How to protect access to your iPhone
Ensuring that nobody can ever oversee you entering your passcode may be a difficult habit to form. Using Face ID is one layer of protection. It makes the use of a passcode less frequent, but it’s not infallible, as when it fails it will revert to asking for your passcode. Here’s an explanation of how to set it up.
TIP 1: Set up Face ID on your iPhone
To ensure that you are properly protected, you should use your passcode in public as infrequently as possible to avoid anyone seeing it. Setting up Face ID or Touch ID enables this.
One way to see this is that Face and Touch ID are what you are – they use your own biometric data to open your iPhone. A passcode is simply something you have, and can be stolen from you like any other possessions.
Unlock your phone and navigate to Settings. Scroll down until you see ‘Face ID & Passcode’ or the Touch ID equivalent. Tap on this and enter your passcode to make changes.
Tap then on ‘Set Up Face ID’ and follow the instructions – you’ll be asked to position your face in the frame and move your head slowly in a circle to register every angle.
Your Face ID is now set up. The options at the top show what Face ID will be used to unlock. Select whichever options you feel comfortable with. Just note that Face ID will be more secure than using a passcode in most situations.
Another good option to enable is ‘Require Attention for Face ID’ a little further down the page. This ensures that anything that requires Face ID to unlock will also require you to be looking directly at your iPhone.
In an ideal scenario, you won’t ever use your passcode in public, which is the only sure-fire way to ensure that nobody is looking at your phone whilst you enter your details. We know this isn’t entirely practical, as even with Face ID and Touch ID enabled, it will occasionally default to requesting your passcode as an extra level of security. When this happens, check your surroundings and cover your passcode.
One of my colleagues had his work iPhone snatched from his hand by a masked criminal on a bike, outside our central office at lunchtime in broad daylight. The thief was gone before he had time to react.
In this instance, the criminal is hoping to snatch the phone while it is unlocked, or to guess the passcode afterwards, or may simply be looking to reset the device and sell it. So, although you can’t consider a passcode on its own a sufficient defence, you should still set one.
We have three recommendations for defending your phone against someone who is trying to guess the passcode or hopes to, once they have snatched it. We’ll cover two of them with a video:
- Set a complex, harder-to-guess passcode, ideally an alphanumeric password.
- Set your iPhone to lock after 30 seconds of inactivity so the criminal has less time after a ‘snatch and run’ to gain access before it locks. Do this via Settings, Display & Brightness, Auto-Lock and select “30 seconds”.
- Set the phone so that too many incorrect attempts to enter a passcode will result in your phone wiping itself of data.
TIP 2: Change your 4 or 6 digit passcode to an alphanumeric password
When we create accounts on the internet, websites tend to force us to use alphanumeric passwords over a certain length, and sometimes even require a special character. Why we consider iPhones any different from these accounts is a mystery, but if anything, we should be protecting our phones with an even greater level of security considering how much personal and financial information we can store on one device. This is also true of company devices, which may contain information on clients, finances and other sensitive topics.
Unlock your phone and head to Settings, and select the Face ID & Passcode option. Scroll down until you see ‘Change Passcode’.
Tap this and enter your existing passcode. Instead of entering a new 4- or 6-digit passcode, select ‘Passcode Options’ at the bottom. The top option should then allow you to set a Custom Alphanumeric Code.
For the sake of this video, I will enter a basic password so that I can change it later, but you should enter a long, secure and unguessable password. For tips on good password hygiene, check out our blog on the topic, which I will link below.
Select next and confirm the password you’ve just entered. The next time you unlock your phone, you will be prompted to enter this more secure password.
Whilst this is an important step to take, it’s worth noting that you should still opt to use Face ID or Touch ID where possible. Whether or not your passcode is 4-digits, 6-digits or alphanumeric, if a thief watches you enter your password, they will still have access to your phone should they steal it.
Here’s our blog on password hygiene, mentioned in the video tip.
Set up your ability to Track and Wipe your iPhone
Being able to track your iPhone’s location using the Find My iPhone function is a sensible precaution to put in place, mainly because it allows you to remotely wipe your data off the device. This is a major security benefit if the phone is no longer in your possession.
You may hesitate to use this option if you don’t have a backup of your phone’s data that you can restore to another device (we will cover this later). Knowing you have a backup gives you the confidence to act quickly, which is important as an organised, quick-acting thief will try to disable the feature before you can use it.
Wiping your own device requires that you know your Apple ID password. That password should be unique, strong and not easily guessable. That means you most likely will have it recorded on a password manager which you will need to access from another device. Most password managers work on multiple devices and allow you securely to share key passwords with others.
Having such a setup may allow you to act more quickly. Ideally, if you are a business, you would simply phone your IT department or IT managed services provider to remotely wipe it, assuming they have an MDM solution in place.
Tip 3: Enable location tracking with Find my iPhone and how to use it
Whilst enabling tracking via Find my iPhone isn’t a preventative measure, it’s an important function to have set up should a thief steal your phone, as if you act quickly, you may be able to wipe your phone remotely. This function is best used if the thief steals your phone and doesn’t know your password, as they shouldn’t be able to make changes to your Apple ID without this.
To set up Find my iPhone, navigate to Settings and tap your Apple ID at the top. Locate the ‘Find My’ option and tap this.
Tap on the top option that says ‘Find my iPhone’ to turn on settings.
The top option enables Find my iPhone. As you can see from the subtext, this allows you to locate, lock or erase your device and accessories remotely, and to do so requires your password. This is why it is important to act quickly, as an intelligent thief will seek to change your Apple ID password immediately, which unfortunately can be changed using only your phone’s passcode.
Have a look through the other options on this page, as some of these can come in handy if you have simply lost your phone and it hasn’t been stolen.
To use Find my iPhone to lock or wipe your iPhone, you will of course need to use a different device to do so. If possible, you should use a device of your own such as an iPad or MacBook, but if you are out in public this will be difficult. What you should do in this instance is use a friend’s iPhone to log in to your Apple ID and wipe your own iPhone. In this instance, we’ll show you how to wipe it from another iPhone.
Once logged in on another iPhone, navigate to the Find my app. I’m using the search function to get there quickly. Tap devices along the bottom and it should list all devices associated with your Apple ID. Select the device that has been stolen. Scroll to the bottom of the options, activate the Mark As Lost option, and then click erase this device. I won’t perform this action on my end in this instance, but follow the steps that pop up next when you select each option. If you are lucky enough, you may be able to wipe your device before a thief is able to do any damage.
We mentioned earlier that some thieves snatch phones when you are distracted, hoping they can unlock them later by guessing the passcode. You can protect against unauthorised access by setting the phone to wipe after 10 failed passcode attempts. You must have access to your Apple ID and already have taken a backup to get your data back once you have bought a new device.
TIP 4: Set iPhone to wipe data after 10 failed passcode attempts
In the event that somebody steals your phone whilst locked and without knowing the passcode, it’s a good idea for your phone to automatically erase all data in response to any forced login attempts.
It’s important to note at this stage that if your phone is stolen, you should assume that the thief knows the password, and should still carry out the other recovery steps such as trying to erase data via Find my iPhone as soon as possible.
To set this up, head to Settings and to Face ID & Passcode. Enter your passcode as prompted, and then scroll all the way to the bottom and turn on ‘Erase Data’. You will be asked to confirm this choice, as it means that after 10 failed passcode attempts, all of the data on your phone will be erased. This includes all photos, notes, messages and otherwise that aren’t backed up to iCloud or other backup services.
If you choose to turn this option on, and you changed your passcode to an alphanumeric password earlier in this series, make sure it’s a secure one that you will remember.
You should also think twice about enabling this option if, for example, you have kids that might play on your phone, as you don’t want to turn around and find your phone inadvertently wiped.
If your phone is stolen using intimidation and threats, it is unlikely you will feel safe withholding the passcode. If it is snatched from you whilst unlocked, the thief may already have access. In either scenario, simply having set a biometric or alphanumeric passcode is insufficient. Let’s look at better protecting the assets on your phone.
How to lock apps and assets on your phone
So far, we’ve looked at making unauthorised access to the iPhone itself harder. Now let’s consider better protection for your assets once a thief has access to the phone.
This isn’t an exhaustive list, instead it concentrates on key areas which if compromised can have very costly consequences.
Your Apple ID is the account that controls your Apple customer identity and proves your authority to make changes, including accessing your data and recovering your backup. It’s a key piece of your Apple security.
How to protect your Apple ID with an extra passcode
By default, the passcode to authorise an Apple ID password change is the same passcode you use to unlock the iPhone. So, if a thief knows your passcode, they can potentially control your Apple ID and lock you out of it by changing it to a password only they know. It is a core security principle that each password is unique and strong, so we are going to look at how you can add an extra authorisation needed to change your Apple ID password.
TIP 5: Set Screen Time to require separate passcode to change Apple ID
Whilst many of us are aware of Screen Time and the notifications we get to advise us of how much we’ve been using our phones and certain apps, few are aware that it can be utilised as an incredibly useful security measure to prevent thieves from making any changes.
To set this up, we’re going to head to Settings, tap on Screen Time, and turn it on.
Before we click through to any other menu, we’re going to ensure that we have Use Screen Time Passcode enabled. This is what stops anybody changing your screen time settings without a passcode.
Unlike many other settings on an iPhone, your passcode for screen time is independent of your phone passcode, making it a very secure way to restrict access to your apps and settings if a thief has access to your phone passcode.
Tap on use screen time passcode, enter an entirely unique passcode, confirm it, and tap next.
You will be prompted to enter your Apple ID so that in the event you forget your Screen Time passcode, you can recover it. Whilst this may seem like a good idea, we are assuming that your iPhone has been stolen and the thief knows your passcode. With only your phone passcode, a thief can access your Apple ID and will thus have access to your screen time passcode recovery.
So, we are going to leave this blank, and tap Cancel in the top left, and press Skip on the confirmation prompt.
Importantly at this stage, you should record your Screen Time passcode in a secure password manager such as Keeper or a recommended alternative.
Once this is set up, tap through to Content & Privacy restrictions, and tap the toggle at the top to turn it on.
You will see a lot of options for different settings. The one we are going to focus on and use as our example is the Account Changes setting. Quite simply tap through on this option, and change it from Allow to Don’t Allow.
To see this in action, if we completely close out of Settings and reopen it, you will see that you are blocked from making any changes to your Apple ID on your iPhone. Whilst we recommend that you add many layers of security to your iPhone and your Apple ID, this setting is one of the most important things you can do to improve your chances of keeping control of your account if your iPhone is stolen.
To remove the limitation if you need to make changes, go back to Screen time and to Content & Privacy Restrictions, scroll down to Account Changes, enter your unique screen time passcode, and tap allow. Once you’re done making any changes, just remember to turn this setting back to Don’t Allow!
It is worth having a look through this section for other options that can help improve your security, such as disallowing passcode changes or restricting access to certain websites, and working out a system to utilise screen time restrictions that best suits you.
Stopping the Keychain reaction
The more of our login details thieves can gather, the more opportunities they will have to steal from you. They are clever at seeing patterns in passwords, trying them elsewhere and selling stolen credentials via the Dark Web. If this leads to work logins the payday can be even bigger.
iPhones use Apple’s own built-in password management feature called Keychain. This remembers the login details for different types of accounts. By default, the authorisation to view and edit these login details is controlled via Face ID. When Face ID fails the holder of the phone is prompted for the phone passcode. In this instance, a criminal with your passcode now has access to all the logins you have stored in Keychain.
Resolving this probably means quite a lot of time and effort moving your Keychain passwords to a more secure password management solution. We use a solution that gives our staff a free personal licence. In an area where personal and business security overlap, it benefits everyone to encourage good cyber security standards in both our private and working life.
TIP 6: Stop access to your Keychain passwords
Keychain is Apple’s own password manager, and it has a significant yet unavoidable security flaw.
If you try to access your passwords on your iPhone by going to Settings, and scrolling down to Passwords, it will first try to let you in using Face or Touch ID. If that fails twice, it will default to your phone passcode. This is of course an issue if your phone gets stolen and the thief also has your password. Not only do they then have access to your phone itself, but every single password that you have saved on it.
The issue with Apple’s Keychain password manager comes down to the fact there is no way to set a separate passcode, different from your phone passcode, to open it.
Having reviewed my own list of passwords, I have over 300 saved to Apple’s Keychain password manager. If my phone was to be stolen, thieves could have access to my email addresses, my social media, my online banking and so much more. Not only this but I even found multiple friends’ account information saved from when they have borrowed my phone, making this an even greater security concern.
I’m in the process of slowly moving my passwords to a dedicated password manager, which you should also seriously consider. With dedicated password managers you can set up various measures to ensure the highest possible level of security, including Face or Touch ID, a unique password, Multi-Factor Authentication (MFA) and various other options that you can explore. You can also access it from anywhere, unlike Keychain which can only be accessed via an Apple device.
At The Final Step, we use Keeper as our password manager, which also comes with a free personal licence for every user, which is super handy, but there are many other free and paid options out there.
Whilst moving across your passwords to a dedicated password manager may be a daunting task, it’s definitely one worth doing. Start with your most important passwords, such as email, banking and social media passwords. If you have good password hygiene and your passwords are all unique and not duplicated elsewhere, then even if a thief gets access to your phone, they will not immediately have access to your most important accounts.
Once you’ve moved your passwords to a dedicated manager, remember to delete them from Keychain by clicking on an entry, scrolling to the bottom, and clicking Delete.
One of the first things a fraudster will do on your phone is attempt to siphon off as much money as possible using your financial apps.
TIP 7: Protecting your financial apps
There are too many options for us to produce a video tip on all financial apps, but these are the things you should consider.
Do you need to have financial apps on your phone, or could you live with them on another, less mobile, less “at risk” device? If you do need them on your mobile, can you limit their use in a way that reduces your exposure to acceptable losses?
Any financial app or login you keep on your phone should require a unique, strong password different to your phone’s passcode. Ideally, access will only be granted through a combination of biometric and other requirements. Audit your financial apps, look at which ones are essential to keep and consider how strong their individual security settings are and apply them.
In particular, ensure your Face ID does not default to passcode entry for standalone apps, most notably banking and password management apps.
The other important area of mobile security to consider is: if your phone is stolen, have you given yourself the best chance to recover your identity and data?
Improving your ability to recover your data
There is an argument to be made that using iTunes to back up your iPhone is more secure than iCloud. However, most people use iCloud as it is convenient and automated and therefore is much more likely to have an up-to-date version of your data. Most of us don’t have the discipline to perform a regular manual backup often enough to make it a practical option. So, we’ll focus on setting up an iCloud backup.
TIP 8: Set up an iCloud backup on iPhone
Whilst this measure isn’t preventative, having a backup will give you the best chance of restoring your data on a new iPhone should you use one of the previous measures to erase the data on your stolen device.
Head to Settings, and then tap on your name at the top to access your Apple ID settings.
From here we’ll tap on iCloud. At the top, you can see how much iCloud storage you have in total. This will dictate whether or not you’ll have enough storage space for your device to regularly back up automatically, so make sure you keep an eye on this and make space or upgrade your plan to ensure backups can continue.
Now tap on iCloud backup. In this menu, make sure that “Back up this iPhone” at the top is enabled. You can choose whether or not to turn on “back up over mobile data”. Consider this option carefully and only enable it if you have a large or unlimited data allowance.
Enabling “back up this iPhone” means that when connected to WiFi, and data if you select the second option, your iPhone will automatically back up. For me, this regularly occurs at night when I plug my phone in to charge.
At the bottom of this menu, you can review your backups, see which apps have been backed up, and have the option to delete and turn off backup, which we would not recommend.
When performing the initial setup on a new iPhone, you will be given the option to set up from a backup assigned to your Apple ID. You should consider this option only if your Apple ID was not compromised or was successfully restored after a theft.
Apple’s Account Recovery process vs Recovery Key and protecting your Apple ID
Let’s imagine there is no crime, and you just forget your Apple ID password. You used to have to go through a process called Account Recovery. Apple asks for proof of identity to be sent, and they verify the request is from the genuine owner and not some conman. The process takes a long time and there is no guarantee they will accept your proof. Not a very satisfactory process for anyone.
In 2020, Apple introduced the Apple ID Recovery Key, a unique random 28-character code which Apple accepts as proof of ID much more quickly and allows you to recover your Apple ID. But don’t lose it, because if you do and you have lost your Account ID password, you have lost your account – permanently. Make sure you keep it secure in a standalone password manager like Keeper.
The two do not run side by side. If you set up a Recovery Key you no longer have the option to go through Apple’s Account Recovery process. Whilst the Recovery Key has its advantages, there are also some downsides. Thieves want to give themselves as much uninterrupted time and as full access as possible to your phone. They can use the Recovery Key against you to achieve those aims.
If you haven’t set a Recovery Key, a smart thief will set one to lock you out. If you have set one, they will try to reset it to one only they know to lock you out. If you do set a Recovery Key, it is important you also set a unique, strong screen time password to provide an extra layer of authentication to make it harder for them to access and reset your Recovery Key. A criminal resetting your Recovery Key is very bad news indeed.
TIP 9: Set a Recovery Key on your iPhone
A recovery key is a measure that can help you recover your data in the event of a theft, but there are many important factors and caveats you must consider before opting to set up a recovery key, which we will mention throughout this tip and in the accompanying commentary to this video.
Unlock your iPhone and head to settings.
Tap your Apple ID at the top. If you previously restricted access to your Apple ID via the screentime passcode in our previous video, then you will need to disable this momentarily to set up the recovery key feature.
Tap on password and security. And then scroll down until you see the setting for Account Recovery. Tap on this.
As the subtext shows, a recovery key is a 28-character code that you can use to recover your Apple ID if you lose access to your account. We highly recommend that you tap the “Learn more” button to read Apple’s article on the topic to decide whether or not you want to turn this feature on.
To turn it on, tap on the recovery key setting, and then enable the toggle. You will be shown an extra confirmation prompt with vital information. If you choose to turn on recovery key, this puts you in charge of recovering your account should you lose access to your passcode, and Apple will not be able to help you regain access to your account or your data.
Whilst this can ultimately be considered a good idea, there are factors you need to consider before turning this on. If you do not have a recovery key set up and lose access to your phone, you must go through the account recovery process with Apple, where they will hopefully be able to verify you as the owner of the device and the account. This can be a tedious process and may not always be successful.
If you turn on the recovery key, you are able to recover your data by yourself a lot quicker, but you must keep this code protected, ideally in a dedicated password manager such as Keeper, as you lose access to the Apple recovery process in doing so. Ultimately, if you lose your recovery key, you lose all chance of ever gaining access to your account and your data.
We recommend that this feature only be turned on in conjunction with the earlier screentime passcode feature that restricts access to your Apple ID, requiring a unique passcode to make changes. Without the screentime passcode feature set up, a thief can easily access your Apple ID settings and turn your recovery key off. Worse yet, they can then set up a new recovery key, giving you no chance of ever recovering your data.
Often, we take photos of important documents, just in case we lose the originals or to save us carrying them around. It’s handy to have your passport details, driving licence, NI number or other information to hand on your phone.
TIP 10: Delete photos and notes with
We recommend you delete all photos or notes with such information. Criminals use such personal information to steal your identity and act as if they were you. A thief can even use the search function in your Photos app to find these documents in a matter of seconds. If you must have them on your phone, some password management apps allow you to store identities and photos inside the app.
Remember to use an application that has a separate, unique and strong way of authenticating you, so a criminal cannot gain access to your password manager.
The problem of iPhone theft from a business perspective
All of the above is challenging enough for an individual. Unfortunately, it becomes even more complex when we consider the business use of mobile devices, where personal and business security overlap.
Let’s say you are a business that allows personal phones to access work systems and data. If that individual’s phone is stolen, you are relying more than you may be comfortable with on your employee’s personal awareness of and standards around mobile security.
On the other hand, if you are a business that provides staff with company iPhones, you may find that staff associate the device with their personal Apple ID. When they leave, you may struggle to transfer that iPhone to another employee, because as far as Apple is concerned it is a trusted device belonging to an individual. In effect, the company is locked out of its own device.
There is a balance to be struck between personal and corporate devices. Some people don’t want to carry yet another device and want to use their own for work. Others don’t want employers able to control or see anything personal and insist on a separate work device.
Whether you allow people to bring their own device (often referred to as BYOD), insist on issuing devices or a mix of the two, you need to agree on where the line is between personal and professional security with a written policy.
Because policies tend to slip from people’s memories and thieves are inventive, we strongly recommend you support your policy with MDM security software. This automatically enforces your policy on devices, separates work from private data and automates management. Can you imagine having to manually set up the above recommendations one iPhone at a time, and then repeat it all for Android devices?
If you don’t have MDM but want to beef up your mobile device security, email firstname.lastname@example.org to organise a demonstration of how it works.
Security is a journey, not a destination
If I do all of this, am I covered?
Sadly, no security checklist is exhaustive. We have focused on one type of criminal activity that is, as far as reports indicate, currently focused on iPhones because they are a rich target. That doesn’t mean that Android devices are immune or that even a locked iPhone is 100% secure. There are other security issues, for example:
- From a locked screen you may still have access to the Apple Wallet (but you can disallow such access when locked).
- If you have access to a phone, that often gives you access to multi-factor authentication (MFA), which would undermine one of our security layers.
- If you have access to a phone, you often have access to email, which is a primary way to reset passwords.
Developing a security-first mindset is about adding layers of protection to reduce the risks, staying alert as new threats emerge and taking appropriate action. We will do our best to update this page as the crime and protections against it evolve.
Whilst we have focused on iPhones it is important to realise that a lot of the settings above are Apple feature settings. Many can be set on an iPad or a MacBook for example. You need to add similar security layers to those devices. If you had all three items in a bag that was stolen, the criminals would focus on the one with the weakest security.
All of this may seem incredibly daunting, particularly for a business. You may be asking yourself if this crime is even the biggest risk you are facing. Such thoughts are understandable but can lead to complacency. If you are overwhelmed, the best way to take control is to conduct an overall security risk assessment. This identifies your biggest risks and options to mitigate them. Nobody has the money or time to plug all the security holes they face. So, you need a method to ensure your financial investment in security has the biggest impact and reduces the highest risks. Go here to find out more about how risk assessments help with peace of mind and targeted spending.
How to make colleagues aware and improve security
We can deliver this briefing to you and your team in the form of an interactive online Byte-size Security Awareness Briefing. We will also explain how work and personal security intersect and reinforce the importance of having robust BYOD policies and procedures in place. It's an opportunity to introduce or remind people about your own policies.
Contact email@example.com if you are interested in such a briefing. Hopefully the resources listed above will help you if you want to create your own awareness training.