8 best practice tips for mobile security and IoT use

The Apple FaceTime bug, discovered at the end of January and patched on February 7, showed us another risk to our privacy and the security of our data. It also shined a light on two security awareness campaign topics every organization should consider – mobile security and Internet of Things.

To recap, the Apple FaceTime bug opened up the potential for eavesdropping on an unsuspecting person using the Group FaceTime application. Apple shut down the Group FaceTime function prior to issuing a patch for the bug on February 7.

Risks increase with how much connectivity and integration you have across devices and applications. This applies at home and in the workplace, where digital assistants (Alexa, Google, Siri, etc.) are growing in use to boost collaboration and productivity, schedule reminders and meetings, and generally automate and simplify daily work tasks. Risks escalate in an office environment where confidential information, such as finances, business strategy and product plans, is regularly discussed in meetings where cell phones or digital assistants are present in the room.

“We want to embrace technology and reap the benefits it offers, but we have to do it responsibly and understand the risks that accompany various devices and services,” said Theo Zafirakos, Chief Information Security Officer and CISO Coach, at Terranova Security. “Adding a campaign on mobile and IoT devices to a security awareness program helps employees understand the associated risks and educates them on how to exercise due diligence and use best practices.”

Best practices for mobile security and IoT use

We live in a world that’s becoming more digitally connected by the minute. We also share more information – personal and professional – across those digital connections. As you think about your next cyber security awareness campaign, consider a focus on mobile and IoT risks and the best practices to limit those risks.

Always apply operating system updates and patches when available. Unpatched and out-of-date systems are the cause of serious vulnerabilities. For example, Equifax suffered a devastating attack because it failed to patch a vulnerability in the Apache Struts framework, resulting in a breach of more than 146 million customer records.

Monitor your command log to see if there was any unauthorized activity or transactions. Just like you monitor your credit card statements for unusual or unknown transactions, monitor your devices for activity you don’t recognize.

Minimize location access and think before you share information. We readily share a lot of information online, across devices and within social networks. That data can be used in spear phishing campaigns or other social engineering attacks. Assess what you’re sharing and with whom to determine if you’re over-sharing data that isn’t required.

For any IoT device, such as a Nest Cam, change the administrative password for the device. Default administrative passwords are easily compromised, with many vendor default passwords for devices published online. In fact, the issue is so serious that the State of California has passed a law requiring “unique, secure passwords for all devices sold in the state that come with pre-programmed passwords by 2020.”

Turn off or unplug your device when it is not in use. There’s no way to eavesdrop or secretly gather information when a device isn’t operating. When possible, unplug cameras, digital assistants and smart TVs.

Lock down non-essential features of corporate-issued mobile devices. Today’s mobile devices come pre-loaded with plenty of functionality your employees may not need. Just as when issuing a computer, only allow access to the features and applications required for their roles and to get their jobs done.

Don’t use your mobile or IoT device for communicating sensitive data. Think about how you discuss personal, private and sensitive information. Some topics are not meant to be discussed in public settings and that could extend to the devices present or used during those conversations.

Don’t install digital assistants where you are working – at home or in the office. If you can’t turn off or unplug your digital assistant (or you don’t want to), don’t place it in the room where you have work-related phone calls or meetings. These devices, however useful they may be, are also still early in their development. More than one has shared personal information with the wrong people. Ultimately it comes down to risk. Base your use of personal digital assistants on the risk you’re willing to take.


The rate of change in technology is moving faster than security can keep up with. Despite all attempts to build security in from the beginning, there are bad actors looking for ways around, over and through the defenses put in place to protect private information and personal data.

By making sure your employees are security aware and have the education needed to use best practices and recognize scams, you’re on your way to a safer work environment using the latest productivity technology.

Tips from a Security Awareness Coach

What can organizations do to protect themselves and their employees from the risk associated with mobile devices?

  • Incorporate security awareness training on mobile devices and IoT into your awareness program
  • When providing new mobile devices to your employees take the opportunity to communicate best practices
  • Leverage the latest events affecting mobile devices to create relevant and timely phishing simulation scenarios
  • Lock down, when possible, non-required features of corporate mobile devices
  • Establish an internal policy on the use of digital assistants and IoT in the workplace and inform your employees

