Apple's New 6-Digit Passcodes: What Do They Mean for Your BYOD Policy?

Apple’s release of iOS 9 last month has done us all a tremendous public service: It's brought mobile security into the spotlight for small businesses.

The new version changes the default passcode lock from a four-digit to a six-digit PIN. That matters most for businesses with a "bring your own device" (BYOD) policy, which lets employees work from their personal laptops, smartphones and tablets, since those devices usually sit outside the company's direct control.

A six-digit PIN makes the device dramatically harder to brute-force. Adding just two digits to the default raises the number of possible passcodes from 10,000 to one million, a hundredfold increase. The key space is only half the story, though: iOS ties the passcode to a key held in the device's Secure Enclave, so each guess has to be made on the device itself at a fixed cost per attempt, and the lock screen imposes escalating delays after repeated failures (with an optional wipe after ten). That is why the brute-force estimates quoted below are measured in minutes and years rather than seconds.

Beyond this welcome gain for iPhone users, the iOS 9 change has prompted many businesses to question how they handle mobile device security overall. New research from IBM Security found that the great majority of businesses don't secure their employees' devices with even the most rudimentary controls.

Among businesses that enforce passcodes on employee devices at all, 87 percent require only a numeric PIN. Of those, 79 percent mandate the bare minimum, a four- or five-digit numeric passcode. The iOS Hacker's Handbook estimates that a four-digit PIN can be brute-forced on the device in about 18 minutes.

A six-character alphanumeric passcode, by comparison, would take the same attack up to 196 years.

This minimalist attitude toward mobile security persists even as the value of company records grows: the average cost of a lost or stolen record containing sensitive or confidential information rose this year to $154, reflecting the rising threat from cybercriminals who treat mobile as an attack vector.

Apple's move could nonetheless be the catalyst that brings mobile security into focus, especially for small businesses that cannot absorb the cost of a data breach. BYOD took hold largely because of the simplicity, flexibility and convenience mobile provides, so it is encouraging that as device security evolves, the industry is also making it simpler for users to protect themselves, for example through Touch ID. Fingerprint unlock does not replace the passcode (the passcode is still required after a restart and still protects the device's keys), but it removes most of the day-to-day friction of a longer one.

Making security strong yet simple is critical to an effective defense. A recent Ponemon Institute study found that many workers don't understand the risk an insecure mobile device poses to their employer, which leads them to look for workarounds. Millennials in particular, who by 2020 will make up roughly 50 percent of the U.S. workforce, have grown up with technology at their fingertips; if extra protective steps prove to be a hassle, they will reject them or find a way around them.

In fact, the younger generation's comfort with mobile and social can lead them to take unnecessary risks, such as installing new, unvetted apps or connecting to untrusted Wi-Fi hotspots. A recent survey found that 56 percent of millennials were fine with downloading apps without reading the permissions they request. That is worrying given that IBM recently found nearly 40 percent of companies that ship mobile apps to customers aren't properly securing them, which leaves attackers a wide opening.

Apple's latest security features raise the bar for device-level attacks, but device-level security is only the start of the conversation. The move to six-digit passcodes is expected to prompt nearly 80 percent of companies to update their BYOD policies, and it also gives organizations, small businesses especially, an opening to think more carefully about how to protect and manage data on mobile devices along the entire path it travels: from device to network to application and beyond.

The key to successful implementation is to develop employee-focused security policies collaboratively, so that they keep pace with the evolving mobile technology and threat landscape. To get started, here are three best practices to consider:

  1. Many employees don't understand the risks of using unsecured mobile devices and apps, and most are never trained on mobile security in the workplace. Communicating those risks is the first step.
  2. Regardless of generation, industry or job, most people want to balance ease of use with protection of their data. Require passcodes on employee mobile devices, enforce that requirement through device management rather than trusting each user to set it, and where the hardware supports it let employees use Touch ID so that a longer passcode doesn't cost them convenience.
  3. Investigate ways to strengthen the security of data on the device itself, and use tooling that can inventory installed apps, detect malicious apps and malware, and take action (quarantine, block or wipe) when something is found.

Overall, flexibility is key to accomplishing mobile security goals. Giving employees the freedom they want in how they use mobile should be a priority, as long as it's done securely enough to hold up against increasingly organized and capable attackers.