Protecting Mobile Devices
Why Should You Protect Your Mobile Device?
Mobile devices such as tablets, e-readers, and smartphones can store important business and personal information, and are often used to access university systems, email, banking information, and work and personal accounts. When this is the case, they need to be protected like any other computer. Every day, mobile devices are lost, stolen, and infected.
All devices connecting to UC Santa Cruz’s network or services must meet UC and UCSC security requirements. Most importantly:
- Don’t work with sensitive UCSC information on a mobile device unless you can ensure the device meets UCSC’s security requirements.
- P3-P4 data stored on mobile devices must be encrypted. This includes email, text messages, instant messages, documents, removable storage cards/devices, etc. Electronic protected health information (ePHI or "HIPAA data") must be encrypted on portable devices and may not be stored on non-university devices.
- Keep all stored passwords in an encrypted password manager. Avoid using auto-complete features that remember usernames or passwords.
- Make sure you have a secure (encrypted) connection before working with sensitive data. Use known, encrypted networks, such as UCSC’s eduroam Secure Wireless and Campus Virtual Private Network (VPN), which are available to UCSC students, researchers, faculty, and staff.
How Do You Protect Your Mobile Device?
A good rule of thumb is not to store anything you're not willing to lose or do not want to share with the world on a mobile device. That said, the following steps can help protect information on your mobile device:
- Keep your mobile device with you or lock it up securely before you step away -- even just for a second. See Physical Security for more information.
- Don't store sensitive information. Encrypt your device or sensitive contents if you do.
- Password-protect your mobile device with a complex password, and be sure your device requires a password to start up or resume activity.
- Run current versions of the operating system and applications. Remember to sync often so you get available updates. Always install updates when your carrier tells you they are available.
- Beware of scams. Don't open files, click links, or call numbers in unsolicited emails, text messages, or instant messages (IMs).
- Securely delete all contents before discarding, exchanging, selling or donating the device.
Some additional steps may require configuration/setting changes:
- Set your device to automatically lock after a short period of inactivity.
- Activate your device’s built-in firewall or access control functionality. Default settings are typically acceptable for most people.
- Disable or remove applications (apps) and plug-ins that you don't actively use.
- Disable Bluetooth, wireless, and Infrared Data Association (IrDA) when you're not actively using them.
- Turn off GPS and geotagging when you're not actively using them. These can allow your location to be tracked without your knowledge.
- Set devices to “ask” before joining new wireless networks. Periodically go through your device's list of known wireless networks and delete ones no longer needed (usually found under network, wireless, or airport settings).
- Set your device’s browser to block pop-ups. For added privacy, also set the browser to limit the cookies it accepts.
- Set your device to erase itself after repeated failed log-on attempts.
- Display a "call if found" phone number on your lock screen.
Additional browser security recommendations are available at Web Browser Secure Settings, though not all features are available on mobile browsers.
For customized advice on how to protect your mobile device, see the Smartphone Security Checker from the Federal Communications Commission (FCC).
What Should You Do If Your Mobile Device Is Stolen?
If your mobile device is stolen, it is most important to:
- Report the loss or theft of devices used for work to the ITS Support Center so they can help identify and address potential compromised accounts or data, including compromised P3 or P4 sensitive data, which requires additional action on the part of the university.
- Review the “Checklist for Lost or Stolen Mobile Devices” on the Report a Security Incident page.
It is also important to consider the following:
- What stored data was stolen (both work and non-work)?
- What stored passwords were stolen?
- Does whoever has the device also have your 2-step authentication (MFA) codes?
- What other accounts and services might have been compromised? (credit cards, bank accounts, work accounts, Dropbox, Facebook, etc.)
- Did you lose your only copy of anything important?
Get Help
If you have questions, contact the ITS Support Center or your ITS Divisional Liaison.