Are Your Employees’ Old Phone Numbers Creating Vulnerabilities?


In the last hour, I’ve used my phone to take pictures of my teenagers, spy on my dogs while I was out of the house, pay my electric bill and watch a funny video. Then, while buying some new dish towels (yet another use), I used my phone as an identity document without even realizing it — and I may have increased my cell phone security risk at the same time.

Why Cell Phone Security Matters at Work

Because I forgot my password to the online store, I had to reset my password. When they sent a code to my cell phone for multifactor authentication, I clicked on the link without a second thought. I clicked on it and went on my merry way to buy the new towels. While I’ve been a long-time fan of two-factor authentication because research shows it reduces attacks, especially credentials and brute force attacks, I recently learned that the process has some downsides. By clicking on the link, I used my phone to verify my identity. That allowed the company to tie my phone to the account, which creates a risk.

As long as I don’t change my phone number, it’s not much of an issue. But if I do change my number, it will eventually be assigned to someone else. That someone could take over my accounts. A recent study by Princeton University found that 100 of the 259 phone numbers they tested had linked login credentials on the internet, and that mobile carriers have weaknesses that make recycled numbers vulnerable. You may think that you’d eliminate the risk by wiping your old cell phone free of data. However, you also have to delete the phone number from all the websites that are connected to it. Those could number in the hundreds.

How Abandoned Numbers Increase Risk

Reading the recent study made me start thinking about cell phone security, and specifically the risk abandoned cell phone numbers cause businesses. Any time an employee accesses the network or a business-related account from their mobile phone, their phone becomes an identity document. If an employee accessed their email, a criminal now has access to their email server. They might even have access to all customer information, if the employee updated the company customer relationship management software from their phone. Or, imagine if the employee used their phone to access a corporate account on a retail site. Now, a cyber criminal can go shopping on the company dime. Or worse, steal any credit card information that’s saved.

Why Change Phone Numbers?

When I first read about this vulnerability, I brushed it off. Most people don’t change their phone numbers very often. I’ve had the same number for 13 years and plan to have it for the rest of my life. The prospect of changing it after all these years would be a major headache. But I realized that there are some very valid reasons that people change their phone numbers, including:

  • Divorce
  • Being stalked or harassed
  • Leaving a job where the phone number belonged to their employer.

The expected long-term increase in remote working changed everything. Employees are likely to use their personal mobile phones for business more often than they did before the pandemic. That increases many different types of cybersecurity risks for companies. Businesses need to address this cell phone security issue and create a plan for reducing their risk. It may be tempting to say employees must only use work phones to access sensitive data. But, all your employees are not likely to comply. The better route is to figure out a way that works for your employees and keeps your organization safer.

Reducing Cell Phone Security Risks From Discarded Numbers

The issue gets sticky since the employee is using their own mobile phone. You have a bit more control if you pay a portion or all of their cell phone bill or have a bring-your-own-device (BYOD) security policy. While you cannot totally eliminate the risk, here are some ways you can reduce your risk. They’ll at least have a better picture of it, in terms of abandoned phone numbers:

  1. Know who is using personal phones to access work accounts. You are at the highest risk when you don’t have a full picture of possible vulnerabilities. It’s almost certain that your risk has increased in this area since the pandemic began. You can’t know for sure until you gather the data. Require each employee to report what devices they use to access business-related servers and accounts. Make sure employees know they aren’t going to be in trouble for doing this. You just need to know how they are accessing what they need for work so the business can protect itself.
  2. Update your BYOD policy to include abandoning phone numbers. If you don’t yet have a BYOD policy, creating one should be your first priority. If you have a BYOD policy in place, update it with any changes that make sense based on your post-pandemic work arrangement. This is especially important if you allow a permanent fully remote or hybrid work environment. Be sure to include a requirement that employees notify the company if they are abandoning a phone number they used to access business accounts. Your cybersecurity team can meet with employees as appropriate. From there, they can evaluate the risks each employee’s phone may incur and decide the best plan to mitigate the risks.
  3. Make sure corporate-owned phone numbers are only recycled internally. If some employees are using phones your business owns, you have control over what happens with them. Because the risk forms when someone outside the company obtains those phone numbers, make sure you don’t abandon those numbers. Instead, reassign them to the next person who needs a corporate phone number.  
  4. Park the phone number. You can also pay an outside service a few dollars a month to keep the number active. That way, the carrier cannot assign it to another person or business. While this works pretty easily for corporate phone numbers, you can also offer to pay for this service for employees who are changing their personal phone numbers.
  5. Provide corporate phones for high-risk employees. If you have employees who regularly access accounts that are high-risk, such as ordering from retail sites, consider purchasing corporate phones specifically for their use. This tactic should only be used in rare situations, since most employees’ phones can be kept secure using mobile device management and other protections.

Cybersecurity often involves balancing security with productivity, which is especially true when it comes to cellphone security. You want employees to be able to work from wherever they need to, but also keep your company’s data and infrastructure secure. By taking the time to understand and prevent risks from abandoned numbers, you can reduce your vulnerabilities and risk.

The post Are Your Employees’ Old Phone Numbers Creating Vulnerabilities? appeared first on Security Intelligence.