New study: Defending mobile devices for high level officials and decision-makers

The NATO Cooperative Cyber Defence Centre of Excellence is proud to publish new analysis on security risks use of smartphones by decision-makers poses. The study outlines the risks and ways of mitigating them.

Defending mobile devices for high level officials and decision-makers

Smartphones are an inevitable presence in everyday life. High-level officials and decision-makers use mobile devices to handle and store sensitive information that should be protected as well as possible.

However, those mobile devices are fundamentally unsecurable – it is impossible to have absolutely secure systems, even if users follow security policies. In addition to possibly poor cyber hygiene, such as free games that use malicious advertisements or inadequate settings in social network services, mobile devices can often be compromised without the user’s knowledge. This could lead to disclosure of personal information or sensitive data with dire political and national consequences. Additionally, offensive campaigns can be staged against decision-makers through compromised mobile devices that can have detrimental effects. 

This study describes and analyses threats and risks related to mobile device usage scenarios and presents countermeasures and mitigation mechanisms for them. This is done by analysing several public documents including security guidelines, checklists, security controls, presenting features of existing products (such as secure smart phones) and work of security researchers. In addition to these, new countermeasures and recommendations are presented.

The reader should be aware that there is no single rule to follow and no single security countermeasure that would mitigate all the risks related to mobile devices. Several risk mitigation techniques exists, and by combining them, the security of the whole system increases.

The detailed recommendations presented in this study include, but are not limited to:

  • Improving  user security awareness;

  • Reinforcing security policies;

  • Strong authentication;

  • Monitoring accesses and behaviour of users and devices;

  • Encrypt media and communication.

The full report can be accessed through