Mobile security can be a weak link for charities when it comes to both cybercrime and compliance, says Alistair Millar of Altodigital
Mobile working has become a way of life for many charities - so much so that it’s difficult to remember all the fuss surrounding the whole Bring Your Own Device (BYOD) issue. At the time, those who decided on a BYOD policy took measures to counteract the risks of allowing remote access to company data from employee devices. For example, they strengthened their firewalls and introduced tiered systems of mobile access.
As a result, many businesses felt even stronger than ever – invincible even. However, in reality the number of security breaches continued to rise.
High profile victims such as Uber, which recently revealed being hacked late 2016, exposing the personal information of 57 million customers and drivers, the credit rating company Equifax and Yahoo have contributed to the shock headlines by admitting their own breaches and showing that nobody is immune.
Even Deloitte, the multinational professional services firm, suffered a humiliating security attack in September this year. It came to light that the company wasn’t using two-factor authentication which was surprising as Deloitte was once named as ‘the best cybersecurity consultant in the world’.
A real leveller
It seems cybercrime is a real leveller. Earlier in 2017, the UK government released the results of a cybersecurity survey
which revealed that seven in ten large businesses had identified a breach or attack. It added that charities need to do more to protect themselves from cybercrime
This is not to say that mobile access has been responsible for all these breaches. However, cyber criminals will always find the weakest links. Today, mobile devices are increasingly under attack. In fact, in a study for Check Point software, 20% of companies polled said their mobile devices had been breached and nearly all (94%) expected the frequency of mobile attacks to increase.
The problem is similar to all security weaknesses. The more secure and robust the mobile operators make their systems, the smarter the criminals become in creating malware to penetrate them – with spyware becoming equally sophisticated.
Mobile apps are another target, especially those which enable users to store personal details. Increasingly these are being used by workers in the field such as insurance risk assessors, sales reps and customer service agents. They can store significant amounts of data – often customer information and personal details – and are extremely vulnerable to hackers.
At the same time, many charities are also migrating their data to the cloud and bringing a whole new set of concerns. They need to ensure that their security is at least mirrored by that of their cloud provider. If a company is using cloud services, they are themselves still liable for the security of any data forwarded to those services.
All these issues are currently coming to a head as the deadline for compliance with the new General Data Protection Regulations (GDPR) in May 2018 comes closer. Now organisations face being hit from two sides – the hackers and the regulators. With the promise of severe penalties of up to £20m, it’s difficult to know which is the greater threat. Gartner appears to agree, noting that, “by 2019, 30% of organisations will face significant financial exposure from regulatory bodies due to their failure to comply with GDPR requirements
to protect personal data on mobile devices.”
Point of no return
Yet, we’ve come down the road of no return when it comes to remote and mobile working. To deny employees access to corporate data when out of the office could be akin to surrendering to the competitors, so great are the productivity gains.
So how can businesses – and especially small businesses without a huge IT department – exercise ‘due diligence’ and protect their data to the required levels? As I see it, there are four main areas to consider:
1. Is security housekeeping up to date?
Updating patches regularly would have negated many of the problems associated with the recent WannaCry ransomware attack
. Easier said than done for many hard pressed small businesses where patching can be seen as a hassle. However, making sure the latest anti-virus and anti-malware software is in place and firewalls and gateways are up to date is a vital first step to protecting data.
2. Protect against data leakages
A mobile security strategy should be developed. This should include who can access what, a policy on mobile apps and storage of confidential company details – not just on mobile phones, but also on laptops, tablets and USB sticks which can be easily mislaid.
Education is key here. For example, some people like to save work in multiple locations to ensure accessibility and to know there is a back-up. But this doubles or trebles even the vulnerable spots. If the laptop is left on a train, it could fall prey to anyone with the basic skills needed to break into it. Any file sharing applications used could also be compromised.
Employees should be made aware of potential security threats and be responsible for ensuring passwords are strong and they carefully manage and protect both their own personal data and the company information entrusted to them.
Businesses should protect other potential weak spots such as mobile printing. If documents are sent to print from a mobile phone to an office, they can easily then get into the wrong hands. They should ensure to use printers that hold documents until a user enters the right PIN code or other authentication and use encryption.
3. Put the right authentication processes in place
Adaptive authentication based on certain parameters can ensure that while employees have easy access to low risk data, a company’s confidential information is kept safe and only access by those with the right authority and trust.
This may mean that access to some parts of the network require only a single password, whereas reaching HR data, for instance, requires two-factor user authentication and a digital certificate, even for the same user.
4. Security at every point
An increasing number of organisations are implementing several layers of mobile security to plug every vulnerability. This can include mobile device management, mobile application management as well as anti-malware and anti-ransomware.
There’s no one size fits all here, just a policy of adding protection at any weak point.
At the same time, all these measures can’t prevent the mobile worker from doing their job as efficiently and productively as possible – otherwise all the advantages of mobile working will be lost. It’s a balance between benefits and responsibilities and only those who get it right will win out in the end.