[BreachExchange] Between the hackers and the regulators

Audrey McNeil audrey at riskbasedsecurity.com
Thu Dec 21 18:53:42 EST 2017


https://www.charitydigitalnews.co.uk/2017/12/21/between-the-hackers-and-the-regulators/

Mobile working has become a way of life for many charities – so much so
that it’s difficult to remember all the fuss surrounding the whole Bring
Your Own Device (BYOD) issue. At the time, those who decided on a BYOD
policy took measures to counteract the risks of allowing remote access to
company data from employee devices. For example, they strengthened their
firewalls and introduced tiered systems of mobile access.

As a result, many organisations felt more secure than ever, invincible
even. In reality, the number of security breaches continued to rise.

High-profile victims have shown that nobody is immune. Uber recently
admitted a breach from late 2016 that exposed the personal information of
57 million customers and drivers, and the credit rating agency Equifax and
Yahoo have both added to the shock headlines by disclosing breaches of
their own.

Even Deloitte, the multinational professional services firm, disclosed a
humiliating breach in September this year. It emerged that the compromised
administrator account was protected by a single password, with no
two-factor authentication, which was surprising given that Deloitte was
once named ‘the best cybersecurity consultant in the world’.

A real leveller

It seems cybercrime is a real leveller. Earlier in 2017, the UK government
released the results of a cybersecurity survey which revealed that seven in
ten large businesses had identified a breach or attack. It added that
charities need to do more to protect themselves from cybercrime.

This is not to say that mobile access has been responsible for all these
breaches. However, cyber criminals will always find the weakest links.
Today, mobile devices are increasingly under attack. In fact, in a study
for Check Point software, 20% of companies polled said their mobile devices
had been breached and nearly all (94%) expected the frequency of mobile
attacks to increase.

The problem is the same as with any security control: the more robust the
mobile platforms become, the more sophisticated the malware written to
penetrate them, with spyware keeping pace.

Mobile apps are another target, especially those which let users store
personal details. Increasingly these are used by workers in the field such
as insurance risk assessors, sales reps and customer service agents. They
can hold significant amounts of data – often customer information and
personal details – and an app that keeps that data on the device without
proper protection is an attractive target for an attacker.

At the same time, many charities are migrating their data to the cloud,
which brings a whole new set of concerns. They need to ensure that the
cloud provider’s security at least matches their own, and to remember that
outsourcing the processing does not outsource the responsibility: a charity
that forwards personal data to a cloud service remains liable for the
security of that data.

All these issues are coming to a head as the May 2018 deadline for
compliance with the new General Data Protection Regulation (GDPR)
approaches. Organisations now face being hit from two sides – the hackers
and the regulators. With penalties of up to €20m, or 4% of global annual
turnover if that is higher, it is difficult to know which is the greater
threat. Gartner appears to agree, noting that, “by 2019, 30% of
organisations will face significant financial exposure from regulatory
bodies due to their failure to comply with GDPR requirements to protect
personal data on mobile devices.”

Point of no return

Yet we have passed the point of no return when it comes to remote and
mobile working. Denying employees access to corporate data when out of the
office would be akin to surrendering to the competition, so great are the
productivity gains.

So how can businesses – and especially small businesses without a huge IT
department – exercise ‘due diligence’ and protect their data to the
required levels? As I see it, there are four main areas to consider:

1. Is security housekeeping up to date?

Applying patches promptly would have prevented most of the damage from the
recent WannaCry ransomware attack: Microsoft had fixed the SMB vulnerability
it exploited two months before the outbreak. That is easier said than done
for many hard-pressed small businesses, where patching is seen as a hassle.
Even so, making sure operating systems and applications are patched, the
latest anti-virus and anti-malware software is in place, and firewalls and
gateways are up to date is a vital first step to protecting data.

2. Protect against data leakages

A mobile security strategy should be developed. This should include who can
access what, a policy on mobile apps and storage of confidential company
details – not just on mobile phones, but also on laptops, tablets and USB
sticks which can be easily mislaid.

Education is key here. For example, some people like to save work in
multiple locations to ensure accessibility and to know there is a back-up.
But every extra copy is another place the data can be lost or stolen. If a
laptop whose disk is not encrypted is left on a train, its contents are
open to anyone with the basic skills needed to bypass the login screen.
Any file-sharing applications used to make the extra copies could also be
compromised.

Employees should be made aware of potential security threats and be
responsible for ensuring passwords are strong and they carefully manage and
protect both their own personal data and the company information entrusted
to them.

Businesses should protect other potential weak spots such as mobile
printing. If documents are sent to print from a mobile phone to an office
printer, they can easily end up in the wrong hands. Businesses should use
printers that hold documents until the user authenticates at the device
with a PIN code or other credential, and should encrypt print jobs in
transit.

3. Put the right authentication processes in place

Adaptive authentication, which takes account of parameters such as the
sensitivity of the data requested and the device being used, can give
employees easy access to low-risk data while keeping a company’s
confidential information open only to those with the right authority and
trust.

This may mean that access to some parts of the network requires only a
single password, whereas reaching HR data, for instance, requires
two-factor user authentication and a digital certificate, even for the same
user.
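The tiered policy described above, worked through as an added example that is not part of the original article: each resource carries a minimum set of authenticators, a session records which authenticators the user has actually completed and when, and the same user is let through to low-risk data on a password alone but is challenged for a second factor and a device certificate before reaching HR records. The resource names, factor names, device-posture flag and time limits are assumptions made for the illustration.

```python
"""Step-up (adaptive) authentication policy evaluator.

Added example, not code from the article or any product it mentions.
Resource names, factor names and the managed-device flag are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, Optional


class Factor(Enum):
    PASSWORD = "password"
    TOTP = "totp"                 # one-time code from an authenticator app
    CLIENT_CERT = "client_cert"   # certificate enrolled by device management


@dataclass(frozen=True)
class Policy:
    required: FrozenSet[Factor]           # factors the session must have completed
    managed_device_only: bool = False     # refuse unmanaged (BYOD) devices outright
    max_age_seconds: Optional[int] = None  # required factors must be this fresh


# Hypothetical resource catalogue; sensitivity rises down the list.
POLICIES: Dict[str, Policy] = {
    "intranet/news": Policy(required=frozenset({Factor.PASSWORD})),
    "files/shared": Policy(required=frozenset({Factor.PASSWORD, Factor.TOTP})),
    "hr/records": Policy(
        required=frozenset({Factor.PASSWORD, Factor.TOTP, Factor.CLIENT_CERT}),
        managed_device_only=True,
        max_age_seconds=900,   # re-challenge after 15 minutes
    ),
}


@dataclass
class Session:
    user: str
    managed_device: bool
    completed: Dict[Factor, int] = field(default_factory=dict)  # Factor -> unix time


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    step_up: FrozenSet[Factor] = frozenset()  # factors the user must still complete


def authorize(session: Session, resource: str, now: int) -> Decision:
    """Decide whether the session may reach the resource, or which factors are missing."""
    policy = POLICIES.get(resource)
    if policy is None:
        return Decision(False, "unknown resource: deny by default")
    if policy.managed_device_only and not session.managed_device:
        # Device posture is checked before factors: no step-up can fix an unmanaged laptop.
        return Decision(False, "managed device required")
    missing = policy.required - set(session.completed)
    if missing:
        return Decision(False, "step-up required", frozenset(missing))
    if policy.max_age_seconds is not None:
        stale = {f for f in policy.required
                 if now - session.completed[f] > policy.max_age_seconds}
        if stale:
            return Decision(False, "re-authentication required", frozenset(stale))
    return Decision(True, "ok")


if __name__ == "__main__":
    # Constructed walk-through: Alice logs in with a password on a managed laptop.
    now = 1_700_000_000
    alice = Session("alice", managed_device=True, completed={Factor.PASSWORD: now - 60})
    for res in POLICIES:
        print(res, authorize(alice, res, now))
    # After completing TOTP and presenting the device certificate she reaches HR data.
    alice.completed[Factor.TOTP] = now - 30
    alice.completed[Factor.CLIENT_CERT] = now - 30
    print("hr/records", authorize(alice, "hr/records", now))
```

The point of the ordering inside `authorize` is that device posture is a hard gate while missing factors are a recoverable condition: the caller can turn a `step_up` set straight into the next challenge to present, whereas an unmanaged device is simply refused for the most sensitive tier.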

4. Security at every point

An increasing number of organisations are implementing several layers of
mobile security to plug every vulnerability. This can include mobile device
management, mobile application management as well as anti-malware and
anti-ransomware.

There’s no one size fits all here, just a policy of adding protection at
any weak point.

At the same time, none of these measures should stop the mobile worker from
doing their job as efficiently and productively as possible; otherwise all
the advantages of mobile working will be lost. It is a balance between
benefits and responsibilities, and only those who get it right will win out
in the end.