The technological revolution that has taken place over the last few decades has seen the business computing and consumer sectors develop in tandem. There is now growing evidence that they may now be on a collision course as the “always-on” demands of the consumer market conflict with the cybersecurity needs of businesses.
Organizations, particularly those with a bring-your-own-devices-to-work (BYOD) policy, need to take into account the social networking habits of younger staff members if they wish to prevent their corporate networks being compromised.
People born between the early 1980s and the early 2000s, the generation sometimes referred to as “millennials”, have grown up in the digital age and many use their smartphones at work, at rest and at play. According to PwC, by 2020, half the workforce will be millennials.
In delivering its 1990s dream of anything, anywhere, anytime, the IT industry has created mass consumer devices designed for professional as well as personal use. The more functions handheld devices can perform, the more potential security breaches appear.
The danger is that firms employing BYOD policies will inadvertently create a “shadow” IT universe formed by employees downloading applications and services from untrusted sources and which run independent of any in-house cyber safeguards. Encryption of sensitive data can only be seen as a partial safeguard since malware can still be transmitted from an unknown source even when communications are encrypted. Unknown twitter links, malicious apps, compromised wi-fi hotspots and a host of other threats now lie beyond the control or even awareness of the IT manager.
The uploading of corporate ransomware is becoming an increasingly profitable business with organised criminal gangs (OCGs), terrorist groups and even nation states extorting billions from Western companies. For example, according to BAE Systems, a North Korea-linked cybercrime ring Lazarus, suspected of raiding Bangladesh’s central bank last year may also have been responsible for the recent theft of US$60 million from a Taiwanese bank.
In order protect themselves, the first step companies must take is to compile a comprehensive inventory of all the devices connecting to the corporate network. Where possible, external allocations and services should be replaced with in-house secured versions of similar software. Failure to regain control of this “shadow” IT universe will cost some firms dear.
At the same time, there is widespread misconception among users and the organizations many of them work for that smartphones are somehow more secure than PCs when the reverse is true.
A vulnerable operating system represents a very real threat to corporate security when staff store not only personal identifiable information (PII) but also work-related credentials on their smartphones. NATO, for example, recently admitted that there had been a series of attempts aimed at hijacking soldiers’ smartphones to monitor troop movements.
Android’s great rival, the Apple OS, is also rapidly introducing weaknesses as the Cupertino-based manufacturer packs ever more features and functions into its smartphones. Apple iOS 11 has a control center with a switch to turn off Bluetooth and wifi but according to recent reports, phones running the new OS still connect to wifi and Bluetooth, even after the user has turned those functions off. This is thought to be a result of Apple’s assertions that constant connectivity is essential for features such as AirDrop and AirPlay.
The Apple iOS 11 also introduced the ability to use the device’s camera to natively scan Quick Response (QR) codes on Apple devices without the need for third-party applications, meaning that users are effectively only one tap away from uploading nefarious content. QR codes interacting with the calendar, map, phone and browser are performed immediately after the initial tap of the QR notification.
Recent vulnerabilities such as those inherent in Apple iOS 11 are in addition to existing smartphone vulnerabilities. These include hackers gaining access to a phone’s camera and microphone to spy upon the user even when the phone is turned off. Nor are most smartphone users fully aware of the risks they run when connecting mobile devices to untrusted wifi networks in public places. Business travelers run a particularly high risk of a “man-in-the-middle” attack where a threat actor uses technology now widely available online to spy on communications taking place across a wifi network in locations such as a hotel lobby or an airport.
With a rapidly-growing number of devices and household appliances now being connected to the internet, smartphones used for both leisure and business are increasingly in danger of being compromised by malware from a whole new range of sources.
Given the broadening threat landscape now confronting smartphone users, companies which either have a BYOD policy or allow staff to use company smartphones for personal use should urgently review their security protocols.
If staff are to be allowed to continue using smartphones for company and personal communications, then a decision must be made concerning which functions and apps they are permitted to deploy alongside critical corporate data.