The increase in the number of high-quality Wi-Fi connections has made it easier to work from anywhere. Even just a few years ago, the fixed desktop with an Internet connection was still the norm. Today, various mobile devices enable company staff to work in different locations so they no longer need a permanent desk. Mobile staff can share data with their coworkers – but this process needs to be secure, writes Mark Edge, UK country manager at Brainloop.
The physical location is not the only aspect of work that is becoming more flexible. Bring Your Own Device (BYOD) is standard practice in many areas today. Staff can work on the devices they are familiar with – meaning that personal laptops, tablets and smartphones will need to be integrated into the corporate network. However, this brings a security risk with it, as each employee may be working with company data on their own personal device. These devices may have security vulnerabilities that enable unauthorised people to access the data – or even the corporate network.
Despite this, it is possible for staff to work securely with their own devices. First, the company should clarify the legal questions, such as the extent to which its employees are allowed to access internal network services and whether they can work with and save company data on their devices. The firm may also want to enforce technical security measures. In these cases, it needs to ensure security wherever the data is being used and stored, and secure the data transmission itself. For example, a company could stipulate that the only devices permitted are those that access the internal network using a secured VPN connection and that hard disks are encrypted. It could also limit access to certain services. Users’ devices would then act as a terminal for a trustworthy cloud application that provides staff with a secure data room.
Practical but non-secure apps
A particularly sensitive point is the use of the mobile apps that are in widespread use on smartphones and tablets. Many of the free, business-oriented storage applications advertise the fact that they offer modern file management with a generous amount of storage space that centralises documents in the cloud. There are also so-called productivity apps that let users sketch out ideas, collect information and make notes that can be shared and worked on with coworkers. But how secure are these cloud applications? Who has access to the data stored on the cloud servers? Is the data transmission secure between the cloud computer and the mobile device? And does the app only use the data it really needs?
These questions are justified, as recent research results show. Researchers at the Fraunhofer Institute for Secure Information Technology (SIT) found that three-quarters of the most popular business apps do not meet companies’ security requirements. And IT specialists at Germany’s University of Bremen found that many apps require more permissions than they need. When researchers at the Fraunhofer AISEC institute tested 10,000 of the most popular Android apps, they found that 91 per cent require permission to connect to the Internet without the user being told why. Most of the apps tested sent personal data to servers around the world as soon as the app was started, without asking the user. The researchers were also surprised to note that two-thirds of the apps sent the data in unencrypted form.
So what can companies and users do to control this unwanted data leakage from mobile apps? A new study by DIVSI (the German Institute for Trust and Security on the Internet) examined the four main mobile operating systems. It concluded that apps running on a standard Android operating system have the most flexibility in terms of accessing data, whereas with iOS and BlackBerry users can withdraw access permissions from the apps and reinstate them later as required. Android and Windows do not offer this option.
These limited control options show that companies operating a BYOD strategy must make it a priority to provide staff with a secure collaboration and communication tool.
The risk of data misuse is not trivial. A new, representative survey on industrial espionage by the management consulting firm Corporate Trust estimates the losses to German business at 11.8 billion euros per year. Two years ago, the estimated figure was only a third of what it is now. “We’re probably already in Cybergeddon,” says the study leader Christian Schaaf. “We can only hope that companies react soon and implement the appropriate security measures.”
No less than half of the 6,800 companies surveyed said they had been victims of hacker attacks on their systems, and 41 per cent had discovered interception of or eavesdropping on their electronic communications. The third greatest risk, at 38 per cent, was customers or partners asking staff leading questions to extract information, and in fourth place, at 33 per cent, came data stolen by companies’ own staff. Innovative midsized companies are the worst affected of all – yet mid-market firms have limited awareness of the risks and few of them implement an effective protection strategy. Some companies are starting to react by separating private and business use within mobile apps. That is an important step, but it is not sufficient to protect documents.
Information security is available in the cloud as elsewhere, but it requires the implementation of a series of measures. In view of the precarious situation, it is important for companies to make their staff aware of the risks and provide them with secure applications. Employees should never be tempted to find a time-saving or more practical workaround – such as quickly sharing a document on popular but non-secure applications. This means that the security tools their companies provide must meet all important usability criteria for convenience and flexibility as well as security and reliability.
Chief information security officers (CISOs) and data protection managers should focus on the following areas when looking at how people should work with business-critical data:
- The cloud application should be flexible and easy to use, support a variety of user devices, and integrate seamlessly in the company’s existing infrastructure.
- It should include encryption based on the latest standards for communication between the user and the cloud, between the cloud and the administrator, and between the individual cloud servers.
- The documents stored and edited on the servers should be encrypted. This includes encrypted storage of passwords and permission concepts.
- The cloud application’s security level should be proven with a certification.
- Access to the data should be limited to authorised users. This should also cover an expiry date for access to certain types of data and two-factor authentication using different communication channels. For example, a user should only be able to access a document link after entering a password or code texted to their mobile phone.
- Users should be able to control access to files, such as by stipulating that a document is read-only. Changes to content should always be logged.
- Documents must be encrypted on users’ devices and protected from being forwarded to others.
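The access-control requirements in the list above (authorised users only, an expiry date on access, a second factor before a document link can be opened, read-only grants, and a log of every change) can be expressed as one small authorisation check. The following Python module is an added example written for this article; it is not Brainloop's product code, and the class and method names (`DataRoom`, `Grant`, `Session`, `authorize`, `edit`), the fixed clock and the sample users and document are all constructed for illustration.

```python
"""Document access control for a data room: expiring grants, read-only
permissions, a second-factor gate and a change log.
Added example; not Brainloop's own code. All names are hypothetical."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    user: str
    doc_id: str
    can_edit: bool                   # False means read-only
    expires_at: Optional[datetime]   # None means no expiry


@dataclass
class Session:
    user: str
    password_ok: bool
    second_factor_ok: bool           # e.g. code received over a separate channel (SMS)


@dataclass
class DataRoom:
    grants: List[Grant] = field(default_factory=list)
    change_log: List[dict] = field(default_factory=list)

    def grant(self, user: str, doc_id: str, can_edit: bool = False,
              ttl: Optional[timedelta] = None, now: Optional[datetime] = None) -> Grant:
        """Give a user access to a document, optionally expiring after ttl."""
        now = now or datetime.now(timezone.utc)
        g = Grant(user, doc_id, can_edit, now + ttl if ttl else None)
        self.grants.append(g)
        return g

    def _active_grant(self, user: str, doc_id: str, now: datetime) -> Optional[Grant]:
        # Only grants that have not passed their expiry date count.
        for g in self.grants:
            if g.user == user and g.doc_id == doc_id:
                if g.expires_at is None or now < g.expires_at:
                    return g
        return None

    def authorize(self, session: Session, doc_id: str, action: str,
                  now: Optional[datetime] = None) -> Tuple[bool, str]:
        """Decide whether the session may perform action ('read' or 'edit')."""
        now = now or datetime.now(timezone.utc)
        # Both factors must be present before any document link is opened.
        if not (session.password_ok and session.second_factor_ok):
            return False, "second factor required"
        g = self._active_grant(session.user, doc_id, now)
        if g is None:
            return False, "no active grant"
        if action == "edit" and not g.can_edit:
            return False, "read-only"
        return True, "ok"

    def edit(self, session: Session, doc_id: str, summary: str,
             now: Optional[datetime] = None) -> None:
        """Apply a content change; every attempt, allowed or denied, is logged."""
        now = now or datetime.now(timezone.utc)
        ok, reason = self.authorize(session, doc_id, "edit", now)
        self.change_log.append({
            "at": now.isoformat(), "user": session.user, "doc": doc_id,
            "summary": summary, "outcome": "changed" if ok else "denied", "reason": reason,
        })
        if not ok:
            raise PermissionError(reason)


def demo() -> Tuple[dict, List[dict]]:
    """Constructed walkthrough with a fixed clock so results are reproducible."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)          # constructed clock
    room = DataRoom()
    room.grant("alice", "contract.pdf", can_edit=False, ttl=timedelta(days=7), now=now)
    room.grant("bob", "contract.pdf", can_edit=True, now=now)
    alice = Session("alice", password_ok=True, second_factor_ok=True)
    alice_no_2fa = Session("alice", password_ok=True, second_factor_ok=False)
    bob = Session("bob", password_ok=True, second_factor_ok=True)

    results = {
        "alice_read": room.authorize(alice, "contract.pdf", "read", now),
        "alice_no_2fa": room.authorize(alice_no_2fa, "contract.pdf", "read", now),
        "alice_edit": room.authorize(alice, "contract.pdf", "edit", now),
        "alice_read_expired": room.authorize(alice, "contract.pdf", "read",
                                             now + timedelta(days=8)),
    }
    try:
        room.edit(alice, "contract.pdf", "tried to change clause 4", now)   # denied, still logged
    except PermissionError:
        pass
    room.edit(bob, "contract.pdf", "updated clause 4", now)                  # allowed and logged
    return results, room.change_log


if __name__ == "__main__":
    res, log = demo()
    for k, v in res.items():
        print(f"{k}: {v}")
    for entry in log:
        print(entry)
```

The check is deliberately deny-by-default: a missing second factor, an expired grant or a read-only grant each return a reason string rather than silently succeeding, and denied edit attempts are written to the same change log as successful ones, which gives the data protection manager something to review rather than only a record of what changed.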