Why Mobile Data Needs to Secure Our Attention

With Barack Obama’s well-publicised battle to keep his beloved BlackBerry when becoming the 44th President of the US, the public had an insight into just how much data might be made available on a device the size of a deck of cards. It may have been the healthy debate about the President’s BlackBerry that triggered the release of a strategy paper on cyber security by the US National Security Council last month but it’s just as likely to have been influenced by the fact that online fraud is estimated to run as high as US$1,000bn annually.

Smartphones have become our most beloved companion and are being used for everything from watching videos to commenting on an upcoming merger and acquisition (M&A) deal or making a wire transfer. Every time a smartphone is used to work, play or socialise, sensitive data is at risk of exposure. While taking data out of a device being diligently used by its rightful owner may prove a little tricky, criminals can read data on a lost or stolen smartphone like a book.

So what makes a smartphone different from PCs and laptops from a data security point of view?

Sensitive Data Combined with Portability and Easy Access

It won’t be long before everyone can, theoretically, access all of mankind’s digitally stored information via a smartphone.

On the way to total mobile data access, enterprises already achieve productivity gains by allowing staff to spend more time with clients or in the field while communicating remotely from a device that fits into the palm of their hands. This trend will be amplified by the advent of cloud computing, which has already become the mantra of Google and other big software developers. Smartphones have become the digital umbilical cord for corporate employees, providing a potent mix of constant connectivity, carefree use and access to sensitive information. It is this trinity that attracts attention from fraudsters, who – often without the victim noticing it – are able to extract vital corporate or private information from a smartphone within minutes.

Criminals don’t only target information available on a company’s server. It is often data that is readily available in the form of emails and attachments, text messages, calendar entries or contact details which attract the fraudster’s attention or can accidentally be made available to the wrong audience.

The ‘Dumbing Down’ Trend

Neo, the character in the popular 1999 film The Matrix, needed a high level of sophistication to break into a seemingly secure computer system. The villains of today’s cyber war often use much simpler methods.

The malware ‘Mariposa’, for example, which originated in Spain and instilled fear among computer owners across the globe, was famously masterminded by a group of youngsters who were barely computer literate. All they needed was readily available on the internet and cost them less than a thousand dollars to purchase.

Serious hacking aside, one of the biggest threats today is a phenomenon called ‘social engineering’: the art of getting people to drop their guard. In most cases, the intruder strikes a relationship – often remotely via email – with the victim to get passwords and other information required to access sensitive data. But social engineering can also come in a more personal form. The new acquaintance at the pub who talks you into showing the pictures on your smartphone may simultaneously be forwarding your emails or search an open phone for stored security information.

According to a recent study by Deloitte, financial services companies are now significantly less confident that they can keep sensitive data secure from people within an organisation compared to access by third parties.

Some third parties even state in their terms and conditions that they will get access to your data. Google Translate is such a service. It is easy to use – and at times vital to taking quick decisions when working on an international project. But by agreeing to the terms and conditions of this service you are granting Google a “perpetual, irrevocable, worldwide, royalty-free, and non-exclusive license” to use the content you posted. Google has no bad intentions when asking for a free license to the content – but is this the way to treat sensitive information?

Passwords and Remote Data Wipes

Passwords have become a modern day plague. The number of times we have to identify ourselves electronically to do the most basic of things borders on the insane. Hand on heart, consider the following:

  • How many different passwords do you use between online shopping accounts, accessing the member’s area of your sports team’s website and accessing your company’s internal systems?
  • Where do you store these passwords?
  • How often do you change them?
  • Do you really know what happens to a password when it is entered on the web for a seemingly harmless activity?
  • How different are the passwords used for these activities from the ones you use to identify yourself when accessing sensitive corporate information?

Most self-chosen passwords are easy to crack by someone with appropriate experience.

To make matters worse, often no password is used at all on a smartphone, in order to avoid having to spend the extra two seconds before taking another look at the latest share price (which, incidentally, is typically delayed by 15 minutes, anyway). Then there is the time between putting a smartphone away to the moment when the auto-lock kicks in. For someone with malicious intent, the two minutes we allow ourselves before being nudged to re-enter a password may be all it takes to do some serious damage.

In mitigation, some smartphones allow for a remote data wipe by an administrator. This will set the device’s settings back to standard and removes all data and applications stored on it. (BlackBerry’s Business Enterprise Server (BES) is designed for doing this very effectively.) But few consider how to inform the administrator to wipe all data, when the device containing their contact details is lost. And by the time the data is wiped, it may have long been (ab)used by someone else.

The Cry for Stricter Policies on Data Security

Many companies are weighing budgetary and practical constraints against the risk of doing too little. We have all witnessed the disastrous consequences from poor preparation and handling of the ‘low probability/high impact’ oil leak in the Gulf of Mexico. The UK government’s loss of child benefit records for millions of UK families in 2007 provides another example of an embarrassing breach of (data) security policy.

With this in mind, it is not surprising that the topic of data security is becoming increasingly subject to internal and external audits, while regulators and legislators are putting it high on the reform agenda. Financial institutions, in particular, are starting to recognise the competitive and reputational value of data protection and are working towards achieving – or exceeding – standards set by associations such as the International Organization for Standardization (ISO) or the Information Systems Audit and Control Association (ISACA) by imposing ever-stricter policies to prevent and report data loss and to improve standards of identity and access management.

Two Factor Authentication: A Very Strong Deterrent

So how can this be achieved effectively without turning mobile access to relevant business information into an obstacle course in its own right?

The answer to effective data protection depends on how much effort an organisation is prepared to put into designing, implementing and maintaining relevant policies. Regular training of staff on common threats and how to prevent them, increased vigilance and rigid password directives provide a strong foundation for data protection.

But the best policies are rendered ineffective when executed poorly by some and where obvious gaps remain. The only way to make data security a priority for all users is enforcing strict, yet simple, procedures when carrying and accessing data remotely.

Protective measures that can be considered include wired car kits that protect calls made from a vehicle, and asset protection devices which ring an alarm when the phone is out of reach. Using a smart card to identify a user has become a standard solution for many organisations. As a BlackBerry fan, I personally rate the Bluetooth-enabled smart card reader the firm produces – it only allows a device (BlackBerry smartphone or Bluetooth-enabled laptop) to function when it is within Bluetooth reach of the paired smart card reader containing the password activated, encrypted smart card. The armed forces, police units and other public sector enterprises use such devices to help protect sensitive data.

Which brings me nicely back to President Obama, who can rest assured that if he parted company with his BlackBerry, it would be impossible to access data on it once outside of the paired smart card reader’s reach.


Related reading