From hospital ventilators to trucks full of toilet paper, Coronavirus has seen criminals in the real world adapt and react with their choice of target and points of attack. Cyber criminals too, will no doubt look to take advantage of the situation that workplaces – nationwide – have been catapulted into, many of them seriously under-prepared for the ‘new normal’ we now find ourselves in. And whilst “Stay at home” remains sound advice in the fight against one virus, home-working has opened companies up to the threat of a different kind altogether.
The use of technology in the workplace is by design, an ever-changing medium, and in recent years there has proven to be a clear trend for employees, even prior to current events, to conduct more and more of their work across a number of devices and locations. Amid the continuing blurred lines of the home space and workplace, it turns out that convenience is king, and the king of convenience is the mobile phone. Unfortunately, your employees are not the only ones reaping the benefits.
A false sense of security…
It’s Monday morning, 7am, as you get started on another week of work in lockdown, from the comfort of your duvet. You’re casually flicking between work and personal errands online. Picking up an email from the boss, finding out what time to expect that food delivery – you’re a master of multi-tasking. You go downstairs to make the breakfast with the little ones running around and you pop your phone on the side. No need for lock screens and passwords anymore. In the safety of your home, do the basics seem less important? Does caution go out the window?
If any of this is sounding familiar, you can rest assured, that it is being repeated across the country as we speak. So, what should we be looking out for – what are the risks when it comes to mobile security?
In the simplest terms – the transferring of data from a private network or device to an outsider without the owner’s knowledge or expressed consent. Hackers access this data by targeting mobile phones with various types of malware. This can be done in two ways:
- Malicious Apps - Usually something along the lines of a free game. It looks genuine and seems harmless, but what was simply meant to kill some time and provide a little light relief, has now resulted in a hacker gaining unfiltered access to your system and confidential data. Not only have you invited them in, you’ve also permitted them to freely access your camera, microphone, contacts, Bluetooth, the list goes on. Did that Scrabble App really need access to your location and photo library? Cyber criminals rely on the careless and uninformed decisions of users, all too happy to trust. You wouldn’t permit a stranger to roam freely around your home and rifle through your private possessions, so why allow an unknown app?
- Rogue Web Pages - The app you use more than any other – your browser. From searching, to shopping, to online banking – it also stores the logins and passwords for the million different things we’re all signed up to these days. Handy, right! Well, definitely so for hackers. All you need do is click on one, rogue, well disguised link and they’re in. Even just access to your email account comes with a whole list of contacts who wouldn’t think twice about opening an email from you. Criminals can now use your account to distribute untold amounts of malware and viruses, this was just the start. Now, imagine this cross-company.
Your own worst enemy
Not only do we have these outsider threats to contend with, but also an accidental enemy much closer to home. As we lead our busy lives, multi-tasking and failing to concentrate on the job in hand, mistakes are going to be made – sending an email to the wrong person, uploading company files to the public cloud, just the push of one wrong button by that pesky little one, running around. This is accidental disclosure and if you’ve ever sent a text to the wrong person (awks!) then you know how easily it can be done.
In layman’s terms – gaining access by pretending to be someone you’re not. Within the realm of smartphones, this would usually be done through the sending of deceptive emails (‘Phishing’) or text messages (‘Smishing’) but more and more, we’re now seeing other routes of access across various messaging platforms – Whatsapp and Facebook proving to be particularly popular amongst data thieves as they seek to trick users into downloading malicious content or revealing their login credentials.Mobiles are, in fact, particularly vulnerable for a multitude of reasons:
- The unfocused, multi-tasking manner in which we use them means we are paying less and less attention to what we are opening and clicking on
- One-tap message opening options mean we don’t always fully comprehend what it is we are viewing before we do so
- The smaller screens of smartphones display much less information compared to a computer, because of this we can’t always be sure that what we are receiving is from who we think it is
Let’s hope employees really are sticking to the rules regarding logins and passwords! One false move here and hackers have not only gained easy access to your own accounts, but potentially the companies as well.
There are two things to look out for here:
- Unsecured Wi-Fi – does what it says on the tin!
- Network Spoofing – Hackers masquerading as proximate, trustworthy networks; for example, “airport” or “pub”, in order to capture your credentials.
One tricks you into trusting it and the other simply takes advantage of the position you’ve put yourself in. Both ask you to create an account, in doing so you provide them with an email and password. Unknown to you, they’re relying on the fact that most people use the same log-ins and passwords or variants thereof, over and over again. Now they have access to a multitude of other platforms used by you where they can log into your accounts and gain even more information – a treasure trove awaits!
While this may not be such an issue right now, it is clear that many businesses who have the ability will be looking to keep their workers remote going forward. As pubs, cafes and restaurants around them start to re-open, workers may want to get out of the house. They may even feel comfortable meeting colleagues again, outside of the home. Be pro-active in raising awareness and make this part of your policy now.
Defence is the best form of attack
We’ve listed three of the most common methods used by cyber criminals, but the risks certainly do not stop here. From ‘Crypto-jacking’ (the use of your phone’s power to mine crypto-currency without your consent) to ‘Physical device breaches’ (the failure to properly secure a device, which has been left unattended or become lost, via encryption or password protection), the list goes on. And with remote working here to stay, mobile security has never been more important. So what should we be looking at to secure ourselves, our employees and our businesses against these threats?
To BYOD or not to BYOD
This is indeed, the question. Like it or not, use of personal phones for work purposes is now the prevailing workplace culture. For many companies, large and small, it may not be or seem financially viable to equip the whole workforce with company phones. However, even companies who provide work devices must make peace with the fact that – policy in place or not – employees may still use them for personal reasons. With this in mind, let’s just focus on fighting it head on. Here are our top three tips!
1. Secure your devices - The key point here is finding the balance between what’s best for the user in practice and keeping things secure for the company. Putting too many restrictions in place could result in a dip in productivity and a generally poor user experience. On the other hand, if things are left a little too lax, you may end up subjecting the company to unnecessary risk. As far as securing your devices go, having the following in place is a great start.
Virtual Private Network (VPN)
Using one enables employees to connect their phone to your company’s private server, allowing them to browse the internet using that servers secure connection. It also offers a virtual tunnel for employees to transmit data safely between themselves and the company.
Having one in place, leaves hackers unable to decode or steal the data being transferred.
Mobile Device Management (MDM)
This security software works across all kinds of devices and networks, whether you have a BYOD policy in place or not. MDM integrates with the systems you have in place and enables you to remotely manage and secure your employees’ mobile devices. Time-saving and efficient – it allows you to complete tasks on your employee’s behalf, ensuring you remain both safe and compliant. Its functions include the ability to:
- Remove, install, and manage the use of apps
- Configure basic settings and carry out regular updates and back-ups
- Prevent the sharing or saving of company data
- Locate devices, grant, and deny access to internal resources and wipe remotely
2. Put strong policies in place
- Be specific to mobile devices
- Be clear in their BYOD principles
- Be transparent in what accesses and abilities the company will have
- Lay out the responsibilities of both the user and the company in a clear manner
- Feature clear dos and don’ts
- Demonstrate a ‘no blame’ culture in the reporting of incidents
- Help employees feel secure that their own personal data is protected. Privacy is a two-way street!
And lastly, as a prime minister past once said…
3. Education, Education, Education.
- Inform your team of the threats and make doing so a priority
- Update this information and hold refreshers on a regular basis
- Incorporate security into your Day one training. Day two could already be too late
- Train them in the ‘How to” – how to prevent, how to spot, how to report
- Teach the importance of a strong defence, especially when it comes to password protection
- Conduct regular practice attacks. We all learn from our mistakes
How can we help?
From gaining employee and consumer trust, to building towards the capacity for expansion, we could bang on all day about acting fast now to reap the benefits of moving beyond the safeguarding of just desktops and laptops in the current climate. But at Bridewell we know that there isn’t a ‘one size fits all’ approach to securing your assets. Instead, our aim is to advise you to be able to make an informed decision on the necessary investment for your own firm when it comes to threats and vulnerabilities you face.
Bridewell can help you to:
- Put programmes and procedures in place to train, guide and secure
- Demonstrate legal and regulatory compliance
- Manage mobile risks, as well as, report and respond to incidents by equipping you with MDM
If you’d like to learn more about the services we offer including mobile penetration testing services, we’d love to hear from you. Get in touch to hear more about how we can help you to secure your assets and leave you better positioned to expand into new business opportunities with a solid framework and solid reputation in place.