KuppingerCole: Mobile working is insecure – How you can change it
March 2015 by KuppingerCole
Last Friday the article “Spooks tell business: Consider stripping staff of smart phones to avoid cyber-attacks” was published in The Telegraph. It talks about staff being the ‘weakest link’ and raises the prospect of staff being blackmailed by spies. The warnings were contained in the UK government’s cyber initiatives, the Ten Steps to Cyber Security (Ten Steps) and the more recent Cyber Essentials.
According to Amar Singh, Senior Analyst at KuppingerCole, ditching the phone won’t stop cyber-attacks because most people are not going to do it. In fact, many people now carry multiple smart devices including a tablet, a phone, and more recently smart wearables like watches, so the number of mobile devices per person is rising. Furthermore, any serious organization should already have adopted a mobile-first strategy. Cyber attackers will always find some way to attack a business; for example, they could simply revert to the old ways of targeting laptops and desktop computers.
Singh confirms that mobile working is insecure. But any device, including a new TV or an old laptop, is insecure as long as it is switched on. Mobile working has several benefits that both employees and organizations recognize. According to Amar Singh, we have to accept the facts and need a plan to prevent, detect and respond to these risks.
The UK government’s Ten Steps document contains some good advice that the Senior Analyst would encourage all to read and understand. In the meantime he strongly recommends every business owner to:
• Stop blaming the employee for all cyber security problems.
• Support the employee with the necessary technology to ensure that ‘mistakes’ cannot happen easily.
• Make use of existing technology available today that can help prevent and detect cyber-attacks.
• Be pragmatic, understand the risks, and educate the users.
KuppingerCole advises to:
• Take a risk-based approach and spend some time understanding the threats and the attackers that would want to target your company.
• Focus effort and time on preventing insiders leaking financial or human resource data.
At the same time as The Telegraph’s item, The Register published an article entitled “Banks defend integrity of passcode-less TouchID login”. The banks quoted are the Royal Bank of Scotland (RBS) and NatWest. It describes how doing bank transfers with passcode-less TouchID login can be secure if the customer doesn’t use a jail-broken iPhone.
Amar Singh is critical of this: “Most non-technical customers would not know if their iPhone is jail-broken or not. In addition, the banks are appearing to acknowledge that there is a problem by admitting jail-broken phones are susceptible. So why not configure their app to check for and block installations on jail-broken iPhones?”
The recent Mobile Threat Assessment report from FireEye discusses the increasing ease with which hackers can bypass Apple’s strict review process and invoke risky private APIs even on non-jail-broken iPhones.
Amar Singh mentions that banks, like most organizations, have to balance security against cost. They have a risk appetite and tolerance and must make trade-offs when it comes to security versus usability. “What’s truly disappointing is that the bank had an opportunity to get both user experience and security right without necessarily sacrificing either. Sadly, it seems, security was again a second thought,” says Amar Singh.