Many of you in the traditional roles of corporate, investigations and physical security may not think your organization has an active role in your organization’s telephony security polices and programs. Well, at least not on the risk management side of the equation. Post-hack or theft, the investigation and clean-up, of course, falls to your organization. But the recent rise in smart, or the newly coined, “superphone” hacks, breaches and resultant losses do require your attention and participation at the front end of risk management. In many cases, the flaw is not the technology being used, but the people using and misusing the technology. According to a Verizon Data Breach Investigations Report, which cites misused permissions as a core issue, 96 percent of these cyber-breaches are avoidable by implementing simple or intermediate controls.
This is not only an IT or technology security issue, per se. Rather, key risk issues are right in the sweet spot of corporate security, including culture, training and policies by employees to ensure that risk is reduced. The rise of corporate networks, electronic supply chains, remote workforces, global expansion and travel have all added to the complexity of risk management and securing the business, and mobile devices only add to the layer of brand risk. And then there’s the arrival of superphones to further raise the security bar.
What are superphones? As a basis for discussion, there are the traditional cell or mobile phones, the original un-tethered phone for the purpose of making a call while mobile. Security was not an issue for the first mobile phones, unless you lost one or had the electronic serial number stolen and applied to another phone. The only “exposure” was a huge phone bill and a lengthy argument with your service provider. Losses were limited.
The superphone category also includes the Apple iPad and post-iPad tablets, and according to talk at the recent CES Show, Apple should have a profitable year, with a projected 20 million iPads in 2011 expected to be sold. The year 2011 has been dubbed, “year of the tablet,” and rightly so.
So what to do? A “Sysadmin” blog written by Trevor Pott and distributed in a recent OSAC briefing outlines the general issues and potential problems, and provides a good starting point for definitions within your organization, so that everyone from IT to sales is singing the same tune.
The blog, titled “Superphones: A Nightmare Waiting to Happen,” correctly points out that with new connectivity and functionality, the risk to new attacks for superphones has increased. Specifically, Pott defines superphones as those that include access to an integrated app store and multimedia playback capabilities.
And his key point for you: “Superphones, on the other hand, are deadly. They are not only fully-featured computers in their own right, they are easy – and desirable – enough to use that everyday users are getting in on it. They are everywhere and worst of all, their popularity is seeing their vulnerabilities discovered, exploited and malware specifically designed to target them.”
It may be no coincidence that on the day after the blog was posted, McAfee, the anti-virus company best known for computer virus software, announced research that “smartphones are the cyber criminal’s new frontier.” According to the research, malicious attacks on smartphones increased 46 percent in 2010 (and you are thinking…only 46 percent?)
At the top of the attacked list are the market share leaders, including Google’s Android and Apple’s iPhone. And it is also no coincidence that McAfee acquired smartphone security company Trust Digital to enter this new growth market.
What are examples of the most common malicious attacks? One takes control of the Google Android application and quietly sends premium rate text messages to a number the hackers established. Their profits are instant and huge. Similar to the cell phone risk, the expense is yours. Of larger risk is spying to gain access to passwords to corporate networks as well as personal banking accounts. And the ability to download free apps to a corporate device that have not been vetted for malware is a significant risk. The February announcement of hacks on Western U.S. Energy companies by Chinese organizations included “tricking employees to reveal passwords.” There is nothing techno-savvy about that. That is all about people, policies and procedures.
Many of the publicized security breaches are the result of exploiting poor security technology and design. But many are also the result of not making users understand how to securely use their new superphone to protect the business and their own information. While the IT issues of superphones are not the traditional role of security, having a conversation with your IT folks leading the superphone charge may be worthwhile. Your expertise and voice in policies and tracking privilege usage beforean investigation has to be launched is central to the goal of protecting the business and building your brands.