Security has been about evolution. First came the PC – big and clunky, it taught us about the importance of keeping the good guys in and the bad guys out. Then came the era of laptops and, well, losing them, which showed – at the expense of some very red faces – the importance of ensuring secure remote access.
And now comes the new generation; the smartphone. Surely by now we’ve learnt our lessons from the past and are well prepared for the next iteration of security challenges that the move to mobility will bring with it?
Well, not quite. In many ways, it feels like Groundhog Day, with the same mistakes being played out. The 2011 Get Safe Online campaign kicked off with a warning aimed at educating consumers about the security scams out there targeting their smartphone.
But with more and more smartphones being deployed in the corporate environment, arguably it is businesses that have the most to lose.
Smartphones have become the bedrock of any remote access strategy. Easy to use and intuitive they enable staff to access email, download and work on attachments as well as access corporate web and cloud-based applications such as Salesforce whilst on the move.
But it is this very ease of use that lulls people into a false sense of security. Would you like it to remember your password for next time? Yes please. Would you like to enable automatic log on? Yes please.
All these quirks designed to make our lives easier only hasten the speed with which a hacker – or even someone that has found your lost device – can get into sensitive files or the corporate network and do damage.
For example, most mobile devices from tablet PCs to smartphones are set up to automatically search for and log onto the nearest Wi-Fi hotspot. And who says no to free Wi-Fi? But with some cheap equipment from a high street electrical store a hacker can set up a ‘fake’ Wi-Fi spot and snaffle all the passwords they need to break into the corporate network using someone else’s identity in a matter of seconds.
And as the lines between personal and professional use of smartphones start to blur, it is becoming even harder to mitigate the risks.
Most IT departments and security chiefs know that if their company rolls out iPhones, staff will download applications from the App Store. Until last week they were probably quite relaxed about this as Apple has a ‘quality control’ process in place before apps can be sold and downloaded.
But the discovery of a rogue app has shown that Apple’s processes are not foolproof. What looked like a harmless app was actually designed to unleash chaos. And what of Android? Predicted by Ovum to gobble up a 25% share of the enterprise market in next five years, its Market Place has no rules or any way of governing what applications are uploaded onto it and made available to an unsuspecting public.
These are just two examples of how the commercially valuable information sitting on smartphones is vulnerable to attack from different angles.
Like it or not, if your organisation has smartphones you’ve also got some serious security blind spots.
It’s hard to think that one small device could have big security consequences, but it does. In many ways it is like embarking on security education all over again. The trend towards bring your own device (BYOD) is further muddying the water, but businesses should make no mistake – it is their responsibility to secure their data.
Right now, companies can’t validate whether people accessing the network are who they say they are. Instead they rely on static passwords to authenticate the person rather than one time use passwords which are unique and can’t be stolen.
Traditional approaches to passwords are the weakest link in any security policy; companies should not continue to make the same mistake in the mobile world.
Jason Hart, managing director at CRYPTOCard.
