Welcome to the blog of Andrew Tang, Security Practice Lead for MTI Technology. A Cyber Security professional in the UK, who currently holds EU GDPR Practitioner, CISSP, MCSE: Security and MCTS certifications.
Saturday, 16 July 2016
Euro 2016: A lesson in BYOD security best practice [Link - ITProPortal]
One of the stories away from the pitch at this year’s Euro 2016 event was the significant spike in cybercrime on mobile devices.
Attending football fans, trying to keep on top of work or attempting to access tournament information, became victims to cyberthreats as hackers took advantage of insecure public Wi-Fi networks and applications.
Reports suggest that the host country was targeted in a highly calculated way by hackers during the event, with 72 per cent of malicious websites and 41 per cent of exposed passwords detected on smartphones in France alone.
The UEFA EURO 2016 Fan Guide App, one of the official UEFA mobile applications, was a prime target for hackers during Euro 2016, having been downloaded onto more than five million devices.
Designed to provide practical tourist information for fans travelling to France for the tournament, the app leaked user data including usernames, addresses, phone numbers, and passwords due to an insecure connection.
The BYOD threat is real
The scale of the attack during the event highlights just how strong the threat is for businesses, especially for companies operating BYOD policies, as employees are free to access malicious websites, fake apps and connect to unsecured Wi-Fi on the same device they store corporate data.
An additional report also suggests business travellers are more likely to be mugged of valuable private and corporate data than of their travel money. The report found that 59 per cent of staff in senior roles claim to log on as quickly as possible upon arrival abroad, while 48 per cent of senior managers and more than 43 per cent of mid-level managers use unsecure public access Wi-Fi networks to connect their work devices when abroad.
So how can businesses protect themselves against mobile threats and prevent mobile hardware and apps from leaking corporate data, and what are best practices around BYOD security?
With company owned mobile pools now rapidly becoming out of date and workplace bring your own device (BYOD) policies steadily growing, controlling what an employee does on their device has become far more difficult and complex.
Enterprise Mobility Management (EMM) platforms have become crucial in protecting corporate data. Apps and documents can operate separately from the rest of the device, allowing employers to create a ‘wall’ around sensitive information to prevent infection from compromising data.
EMM also allows for robust security policies to be put in place on an employee’s personal phone without invading privacy or forcing too much control of a personal device to an employer.
Right apps, right channels
It is also important to consider where employees are storing data. Some cloud-based storage applications can present a risk as the data is often entrusted to a third party. This means businesses have to rely on the strength of an employee’s password for protection.
Using the appropriate channels for storing information, such as an encrypted VPN, and making these available to employees’ mobile devices is another step towards protecting business assets. This ensures all information is properly encrypted through storage managed by the company itself, rather than entrusted to a separate party.
Another consideration for most businesses is how to prevent staff downloading apps that can leak data. Companies that issue a fleet of managed devices can place restrictions on what apps can be downloaded, but with BYOD, employees are free to download what they want.
By creating a separate corporate app store on the device, IT departments can then ensure that only approved apps can be used to access corporate information, while still allowing employees the freedom to download whatever they wish to use on their device.
One of the biggest threats during the Euro 2016 tournament was the use of free Wi-Fi facilities.
Public, password-free Wi-Fi is a particular threat to both individuals and businesses because the lack of encryption allows hackers to read almost all information a user’s device sends over the network.
The Wi-Fi Pineapple, for example, makes man-in-the-middle attacks easy. In this type of attack, a hacker sits in between the device and the Wi-Fi to which it is connected in order to extract information from the device.
These types of attack are especially dangerous for travelling football fans and business people alike, as users often try to avoid paying expensive data roaming charges while in foreign countries.
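The Fan Guide app leak described above and the open Wi-Fi risk discussed here have the same root cause: sensitive fields sent over a connection that is not encrypted can be read by anyone on the same network. The following Python script is an added example, not code from the original article or from UEFA, showing the kind of check an app security tester runs over a traffic capture from their own test device: it flags every request that carried a credential-like field over plain http://. The request records, host names and field values are constructed for the example.

```python
import json
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Field names that should never travel over an unencrypted connection.
# The list is an assumption for this example; extend it per application.
SENSITIVE_FIELDS = {"username", "password", "passwd", "pwd",
                    "token", "email", "phone", "address"}


@dataclass
class Finding:
    url: str           # full request URL as captured
    fields: List[str]  # sensitive field names seen in the clear


def _sensitive(keys) -> List[str]:
    """Keep only the keys that match a sensitive field name (case-insensitive)."""
    return [k for k in keys if k.lower() in SENSITIVE_FIELDS]


def _body_keys(body: Optional[str]) -> List[str]:
    """Extract top-level field names from a form-encoded or JSON request body."""
    if not body:
        return []
    body = body.strip()
    if body.startswith("{"):
        try:
            return list(json.loads(body).keys())
        except ValueError:
            return []  # not valid JSON; nothing to inspect
    return list(parse_qs(body, keep_blank_values=True).keys())


def find_plaintext_leaks(requests: List[dict]) -> List[Finding]:
    """Return one Finding per request that sent a sensitive field over http://.

    Each request is a dict with 'url' and an optional 'body'. Query-string
    and body fields are both inspected; TLS (https://) requests are skipped
    because their contents are not readable on the wire.
    """
    findings = []
    for req in requests:
        parsed = urlparse(req["url"])
        if parsed.scheme.lower() != "http":
            continue
        keys = _sensitive(parse_qs(parsed.query, keep_blank_values=True).keys())
        keys += _sensitive(_body_keys(req.get("body")))
        if keys:
            findings.append(Finding(req["url"], sorted(set(keys))))
    return findings


# Constructed sample capture for the example (not real traffic).
SAMPLE_REQUESTS = [
    {"url": "http://api.example.test/login",
     "body": "username=fan42&password=hunter2"},
    {"url": "https://api.example.test/login",
     "body": "username=fan42&password=hunter2"},
    {"url": "http://api.example.test/schedule?day=3", "body": ""},
    {"url": "http://cdn.example.test/profile?email=fan42%40example.test&phone=0123",
     "body": None},
    {"url": "http://api.example.test/v2/login",
     "body": '{"token": "abc123", "locale": "fr"}'},
]

if __name__ == "__main__":
    for finding in find_plaintext_leaks(SAMPLE_REQUESTS):
        print(f"plaintext leak: {finding.url} fields={finding.fields}")
```

Running the script reports the first, fourth and fifth sample requests; the second is the same login sent over TLS and is not flagged, which is exactly the fix the article's "insecure connection" point calls for on the app side. On the device side, the EMM controls described below stop the same credentials being typed into an unapproved app in the first place.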
By educating employees of the dangers posed by using unsecured Wi-Fi and unauthorised applications, organisations can help to mitigate at least some of the potential threat.
Part of this process should involve advising employees of the dangers hacking poses, the reasoning behind approved corporate channels for storing information, and clearly defining the role they need to play in securing their device.
IT departments need to be working with the HR team and heads of departments to create a corporate culture around security and convey that the protection of company data is as much their responsibility as it is for IT professionals.