Is Your Mobile Data Secure?
Orson Welles captured the transformation of society in his classic film “The Magnificent Ambersons.” In the story, about the modernizing of an American city, the new invention of the automobile was about to replace the old mode of transportation in the horse-drawn carriage. When the old guard refused to adapt to new technology, they were surpassed in wealth and left behind.
Today, we are about to cross a similar divide as the all-digital world—mobile, social, cloud computing, data analytics—pushes out analog and, through software automation and 3D printing, eliminates many low-paying jobs in the process.
Aware of the impact that the new technologies will bring to consumers and businesses, Coalfire cofounder and CEO Rick Dakin made a few predictions heading into 2013 on the governance, risk and compliance (GRC) of data, on increased cybersecurity threats, and on sophisticated phishing attacks via email.
With mobile technology being young and vulnerable, Coalfire predicts: “More than one million users will be impacted and the loss will be more than $10 million” in 2013.
With tongue in cheek, Mr. Dakin stated that lawyers will discover a new revenue stream by suing companies that fail to protect the data of their clients and consumers. Then, in a more serious vein, Coalfire predicts “the government will lead the way in enterprise migration to ‘secure’ cloud computing.”
Coalfire’s most interesting prediction: “Critical Infrastructure Protection (CIP) will replace the Payment Card Industry (PCI) standard as the white-hot tip of the compliance security sword. Banks, payment processors and other financial institutions are becoming much more mature in their ability to protect critical systems and sensitive data.”
It appears newer technologies will replace new technologies.
How Secure is Mobile Data?
Last September, I attended a panel discussion in which Mr. Dakin was the main speaker on data breaches and the need to protect data to meet new regulatory requirements on privacy and compliance. After his sobering presentation on how unprepared most companies are regarding data and the BYOD trend, he and I met to discuss more. Listening to him talk, on a hotel rooftop in Manhattan, about the state of unpreparedness in many industries, I realized that GRC was going to play a huge role in the switch to digital.
Coalfire Systems, Inc., (est. 2001) is a leading independent IT audit and compliance firm that provides IT security and GRC management solutions for their clients. It is based in Louisville, Colorado, with seven regional offices around the United States.
In a follow-up interview with Rick Dakin, I inquired about his views on how mobility will change the rules of user data.
“Mobility platforms have been designed for the ‘cool kids’ to play games and share their world experiences on social networks. Their ubiquitous deployment and powerful capabilities make them ideal for the next generation of mobile business applications.
“Unfortunately, the OS for each platform is inherently vulnerable and does not have the basic architecture to deploy previous generation IT controls like firewalls, access controls, systems hardening, or even malware protection.
“It’s clear that security will not come from platform vendors. We used to have fun highlighting the security gaps in Microsoft Windows systems. Today, Google and Apple are taking the lack of embedded security to an entirely new level that is way more risky than any Microsoft product.”
“What other verticals are exposed to such risk?” I asked.
“The most risky arena is mobile medical,” Mr. Dakin said. “Homegrown mobile applications are becoming more common with no consideration on how to remain compliant with HIPAA or HITECH patient record protection standards.
“The more troubling trend is for internal and external auditors to remove mobile applications from testing scope since audit guidance is not clear. Avoiding the problem does not solve the problem. We IT assessors have to test mobile and cloud applications along with the legacy platforms.”
That is one challenge in the changing digital landscape.
BYOD Smartphone and Tablet Exposure
I asked, “With the BYOD trend moving into the B2B space, what gaps are there in data and security management?”
He replied: “Aside from the inherent operating system limitations, mobile application deployment on personally owned devices introduces unique risks:
- Who owns the data on the smartphones and tablets?
- How does an organization know when company data is ‘backed up’ to a personal cloud?
- Can we enforce access controls on a device not owned by the company?
- When a device is stolen or lost, how does a company know what data is at risk?
- Will users give enterprises the authority to run remote wipe of personal devices?
- Since users can download any number of unsafe applications, how does an organization know if malware is already harvesting data on the personal device?
“And if data is lost, where does an organization get logs to conduct forensic analysis and implement its Incident Response Plan?”
He paused, and explained, “BYOD is the path forward. Industries like construction (which have multiple stakeholders) will have to adopt more nimble applications with just-in-time knowledge to keep projects moving forward on timelines that are getting shorter. Those leaders who deploy more content-rich mobile applications will win in the marketplace. However, mobile devices will remain risky for at least the next few generations.”
Security Challenges in the Cloud
Aware that liabilities with a data breach don’t belong to the IT department, but the executive management, I asked, “Why haven’t executives received the message on compliance risk?”
“I am always surprised when senior executives are surprised by a significant data breach. It’s almost as if we are rerunning the Enron tapes where senior executives questioned if they should have known what their staff was doing on critical operations,” Rick Dakin replied in an apt analogy. “A new generation of CIOs is becoming more integrated into the business functions, but that migration is in the early stages. Many IT functions are just stewards for the bits of data being processed, transmitted or stored on systems that they manage.
“As a result, the IT department may not understand the criticality of the operation or the sensitivity of the data,” he said.
“Only the business leaders understand the value of those systems. In many cases, data is better protected by changing processes rather than changing the architecture. But only the business unit can determine which strategy is better.”
He gave an example of payment processing and healthcare operations, noting, “Leading organizations remove sensitive data from key processes in order to limit risk by reducing the scope of the attack surface.”
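The scope-reduction idea Mr. Dakin describes for payment processing is usually implemented with tokenization: a single, tightly controlled vault holds card numbers, and every other process works with a random token plus the last four digits. The following is an added illustration written for this article, not Coalfire's or any client's code; the vault, the order system and the sample card numbers are constructed for demonstration, and a production vault would of course persist and encrypt its mapping rather than keep it in memory.

```python
"""Constructed example: reducing PCI scope by removing the card number (PAN)
from the order process. Only TokenVault ever sees a PAN; OrderSystem stores
tokens and last-four digits, so a breach of the order path exposes no card data.
All class names, data and sample card numbers are assumptions for illustration."""
import re
import secrets


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: the standard sanity check that a digit string is a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def valid_pan(pan: str) -> bool:
    """Accepts 13-19 digits that pass Luhn; spaces and dashes are stripped first."""
    pan = re.sub(r"\D", "", pan)
    return 13 <= len(pan) <= 19 and luhn_ok(pan)


class TokenVault:
    """The only in-scope component: it holds the PAN <-> token mapping."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> tuple[str, str]:
        """Return (token, last4). Tokens are random, so they reveal nothing about the PAN,
        and the same PAN always maps to the same token so orders can be correlated."""
        pan = re.sub(r"\D", "", pan)
        if not valid_pan(pan):
            raise ValueError("not a valid card number")
        token = self._token_by_pan.get(pan)
        if token is None:
            # url-safe alphabet: a token cannot be mistaken for a digit-only PAN
            token = "tok_" + secrets.token_urlsafe(24)
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return token, pan[-4:]

    def detokenize(self, token: str) -> str:
        """Only the settlement step inside the vault boundary needs the real PAN."""
        return self._pan_by_token[token]


class OrderSystem:
    """Out of scope by design: its API never accepts a PAN, only a token and last4."""

    def __init__(self):
        self.orders = []

    def place_order(self, token: str, last4: str, amount_cents: int) -> dict:
        record = {"token": token, "last4": last4, "amount_cents": amount_cents}
        self.orders.append(record)
        return record

    def holds_card_data(self) -> bool:
        """Assessor-style check: does any stored field contain something PAN-shaped?"""
        for rec in self.orders:
            for value in rec.values():
                for run in re.findall(r"\d{13,19}", str(value)):
                    if luhn_ok(run):
                        return True
        return False


def checkout(vault: TokenVault, orders: OrderSystem, pan: str, amount_cents: int) -> dict:
    """The capture point tokenizes immediately; the order path receives no PAN."""
    token, last4 = vault.tokenize(pan)
    return orders.place_order(token, last4, amount_cents)


if __name__ == "__main__":
    vault, orders = TokenVault(), OrderSystem()
    rec = checkout(vault, orders, "4111 1111 1111 1111", 1999)  # constructed test PAN
    print(rec)                                # token and last4 only
    print("card data stored:", orders.holds_card_data())
```

The practical check an assessor makes is the one `holds_card_data` models: scan the out-of-scope system's storage for anything that looks like a card number and passes Luhn. If the order path is truly out of scope, that scan comes back empty even after a breach of that system.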
“What other compliance pitfalls should companies be aware of?” I asked.
“Coalfire conducted a survey earlier this summer to understand how prepared various organizations are to adopt mobile technology, including personal devices. The survey revealed that almost 50% of all organizations surveyed had not yet started discussing mobile security with their employees. They appear to be in a period of denial.”
Reflecting back on the growth of cloud computing, Mr. Dakin said, “Our forensic examination services and early participation in cloud security and mobile applications keep us current. However, our strength comes from working with other industry leaders. When Oracle challenged us to help them validate their new cloud-based hosting services for various compliance requirements, we were eager to help. We learn by tackling the tough and sophisticated environments. We find that there is no unique wisdom. We have to work incrementally to learn from our clients and from partners like VMware, which asked us to work with them to build a reference architecture for virtual system compliance.”
In other words, with big data comes big risk.
More companies need to be vigilant of securing their data, protecting their intellectual property and reputation, while understanding compliance risk in the new digital era.
The Epoch Times publishes in 35 countries and in 20 languages.