Tag Archives: BYOD

Email Insecurity


This time of year, there is an upsurge in phishing and other malicious emails for us to contend with. From phony delivery notices to hoax PayPal problem emails, our inboxes are awash with attempts to invade, defraud and otherwise cause us chaos or loss. So the news that people are not taking the threat from email seriously, after all the years of phish and spam, is worrying to say the least. Advent IM Security Consultant, Dale Penn, takes a look at the facts.

For far too many people, email security isn’t an issue until it suddenly is. Often, people won’t take threats against email seriously, believing that data breaches only happen to large companies as these are the only breaches that are reported in the news.

Alternatively, companies tend to assume that email security is just something that’s already being taken care of because they have purchased the most up-to-date technical defences: anti-virus, firewalls, data loss prevention software and so on. It’s true that these can help as part of a layered approach; however, one large piece missing from the puzzle is education and awareness.

SC Magazine reports that 70% of Brits don’t think that email is a potential cyber threat, and almost half admit opening non-work-related or personal emails at work.

Corporate Email Vulnerabilities

Bring Your Own Device (BYOD)

This refers to the practice of employees bringing personally owned mobile devices (laptops, tablets and smartphones) to their workplace, and using those devices to access privileged company information and applications. This corporate ‘bring your own device’ trend is on the rise, according to a new study.

Ovum’s 2013 Multi-Market BYOD Employee Survey found that nearly 70% of employees who own a smartphone or tablet choose to use it to access corporate data.

The study surveyed 4,371 consumers from 19 different countries who were employed full-time in an organisation with over 50 employees.

The study has discovered that 68.8% of smartphone-owning employees bring their own smartphone to work, and 15.4% of these do so without the IT department’s knowledge. Furthermore, 20.9% do so in spite of a BYOD policy.

These statistics are quite alarming as uncontrolled devices accessing corporate information represent a significant vulnerability.

Uploading to Personal Email account or Cloud Account

It doesn’t matter how strong your security standards are, or how much money you’ve dumped into the fanciest, most secure cloud storage systems: often employees won’t use them, preferring to bypass the red tape and send the information to uncontrolled home accounts, thereby bypassing any company security.

We’d all like to think that those who hold upper management positions in our businesses have higher standards, especially when it comes to security, but the statistics don’t lie. In a Stroz Friedberg survey, almost three-quarters of office workers admitted to uploading their business files to personal accounts, and senior managers were even worse, with 87% of them failing to use their company’s servers to store sensitive company documents.

Conclusion

The fact of the matter is that the general security culture of the UK is not as it should be. The public in general (and many organisations) are unaware of, or not interested in applying, the most basic security principles to protect their personal information.

Recognising this culture is the first step in treating it. Individuals still treat cyber-attacks with a degree of separation and the view that “it will never happen to them”. Few people realise that a cyber-attack could potentially be as invasive and disruptive as a physical home invasion, yet few people leave their house without taking appropriate security steps. We need to introduce awareness to the masses and embed a culture that has them locking their cyber door as well as the ones at home.

Top email Security tips

  1. Share your e-mail address with only trusted sources.
  2. Be careful when opening attachments and downloading files from friends and family or accepting unknown e-mails.
  3. Be smart when using Instant Messaging (IM) programs. Never accept strangers into your IM groups and never transmit personal information.
  4. Watch out for phishing scams. Never click on active links unless you know the source of the email is legitimate.
  5. Do not reply to spam e-mail.
  6. Create a complex e-mail address, as these are harder for hackers to auto-generate.
  7. Create smart and strong passwords using more than 6 characters, upper and lower case, numbers and special characters, e.g. £Ma1l5af3
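Tip 4 is easier to follow when you can see what a link actually points to. The Python script below is added here as an illustration and is not part of the original post: it pulls every link out of a constructed sample email body and flags the two things an awareness session usually covers, anchor text that shows one address while the href points at a different domain, and links whose target is a bare IP address. The sample HTML and every hostname in it are made up for the example, and the domain comparison uses a crude last-two-labels rule rather than the Public Suffix List.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body of a phishing-style HTML email (not a real message).
# Link 1 displays one brand's address but points elsewhere; link 2 is
# consistent; link 3 hides a bare IP address behind vague anchor text.
SAMPLE_EMAIL_HTML = """
<p>Your parcel could not be delivered. Confirm your address at
<a href="http://parcel-update.example.net/confirm">https://www.royalmail.example/track</a>.</p>
<p>Need help? See <a href="https://www.royalmail.example/help">www.royalmail.example/help</a>.</p>
<p>Or <a href="http://198.51.100.7/login">click here</a> to sign in.</p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname of a URL, or of bare text like 'www.example.com/path'; None if not URL-like."""
    candidate = text if "://" in text else "http://" + text
    host = urlparse(candidate).hostname
    return host if host and "." in host and " " not in host else None


def registrable_domain(host):
    """Crude 'last two labels' rule; production code should use the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_links(html):
    """Return one dict per link: href, shown text, and the reasons it looks suspicious."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, shown in collector.links:
        reasons = []
        target_host = host_of(href)
        shown_host = host_of(shown)
        if target_host and is_ip_literal(target_host):
            reasons.append("link target is a bare IP address")
        if target_host and shown_host and registrable_domain(target_host) != registrable_domain(shown_host):
            reasons.append("displayed address and real target differ")
        findings.append({"href": href, "shown": shown, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL_HTML):
        flag = "SUSPECT" if f["reasons"] else "ok"
        print(f"{flag:8} {f['shown']!r} -> {f['href']} {f['reasons']}")
```

Only the first and third links are reported; the second shows the same registrable domain it points to. The point for an awareness session is that the displayed text is whatever the sender chose to write, and only the href decides where the click goes.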

The Insider that rarely gets questioned…

Insider Threat certainly isn’t going away, is it? Reading the continual survey results and news items I see published, it will still be an issue for a long time to come. We know that a lot of the risk that insiders bring can be mitigated with good policy and process, combined with tech that is fit for purpose. But what of those insiders we don’t really like to challenge? I speak of the C-Suite; our boards and senior management… surely they couldn’t possibly indulge in risky behaviour?

Risky behaviour is actually quite prevalent in our boardrooms, security-wise I mean (check out https://uk.pinterest.com/pin/38632509277427972/). Unfortunately, some of the information assets that this level of colleague has access to are quite privileged, so in actual fact the security around their behaviour needs to be tighter. In reality, things are not always this watertight: IT security and other security functions will make huge exceptions based upon role and seniority, instead of looking at the value of the information asset and how it needs to be protected (check out https://uk.pinterest.com/pin/38632509276681553/).

It’s worth noting that senior execs are frequently the targets of spear phishing and, given the level and sensitivity of the assets they have access to, this is a huge risk to be taking with organisational security. Ransomware could also be deployed through this method, and as a means of coercion. Whilst considering this level of access, we also need to think about the purpose of an attack. If it was part of an industrial espionage type of operation, the plan might not be to steal data; it could be to destroy or invalidate it, in situ, in order to affect stock prices, for instance. It is also worth noting that ex-execs or managers can still be a target, and that means they still constitute a potential organisational threat.

Privileged access users like system administrators (sysadmins) also pose a potential threat in the same way as senior business users, as there may be little or no restriction on what they can access or edit. A rogue sysadmin or similar could cause absolute chaos in an organisation, and the organisation might not even realise it if they also have the ability to cover their tracks. According to the Vormetric 2015 Insider Threat Report, the biggest risk group was privileged users, and Executive Management categories were responsible for 83% of the overall risk from insiders. Yet according to the same piece of research, only 50% have Privileged User Access Management in place, and just over half had Data Access monitoring in place.
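The Vormetric figures above are about controls that are often absent: privileged user access management and data access monitoring. As an added illustration, not from the article or from the report, the Python below shows what a minimal data access monitor does with a constructed audit log: it records privileged accounts touching sensitive folders and escalates when that happens out of hours, flags an audit log being cleared (the ‘cover their tracks’ case), and flags an account granting a role to itself. The log format, user names, folder names and business hours are all assumed for the example.

```python
from datetime import datetime, timezone

# Assumed inputs for this illustration: privileged group membership, the folders
# treated as sensitive, and the hours during which access is expected.
PRIVILEGED_USERS = {"sysadmin1", "sysadmin2"}
SENSITIVE_PREFIXES = ("/board/", "/finance/", "/hr/")
BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 UTC

# Constructed audit-log sample in a simple 'timestamp key=value ...' format.
SAMPLE_AUDIT_LOG = """\
2015-03-02T10:12:44Z user=jsmith action=read object=/sales/pipeline.xlsx result=ok
2015-03-02T23:14:05Z user=sysadmin1 action=read object=/board/minutes-feb.docx result=ok
2015-03-02T23:15:40Z user=sysadmin1 action=clear object=audit-log result=ok
2015-03-03T09:05:12Z user=sysadmin2 action=read object=/hr/payroll.csv result=ok
2015-03-03T09:06:00Z user=jsmith action=grant object=role:domain-admin target=jsmith result=ok
"""


def parse_event(line):
    """Parse one log line into a dict; the timestamp becomes an aware datetime."""
    ts, _, rest = line.partition(" ")
    event = dict(field.split("=", 1) for field in rest.split())
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return event


def analyse(log_text):
    """Return (rule, user, object) alerts for the three rules below, in log order."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        user, action, obj = ev["user"], ev["action"], ev["object"]
        # Rule 1: a privileged account reading sensitive data is always surfaced
        # for review; outside business hours it is escalated.
        if user in PRIVILEGED_USERS and obj.startswith(SENSITIVE_PREFIXES):
            rule = "privileged-sensitive-access"
            if ev["ts"].hour not in BUSINESS_HOURS:
                rule = "privileged-sensitive-access-offhours"
            alerts.append((rule, user, obj))
        # Rule 2: clearing the audit log is how tracks get covered.
        if action == "clear" and obj == "audit-log":
            alerts.append(("audit-log-cleared", user, obj))
        # Rule 3: an account granting a role to itself.
        if action == "grant" and ev.get("target") == user:
            alerts.append(("self-privilege-grant", user, obj))
    return alerts


if __name__ == "__main__":
    for rule, user, obj in analyse(SAMPLE_AUDIT_LOG):
        print(f"{rule:40} {user:10} {obj}")
```

Two design points matter more than the rules themselves: the log being analysed has to be written somewhere the privileged user cannot edit (otherwise rule 2 never fires), and the ‘sensitive’ set should come from the value of the information asset, which is exactly the point the post makes about exceptions granted on seniority rather than on asset value.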

One more layer to add on top of this would be BYOD. Many businesses have considered whether BYOD is a good choice for them and many have decided to adopt it. Whilst data suggests it may contribute to data breaches in adopting organisations, it can be a problem even for those who do not adopt it, as yet again senior execs are allowed latitude regarding the devices they use and may not be subject to the same scrutiny or oversight that general employees are. We know that almost a third of employees have lost up to 3 work mobile devices; we do not know how many have lost their own device as well, or whether it contained sensitive or valuable business data. We do know that some of these will be senior executives, though, and this, combined with other risky behaviours (check this out: https://uk.pinterest.com/pin/38632509277975844/), will be a major contributor to the risk profile that they represent.

Technical Security Skill Shortfall Means Heightened Risk Levels For Business

First published in Outsource Magazine September 12 2013

A report commissioned by IBM concluded that Technical Information Security Skills are in short supply and that this is creating vulnerability and risk in business. The research, carried out by Forrester Research Inc., revealed that even mature organisations are facing increased risk exposure due to difficulty sourcing and retaining Information Security talent.

Overall, 80% of Chief Information Security Officers are finding it difficult or very difficult to recruit technical security staff that meet all their needs, according to the research. A range of issues are feeding this difficulty, and the resulting concerns about rising risk levels include some very disturbing elements, as unfilled roles create anxiety. Only 8% of respondents said that they didn’t have a problem with security staffing issues.

The remaining 92% identified some key areas for concern that any business should be considering, regardless of whether or not they think they have a security talent issue. Whilst the solution for many businesses has been to recruit further down the experience ladder, you can see from the kind of pinch points identified here that this is not a sustainable solution. Whilst it may ‘fill a security role’, it is not filling the right one.

  • external threats not understood or discovered (27%)
  • deadlines not met/projects taking longer to complete (27%)
  • a growing gap between threat and controls (24%)
  • technical control systems not fully effective (this is anti-malware and such like) (22%)
  • technical risks not identified (20%)
  • technical control systems not implemented (20%)
  • technical risks are unresolved (20%)
  • security road map is unclear (20%)
  • internal technical security audits are not undertaken (20%)
  • Process-based controls (e.g., segregation of duties, privilege review) are poorly defined, dated, or inefficient (18%)
  • concern that Security architecture is complied with (17%)
  • It has prevented adoption of new technology (e.g., cloud, BYOD) NB. Given some of the concerns we have seen in the list so far, this is probably a blessing. (16%)
  • External technical security audits are not undertaken (e.g., at service suppliers, supply chain)  (15%)
  • It has prevented business agility and/or growth (13%)
  • Security architecture is poorly defined (13%)

These results show us not only that there is an increased risk to business from the skill shortage, but that the kind of risk business is facing is not simply about architecture and cyber threat but also about the prevention of growth and agility. These are positive contributions that security can make, and their inclusion as potential risks shows a willingness to move security out of the cost column and into the investment column, but again this is being thwarted by the skill shortage. This may reveal itself in a lack of confidence in moving certain functions or activities to the Cloud, or perhaps in not instituting Bring Your Own Device (BYOD). Whilst it is better not to do these things if you do not know whether they are within your organisation’s Risk Appetite, if you do not know what that Appetite is, and there is no one sufficiently knowledgeable and skilled to ascertain it and then mitigate the risk if appropriate, then an organisation may be disadvantaged. This might mean it becomes a less appealing choice for potential new and highly skilled employees in other parts of the organisation, who perhaps demand BYOD as standard along with the flexibility it brings.

Commercially, robust security and resilience are becoming a must-have, and increasingly organisations are being asked to demonstrate and prove themselves in these areas. Businesses that have worked with Her Majesty’s Government and the Public Sector will be familiar with their extensive security requirements, for instance, but others are now finding that if they want to grow their business, the onus is on them to be able to prove their security credentials. This pressure is coming from larger organisations, not just public bodies, as they realise how important it is for their supply chain to be resilient. Again, this is a real stumbling block if you simply do not have the in-house skills to handle a project like ISO 27001 certification or compliance. So the risks that are immediately apparent in terms of what might happen to a business without the appropriate level of security skill are actually more convoluted than they first appear.

A perception of security as a business enabler is one that many security professionals have tried to promote for a long time, and the idea of growing a business within its Risk Appetite is common sense. For too long the perception of Security has been that Security will just say no to innovation, change and anything even vaguely risky-sounding. It is disappointing to think that, just as the paradigm looks ripe to shift (in the right direction), it is being stymied by a lack of high-level skills. All of these challenges presuppose that the organisation has the budget to employ the skilled person they need.

Physical security like manned guarding has been on the outsource list for many years; information security has not always been viewed the same way. Depending on the level of challenge, size of organisation and actual (not perceived) threat and risk, there may be a viable alternative to a full-time senior technical security person, through outsourcing. Perhaps if the challenge is to get through a particular project, then the high-level skillset may only be required at certain times, not constantly. If there is a tipping point at which the need for the skills is justified commercially, this may come a lot sooner if there is an opportunity to fill the gap without actually having to finance an FTE with all of the cost that entails. Given the difficulty in sourcing high-level skills, the best talent is following the money, leaving many organisations in an uncertain security vacuum. Outsourcing may be the solution, on either a project or a buy-as-you-need basis. It may provide a much more cost-effective solution to a convoluted set of challenges that are not showing any sign of going away or simplifying. It may also mean a level of skill and experience far in excess of that which may have been within budget for an FTE.

Of course, being certain of your partner in any outsourcing endeavour is vital, and so is due diligence on potential suppliers. As a rough guide, here are some questions you should be asking.

  • Does my partner understand my organisation and its business drivers and growth imperatives?
  • Can they provide qualifications, certifications, track record, references, case studies and a cultural fit?
  • Are they flexible enough for my needs? Are they able to flex up and down as required or am I going to be rigidly contracted to a number of days per month?
  • Do we have specialist or generalist needs?
  • Do we want access to an expert individual or a team of experts?
  • Do we want Strategy, Policy, Risk skills?
  • Do we want our partner to be capable of working successfully with C-level stakeholders or at the ‘coalface’ or both?

9 out of 10 TMTs think they are not vulnerable to cyber attack…think on..

According to the latest Deloitte Global Technology, Media and Telecomms (TMT) survey, 88% of respondents felt their organisation was not vulnerable to cyber attack, despite almost 60% of them having already experienced at least one security breach. (you can download the full report here)

Employees – Insider Threat

Companies also said that employee mistakes were the top threat when it comes to Information Security. Whilst it isn’t a surprise that this is the top threat, the reluctance to face the insider threat (let’s face it, it doesn’t have to be malice aforethought) has seemed hard to shake. It is something we have discussed on this blog before. It’s disappointing that, having acknowledged that employees are a real issue, only 48% of businesses offer Security Awareness training. This is creating vulnerability needlessly. Security Awareness should be an integrated part of business. Having said that, the tendency to push Security onto IT is part of the problem. IT can look after IT security, but information has to be safeguarded in all its forms, and that means anyone who uses it has to be responsible for its security. That means all employees have a part to play. This also explains why employees are the top threat to security.


Can’t happen to us….

BYOD

There is a growing awareness of the potential threat from increased use of mobile devices.


The co-existence of personal and business data and applications makes mobile devices highly prized for theft, and also marvellous new entry points for a cyber attack. Figures from a previous Ponemon Institute survey showed that the majority of respondents carried sensitive data on mobile devices ‘frequently or very frequently’, yet the same survey showed that over a third of data breaches had come from lost or stolen devices, and that almost 60% of employees spent no time whatsoever on data protection activities.


Given these figures, a firm grip on your organisation’s Risk Appetite and Tolerance is a must before an informed decision can be made on BYOD…


Infographic: Mobile workstyles on the rise

It’s growing and it’s popular. Worryingly, though, Ponemon’s recent Infosec survey said that 56% of employees carry sensitive data on mobile devices and 35% had lost mobile devices. Not surprising, then, that 56% also said they spent no time at all on Data Protection.
BYOD needs to be in step with security, and employees need to be highly security aware to avoid this kind of loss; otherwise it starts to look like an inevitable outcome.
The decision to embrace BYOD should be in line with the organisation’s Risk Appetite and Tolerance.

SourceYour | So You Know Better


Bring Your Own Device to work, let’s think about that one…

Should it work for you but more importantly can it work for you?

Dave Wharton, Senior Security Consultant, Advent IM

With the proliferation of smartphones and tablets there is a growing trend that allows, or turns a blind eye to, the use of personal devices for work purposes. But is it safe, and can a company really justify it in the event something goes wrong?

In an era where flexibility and mobility are key, there seems to be a growing acceptance by companies (or is it a sense of inevitability?) that staff should be allowed to use their own devices to do their work on – BYOD. Whether this is using a PC at home or using their smartphones, tablets and laptops on the move, there is no question staff are doing it, either with or without the blessing of their company. A recent BBC article on BYOD quoted a survey by Avanade (a business technology company) which found that 88% of executives said employees used their own devices for business purposes (http://www.bbc.co.uk/news/business-17017570). Another survey found that while 48% of employers would never allow BYOD, 57% agreed that some staff used personal devices without consent.

So what, might you ask? 

“My PC at work is slow and takes an age to open an email, and if I try to do two things at once it just freezes,” or “My boss needs this by tomorrow and I’ll be damned if I’m staying behind again tonight.”

When faced with such challenges, is it any wonder that staff want to take advantage of their state-of-the-art device that provides functionality and performance a company ICT manager can only dream of? The appeal to companies is there also: productivity improves and staff are content, but at what price? Companies that allow BYOD should be under no illusion: it does not come without risk. By allowing staff to use their own devices, companies are in effect relinquishing control of how their information (sensitive or otherwise) is imported to and exported from their business networks, and are also allowing the connection of untrusted devices, thereby increasing the risk of malware attacks and data compromise and, perhaps more worryingly, exposing the business to reputational harm or costly fines in the event of a data protection breach. Is there any managing director or senior partner who would welcome the scrutiny of the Information Commissioner’s Office?

So what is the answer? The straightforward answer is not to allow it, and I am not going to advocate the use of BYOD here. There are a number of reasons why you shouldn’t and perhaps only one reason why you should. While employee satisfaction is clearly important, the main advantage to employers comes down to cost. By allowing BYOD there are potential savings in ICT infrastructure, as in effect you are passing (somewhat unfairly) the burden of upgrades to your staff. You could even offer staff an annual bonus for using their own devices, to share the cost of upgrading, and still save money. A very convincing argument in favour of BYOD was also presented on ZDNet (http://www.zdnet.com/blog/virtualization/byod-the-inevitable-reality/3953), although I would disagree (obviously) with the views on security and argue that this is where governance comes in (see below).

However, as I said earlier, if you do so you relinquish control, which in my view will always be too high a price. Now some will argue that as soon as you provide staff with a smartphone or laptop you lose control of these devices the second they walk off the premises, so why worry about using BYOD? However, I would contend that this is where governance comes in. Issuing staff with company-owned devices means you determine (among other things):

  • What devices are permitted;
  • The operating system and how it is kept secure with the latest security updates and patches;
  • The strength and quality of passwords used;
  • What anti-malware software is used and, perhaps more importantly, how it is updated;
  • How data is stored and protected on the device;
  • How and where the device connects to the internet;
  • What removable media (e.g. USB memory sticks, CDs, etc.) is permitted.

And with governance and compliance checking you can ensure that the above points are always maintained and that the device is used in accordance with your company’s acceptable use policies. Can you honestly say your staff will be as vigilant in protecting their own devices? Have a look at this regarding passwords on mobile phones (http://www.scmagazineuk.com/consumers-failing-to-take-mobile-security-seriously-says-sophos/article/209294/). You may also want to consider that your staff will probably let their friends and family use their own devices, but will be less inclined to do so with a company-owned device.

To support my view I have a challenge for you. Take a look at the advice for an effective cyber defence provided by the UK Government’s Centre for the Protection of Critical National Infrastructure (http://www.cpni.gov.uk/advice/infosec/Critical-controls) and see how allowing BYOD compares against the advice provided. You might also want to see how your organisation’s ICT infrastructure meets the listed controls while you’re on, particularly if you are holding large volumes of customer personal data.

So should/can BYOD work for you? My answer is no on both counts. My advice is that organisations that want to protect their own information and that of their clients should consider implementing an information security management system, such as that provided by the International Standards Organisation 27001 standard, which provides a structured series of controls, part of which will assist organisations in implementing a business-supporting and secure ICT programme.

However, despite my claim that I wouldn’t advocate the use of BYOD, if you find yourself in a position where you have no choice, there are some steps you can take to reduce the risk (if only slightly) of BYOD:

  1. Identify what types of devices will be permitted and which won’t;
  2. Authorise permitted devices and block all others;
  3. Segregate particularly sensitive company/client data on the network and consider what access will be permitted from remote devices;
  4. Insist on specific encryption standards for data storage and using WiFi;
  5. Insist that anti-malware is installed, kept up to date and the device is regularly scanned;
  6. Insist that a remote emergency wiping capability is added to the device for if the device is lost/stolen;
  7. Keep up to date with the latest threats and vulnerabilities and have a policy in place for responding accordingly;
  8. Develop, educate and enforce BYOD policies that cover Steps 1 to 7 and:
    • Immediate actions if the device is lost or stolen;
    • The impact on a staff member’s expectation to privacy when connecting their device to the company network;
    • How the device can connect to company networks;
    • Acceptable use for email and the internet;
    • The wiping of data when a staff member upgrades/replaces their device;
    • The wiping of data when a staff member leaves the company.

Consider compliance checking on devices to ensure the above is occurring;

Consider what support options the company might offer for the devices.
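Steps 1, 2, 4, 5 and 6 above, and the compliance checking suggested straight after them, are the kind of thing that can be evaluated automatically against a device inventory. The Python below is an added worked example and not part of the original article: it encodes an assumed policy (permitted platforms with minimum OS versions, mandatory storage encryption and remote wipe, a maximum anti-malware signature age), an authorised-device list, and a constructed inventory of four devices, and returns an allow or block decision with reasons for each. The same checks cover the earlier list of what a company determines for the devices it issues itself (permitted devices, patch level, anti-malware, data protection on the device). All device identifiers, version thresholds and dates are made up for the example.

```python
from datetime import date

# Assumed policy values for this illustration (the article sets no specific numbers).
POLICY = {
    "permitted_platforms": {"ios": (12, 0), "android": (9, 0)},  # platform -> minimum OS version
    "require_encryption": True,
    "require_remote_wipe": True,
    "max_signature_age_days": 7,
}
# Step 2: only explicitly authorised devices get access; everything else is blocked.
AUTHORISED_DEVICE_IDS = {"dev-1001", "dev-1002", "dev-1003"}
# The date the check is run, fixed so the example is reproducible.
AS_OF = date(2020, 4, 3)

# Constructed inventory, as an MDM agent or registration form might report it.
DEVICES = [
    {"id": "dev-1001", "platform": "ios", "os_version": "13.4",
     "encrypted": True, "remote_wipe": True, "signatures_updated": date(2020, 4, 1)},
    {"id": "dev-1002", "platform": "android", "os_version": "8.1",
     "encrypted": True, "remote_wipe": True, "signatures_updated": date(2020, 3, 20)},
    {"id": "dev-1003", "platform": "android", "os_version": "10.0",
     "encrypted": False, "remote_wipe": False, "signatures_updated": date(2020, 4, 2)},
    {"id": "dev-9999", "platform": "ios", "os_version": "13.4",
     "encrypted": True, "remote_wipe": True, "signatures_updated": date(2020, 4, 2)},
]


def parse_version(text):
    """'13.4' -> (13, 4) so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in text.split("."))


def evaluate(device, today, policy=POLICY, authorised=AUTHORISED_DEVICE_IDS):
    """Return ('allow' | 'block', [reasons]) for one device against the policy."""
    reasons = []
    if device["id"] not in authorised:
        reasons.append("device not on the authorised list")
    minimum = policy["permitted_platforms"].get(device["platform"])
    if minimum is None:
        reasons.append(f"platform {device['platform']} not permitted")
    elif parse_version(device["os_version"]) < minimum:
        reasons.append(f"OS {device['os_version']} below minimum {'.'.join(map(str, minimum))}")
    if policy["require_encryption"] and not device["encrypted"]:
        reasons.append("storage not encrypted")
    if policy["require_remote_wipe"] and not device["remote_wipe"]:
        reasons.append("remote wipe not enrolled")
    age = (today - device["signatures_updated"]).days
    if age > policy["max_signature_age_days"]:
        reasons.append(f"anti-malware signatures {age} days old")
    return ("block" if reasons else "allow", reasons)


def evaluate_all(devices, today):
    """Map device id -> (decision, reasons) for a whole inventory."""
    return {d["id"]: evaluate(d, today) for d in devices}


if __name__ == "__main__":
    for device_id, (decision, reasons) in evaluate_all(DEVICES, AS_OF).items():
        print(f"{device_id}: {decision} {reasons}")
```

Running it allows only dev-1001; the others are blocked for an old OS and stale signatures, for missing encryption and remote wipe, and for not being on the authorised list at all. Every reason is reported rather than just the first, which is what makes the output useful for the compliance-checking conversation with the device owner.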

Dave Wharton, Senior Security Consultant, Advent IM