5 Easy Ways to Lose Important Company Information: Why mobile devices are a hacker’s best friends

If you study malware and hacking long enough, you begin to wonder if there is any system that is safe from attack. You may begin to think that if someone really wants what you have on your computer or in your company files, they will eventually get it. And if you think this way, you are probably right. A dedicated attacker will find their way into your system and get whatever it is they want. If you doubt this, take a look at the history of challenges in the Pwn2Own hacking contests and see what previously thought-to-be-safe software and devices were successfully hacked in a relatively short time.

A Trend Micro-sponsored Ponemon Institute study found that more than 78% of organizations have had at least one data breach over the past two years. On top of that, an additional 13% of companies are uncertain as to whether they have lost data or not. This statistic is similar to a 2011 Computerworld study that claimed that 90% of companies have been hacked.

Such attacks cannot be taken lightly. According to the National Cyber Security Alliance, 60% of small businesses (under 250 employees) that have been hacked went out of business within 6 months. Large companies may be better positioned to absorb the financial loss of such an attack, but the loss to their reputations may take much longer to repair. Yet, no matter what size your company may be, just imagine if your competitors suddenly gained access to your most important secret information. How much of your marketplace advantage would you lose? In other words, if you think paying for the best security is expensive, see what it will cost you if you have a security breach.

With this in mind, let’s look at 5 ways you can make it easier for those who want your information to get it.

1. Let your workers connect to your network through their mobile devices and copy work files from and to these devices at will. Don’t even worry about managing the use of these devices. Although this attitude is far from unusual, small and medium-sized businesses are more guilty of this than larger corporations. They seem to think that they aren’t big enough for hackers to care about. Unfortunately for them, this conclusion couldn’t be further from the truth. It is estimated that cyber criminals steal a billion dollars a year from small and medium-sized companies. Attitudes towards mobile device management (MDM) are changing in large companies but a surprising number of them still lack any good mobile management policies.

2. Implement a BYOD (Bring Your Own Device) system with MDM. At least this strategy realizes that personal use of a tablet or smartphone should be kept separate from work use. There’s one big problem with a BYOD system, however. The devices you want to manage aren’t really your devices. They belong to the workers. How much can you watch or control their browsing habits? What right have you to know where they are at any given moment? However, without this capability, you cannot remotely wipe a lost device to purge it of sensitive information that it may contain. Without complete control over an employee’s browsing habits, you risk having malware downloaded onto these devices which could, then, position themselves to compromise the work environment. These privacy concerns do not seem to hinder the movement towards BYOD programs, however. Gartner estimates that, by 2017, 50% of companies will require workers to supply their own devices. But what devices? Will companies permit workers to use any device they own or will they only allow a certain subset of what are considered secure devices? In this case, workers may be forced to either buy more expensive devices or try to circumvent the companies MDM. Besides, micromanaging every employee’s mobile device may prove to be practically impossible. Vulnerabilities are inevitable.

3. Implement a COPE (Corporate Owned Personally Enabled) policy with MDM. This seems to get around the privacy issue. If the company is supplying the mobile device, then they have the right to control it in any way that they like. They can also deal with only one type of device, which would make MDM much easier and the system more secure. Many companies employ some sort of containerization (sandboxing, virtualization) to secure their systems. This prevents applications from communicating with each other thus protecting the network. Encryption is often used to supply an additional layer of protection. Apple uses containerization on its devices. Unfortunately, vulnerabilities exist in any system and these are often exploited by malware. The malware finds a way to get elevated permission (getting administrator rights) which allows it to circumvent the sandbox, giving free access to anything on the network. Examples of such attacks are Evasion (Apple, February 2013) and the Exynos exploit (Android,December 2012).

4. Make sure that the work environment is separated from the personal environment at the kernel level. Basically, this is what Samsung Knox does, along with its use of TrustZone. Samsung Knox was supposed to be the gold standard for mobile device security; that is, until cybersecurity researchers at Israel’s Ben-Gurion University discovered “a serious threat to all users of phones based on [Knox] architecture.” In the end, software is software and, as such, will have vulnerabilities that can be exploited.

5. Purchase a mobile device that was either made in China or has chips that are made in China. For some time, this would have been considered nothing but paranoia. This changed when Lenovo computers, made in China, were found with hardware modifications that could give remote users access to these devices. Later, compromised chips were found in everything from kitchen appliances to cell phones, If security is a priority, this factor needs to be considered.

The InZero WorkPlay Tablet Solution
There is only one tablet that addresses all the issues mentioned above. That is InZero’s WorkPlay Tablet. To begin with, the company made the conscious decision not to have its tablets made in mainland China. They then developed a way to separate the work and personal environment at the hardware level, making it impossible for one tablet zone to cross over to the other. Users are able to switch between the zones at the press of an icon, but no information can cross the barrier because each zone has its own operating system. This solves the personal privacy issue as it allows employees to do whatever they like on the personal side of the tablet. Since there still exists the issue of lost or stolen tablets (one in six tablets have been found to be either lost or stolen) and the need to remotely wipe or lock down such tablets, InZero supports this aspect of the COPE environment. In short, if security is a priority for your company or organization, The WorkPlay Tablet may be the solution you are looking for.

About Steve Mierzejewski

Marketing consultant for InZero Systems, developer of the next generation in hardware-separated security, WorkPlay Technology. I've worked in Poland, Japan, Korea, China, and Afghanistan. I'm a writer, technical editor, and an educator. I also do some work as a test developer for Michigan State University.
This entry was posted in Uncategorized and tagged , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s