Friday, 23 May 2014

BYOD? Bring your own disaster

BYOD. Bring Your Own Device should be renamed Bring Your Own Disaster.

I got an email from eBay telling me to change my password because their security was compromised (apparently it happened three months ago) and I was at risk of having my account hacked. This made me very angry because they appeared to say, hey, shit happens!

It seems massive security breaches are in danger of becoming passé: eBay, Target, Evernote, Adobe; the list goes on and unfortunately continues to grow. Businesses seem not to have realised that securing information, whether their own corporate information or their customers' data, is not an optional add-on. It must form the core of any e-business.

Get your head out of the sand

Does anyone remember, not so long ago, when sensitive or private information was locked in a safe, an office or your desk? The same attitude has not been applied to e-data, and we, the customers, are liable to pay for this absurd lack of basic common sense exhibited by oblivious corporations.

The eBay breach is a case that requires further exploration. According to Reuters, eBay stated the hackers got in after obtaining the corporate login credentials for "a small number" of employees. There is hope that we may find out how the hackers obtained this data, as Lisa Madigan, Illinois attorney general, and Connecticut AG George Jepsen announced this week that they will be looking into the circumstances surrounding the breach, as well as the steps eBay is taking to prevent future incidents. We may not get the gritty details of how the hackers obtained the eBay employee credentials, but the main ways for hackers to gain this type of intelligence are:

· Social engineering or phishing
· Malware apps containing keyloggers on mobile devices and desktops
· Trojan horse attacks

All of the above attacks require an unwitting or purposeful action by a user to be successful. Now we should ask how eBay's "small number of hacked employees", no matter how junior or senior, came to be responsible for the data security of millions of customers. The answer has to be that controls were not in place to properly manage the risks.

This brings me to BYOD (Bring Your Own Device to work). A recent Gartner survey of 995 U.S. employees in large businesses who used a personal mobile device for work found that, on average, they used their smartphones and tablets for one hour per day for work purposes. The report also goes on to say that smartphone users who bring their own devices to work are not concerned about security, and just a third (27%) of those who had security problems admitted this to their employer.

The report found that many workers ignore the most basic step of all: putting a lock on the device. This means that if a work phone is lost, sensitive data can be gone too. A recent survey by a phone insurer, of 1,000 adults, found that 43% of "bring your own device" users had no protection at all on their devices. Less than a third (31%) use PINs or passcodes on their devices. Even if the user puts a lock on the iPhone, it is still not good enough. Within the last week there have been several news items showing that a locked iPhone (the preferred replacement for a BlackBerry corporate device) can be unlocked free of charge through an easily accessed website offering. (I will not link to the site, but you can find it easily enough if you search.)

Meike Escherich, principal research analyst at Gartner, said, "The threat of cyber-attacks on mobile devices is increasing and can result in data loss, security breaches and compliance/regulatory violations."

I suspect that either eBay were extremely negligent in securing customers' data or they allowed unsecured devices access to customers' data. It is becoming crystal clear that non-IT-qualified employees, no matter how senior, are not competent to properly assess the risk of data breaches. It is also clear that all devices capable of accessing a corporate network should be barred from doing so, or else have strict controls placed on their ability to access data.

ESET Senior Security Researcher Stephen Cobb states clearly that "The phenomenon of organizations allowing or encouraging their employees to use their own computing devices for work is widespread in many countries, bringing with it some serious risks to company networks and data."

Regardless of how the eBay hack happened, whether it was a BYOD breach or negligent IT policies, we need to ask ourselves serious questions about how we as customers continue to allow corporate leaders to act irresponsibly with the information we freely give in the expectation of security.

The current trend of insecurely storing data on corporate systems needs a hard and objective review. My message to CEOs is simply: get your head out of the sand and GET A GRIP! Put in place controls and end-to-end security for all data. If you don't know how to do this, hire someone who does and LISTEN to them. E-business offers great opportunity but also great danger to you and your customers.

The good news is that it’s not hard to do. So just do it!