BYOD. Bring your own device should be renamed,
Bring Your Own Disaster
I got an email from eBay telling me to change my password because their security was compromised (apparently it happened three months ago) and I was at risk of having my account hacked. This made me very angry because they appeared to say, hey, shit happens!
It seems massive security breaches are in danger of becoming passé: eBay, Target, Evernote, Adobe; the list goes on and unfortunately continues to grow. Businesses seem not to have realised that securing information, whether their own corporate information or their customers' data, is not an optional add-on. It must form the core of any e-business.
Get your head out of the sand
Does anyone remember, not so long ago, when sensitive or private information was locked in a safe, an office or your desk? The same attitude has not been applied to e-data, and we, the customers, are liable to pay for this absurd lack of basic common sense exhibited by oblivious corporations.
The eBay breach is a case that requires further exploration. According to Reuters, eBay stated the hackers got in after obtaining the corporate login credentials for "a small number" of employees. There is hope that we may find out how the hackers obtained this data, as Lisa Madigan, Illinois attorney general, and Connecticut AG George Jepsen announced this week that they will be looking into the circumstances surrounding the breach, as well as the steps eBay is taking to prevent future incidents. We may not get the gritty details of how hackers obtained the eBay employee credentials, but the main ways for hackers to gain this type of intelligence are:
· Malware apps containing keyloggers on mobile devices and desktops.
All of the above hacks require an unwitting or purposeful action by a user to be successful. Now we should ask how eBay's "small number of hacked employees", no matter how junior or senior, came to be responsible for the data security of millions of customers. The answer has to be that controls were not in place to properly manage the risks.
This brings me to BYOD (Bring Your Own Device to work). A recent Gartner survey of 995 U.S. employees in large businesses who used a personal mobile device for work found that, on average, they used their smartphones and tablets for one hour per day for work purposes. The report also goes on to say that smartphone users who bring their own devices to work are not concerned about security, and just a third (27%) of those who had security problems admitted this to their employer.
The report found that many workers ignore the most basic step of all: putting a lock on the device. This means that if a work phone is lost, sensitive data can be gone too. A recent survey by a phone insurer of 1,000 adults found that 43% of "bring your own device" users had no protection at all on their devices. Less than a third (31%) use PINs or passcodes on their devices. Even if the user puts a lock on the iPhone, it is still not good enough. Within the last week there have been several news items showing that a locked iPhone (the preferred replacement for a BlackBerry corporate device) can be unlocked free of charge through an easily accessed website offering. (I will not link to the site, but you can find it easily enough if you search.)
Meike Escherich, principal research analyst at Gartner, said, "The threat of cyber-attacks on mobile devices is increasing and can result in data loss, security breaches and compliance/regulatory violations."
I suspect that either eBay were extremely negligent in securing customers' data or they allowed unsecured devices access to customers' data. It is becoming crystal clear that non-IT-qualified employees, no matter how senior, are not competent to properly assess the risk of data breaches. It is also clear that all devices capable of accessing a corporate network should be barred from doing so or else have strict controls placed on their ability to access data.
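The two failures the post describes, a stolen employee password being enough on its own and an unlocked personal device reaching corporate data, are both addressed by the same kind of control: an access decision that combines the login result with the device's posture. The following is an added example written for this article, not code from eBay, Gartner, ESET or the author; the posture fields (screen lock, encryption, management enrolment, patch level) and the sample login attempts are constructed assumptions about what a BYOD enrolment agent might report.

```python
"""Conditional-access check for BYOD devices (illustrative, added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple


class Decision(Enum):
    DENY = "deny"          # no access to corporate resources at all
    LIMITED = "limited"    # mail and calendar only, no customer data
    FULL = "full"          # customer data permitted


@dataclass(frozen=True)
class DevicePosture:
    """Hypothetical facts a device-enrolment agent would report (assumed fields)."""
    device_id: str
    screen_lock: bool   # PIN or passcode set: the basic step many users skip
    encrypted: bool     # storage encryption on, so a lost phone does not leak data
    managed: bool       # enrolled in the company's device management
    os_patched: bool    # running a currently supported OS build


@dataclass(frozen=True)
class AuthContext:
    """Outcome of the login attempt itself."""
    user: str
    password_ok: bool
    mfa_ok: bool        # second factor verified on a separate channel


def decide_access(auth: AuthContext, posture: DevicePosture) -> Tuple[Decision, str]:
    """Combine credential checks and device posture into one access decision."""
    # A password captured by a keylogger must never be sufficient on its own.
    if not auth.password_ok:
        return Decision.DENY, "password rejected"
    if not auth.mfa_ok:
        return Decision.DENY, "second factor missing: password alone is insufficient"
    # An unlocked or unencrypted device exposes data the moment it is lost.
    if not posture.screen_lock:
        return Decision.DENY, "device has no screen lock"
    if not posture.encrypted:
        return Decision.DENY, "device storage is not encrypted"
    # Locked and encrypted but outside management: keep it away from customer data.
    if not (posture.managed and posture.os_patched):
        return Decision.LIMITED, "unmanaged or unpatched device: customer data withheld"
    return Decision.FULL, "device and credentials meet policy"


def audit_line(auth: AuthContext, posture: DevicePosture) -> str:
    """One log line per decision so security operations can review denials."""
    decision, reason = decide_access(auth, posture)
    return (f"user={auth.user} device={posture.device_id} "
            f"decision={decision.value} reason={reason!r}")


# Constructed sample attempts: each pair is (login result, device posture).
SAMPLE_ATTEMPTS: List[Tuple[AuthContext, DevicePosture]] = [
    # Correct password but no second factor: the stolen-credential case.
    (AuthContext("alice", True, False), DevicePosture("phone-alice", True, True, True, True)),
    # Full credentials but the phone has no lock: the "43% with no protection" case.
    (AuthContext("bob", True, True), DevicePosture("phone-bob", False, False, False, True)),
    # Locked and encrypted personal phone that is not enrolled in management.
    (AuthContext("carol", True, True), DevicePosture("phone-carol", True, True, False, True)),
    # Managed, patched, locked, encrypted, with MFA: meets policy.
    (AuthContext("dave", True, True), DevicePosture("phone-dave", True, True, True, True)),
]


def evaluate_all(attempts: List[Tuple[AuthContext, DevicePosture]]) -> Dict[str, Decision]:
    """Map each device id to the decision the policy produces for it."""
    return {posture.device_id: decide_access(auth, posture)[0] for auth, posture in attempts}


if __name__ == "__main__":
    for auth, posture in SAMPLE_ATTEMPTS:
        print(audit_line(auth, posture))
```

The order of the checks matters: credentials are tested before posture so that a device never learns whether it would have passed policy with a password that was wrong, and the weakest device failures (no lock, no encryption) are hard denials rather than a downgrade, because those are the conditions under which a lost phone hands over whatever it holds.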
ESET Senior Security Researcher Stephen Cobb states clearly that "The phenomenon of organizations allowing or encouraging their employees to use their own computing devices for work is widespread in many countries, bringing with it some serious risks to company networks and data."
Regardless of how the eBay hack happened, whether it was a BYOD breach or negligent IT policies, we need to ask ourselves serious questions about how we as customers continue to allow corporate leaders to act irresponsibly with the information we freely give in the expectation of security.
The current trend of insecurely storing data on corporate systems needs a hard and objective review.
My message to CEOs is simply: get your head out of the sand and GET A GRIP! Put in place controls and end-to-end security for all data. If you don't know how to do this, hire someone who does and LISTEN to them. E-business offers great opportunity but also great danger to you and your customers.
The good news is that it's not hard to do. So just do it!