Risks Associated with BYOD

A "bring your own device (BYOD)" policy is when an organization allows employees to use their own devices on the company network. While this can save the organization money and allow for more employee freedom, there are security risks associated with it. This article explains the principles of BYOD, some benefits of BYOD for an organization, and the many ways that BYOD can increase the risk to a company's data and information systems.

Literature review and findings

Strategic incremental concerns and risks

Malware

Malware enables hackers to steal passwords and in some cases even creates an opportunity for the hacker to take control of the organisation's computer systems, including those that run smartphones and tablets (Staut 2012). With the BYOD concept being adopted by an increasing number of organisations across all business sectors, it comes as no surprise that many organisations are increasingly affected by malware, since the volume of new malicious software targeting smartphones and tablets has grown. The Ponemon Institute LLC (2012) indicated that the traditional security solutions most organisations employ, such as antivirus, firewalls and passwords, are not effective in stopping malicious or negligent employees from introducing advanced malware into the organisation's computer systems. Users who access the Internet from their mobile devices are at constant risk of exposure to web-based threats, including data-stealing malware. When a device downloads a new mobile application from any online application store, the software may contain malware that can steal or damage data on the device and, in some cases, even disable the mobile device itself. According to the CISCO survey results, 69% of BYOD users were using unapproved applications on their devices, a practice that is difficult to detect. The recent increase in Android malware magnifies this problem. If an organisation fails to put proper internal controls in place to manage the risks associated with malware, it could become the target of a malware attack with a disastrous impact on the organisation.

Data leakage

Each organisation has different types of data which it deals with on a daily basis. Some data types are more sensitive than others; for example, documents containing trade secrets or confidential client information would be more important than the organisation's policy on whistle-blowing. The risks associated with data leakage on mobile platforms have become a bigger problem than malware. It is for this reason that organisations should be interested in safeguarding their data in order to prevent unauthorised individuals from gaining access to what could be seen as their most important asset. If an organisation has deployed a BYOD programme, there is a high probability that employees will sync their mobile devices with their home computers. This increases the risk of data leakage, as the employee's home computer may already be infected with malware such as Trojan horses and spyware which would compromise the security of corporate data. If the employee's home computer has any unpatched vulnerabilities, cybercriminals gain a way to access the mobile data that has been backed up, stored or synced onto the employee's home computer.

Willis (2013) stated that most mobile devices are designed to share data via the cloud. Rouse (2010) indicated that cloud computing involves delivering hosted services over the Internet. Whilst cloud-based sharing and storage of personal data is convenient, employees may forward sensitive documents and presentations relating to the organisation to personal email accounts such as Google Mail or file storage services such as Dropbox so that they can access the information on their mobile device at a later stage. This creates a 'shadow infrastructure' over which the organisation has little to no control and results in a direct increase in the risk of data leakage taking place. The Ponemon Institute found that the average organisational cost of a data breach increased to $7.2 million and cost companies an average of $214 per compromised record. Failure on behalf of an organisation to safeguard its data through the implementation of proper internal controls could result in the organisation not only suffering legal action and huge financial losses but, depending on the extent of the breach, also suffering irreparable damage to its ability to continue operating in the future.
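One internal control the passage above calls for is visibility into the 'shadow infrastructure' channel: corporate mail that carries attachments out to personal webmail or consumer file-sharing services. The following script is an added example, not from the article or any product it cites; the log format, the sample lines, the domain lists and the placeholder corporate domain `example.org` are all constructed for the illustration and would be replaced by an organisation's real mail-gateway logs and its own lists.

```python
"""Flag outbound corporate mail that looks like 'shadow infrastructure' data leakage.

Added example (not from the article). Log format, domain lists and sample
lines are constructed; the corporate domain is a placeholder.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Consumer services an employee might use to get documents onto a personal device.
# These lists are assumptions for the example and should be tuned per organisation.
PERSONAL_WEBMAIL = {"gmail.com", "googlemail.com", "outlook.com", "hotmail.com", "yahoo.com"}
FILE_SHARING = {"dropbox.com", "wetransfer.com", "box.com"}
CORPORATE_DOMAIN = "example.org"  # placeholder, not a real organisation

# Constructed gateway log line: timestamp, sender, recipient, attachment count, size.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<recipient>\S+) "
    r"attachments=(?P<attachments>\d+) bytes=(?P<bytes>\d+)$"
)


@dataclass
class Finding:
    ts: str
    sender: str
    recipient: str
    reason: str
    attachments: int
    size_bytes: int


def split_address(address: str):
    """Return (local part, domain), both lower-cased."""
    local, _, domain = address.lower().rpartition("@")
    return local, domain


def classify(sender: str, recipient: str, attachments: int) -> Optional[str]:
    """Return a reason string if the message looks like leakage to a personal channel, else None."""
    s_local, s_domain = split_address(sender)
    r_local, r_domain = split_address(recipient)
    # Only outbound corporate mail that actually carries files is of interest here.
    if s_domain != CORPORATE_DOMAIN or attachments == 0:
        return None
    if r_domain in FILE_SHARING:
        return "attachment sent to file-sharing service"
    if r_domain in PERSONAL_WEBMAIL:
        # Same local part at a webmail provider is the classic self-forward pattern.
        if r_local == s_local:
            return "self-forward to personal webmail"
        return "attachment sent to personal webmail"
    return None


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; malformed lines return None so a scan never aborts on them."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["attachments"] = int(rec["attachments"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run the classifier over log lines and collect findings in log order."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec["sender"], rec["recipient"], rec["attachments"])
        if reason:
            findings.append(Finding(rec["ts"], rec["sender"], rec["recipient"],
                                    reason, rec["attachments"], rec["bytes"]))
    return findings


# Constructed sample log: one benign partner mail, one self-forward, one file-sharing
# upload, one webmail message with no attachment, one webmail message with a file,
# and one malformed line.
SAMPLE_LOG = """\
2013-05-06T08:12:03Z from=alice@example.org to=bob@partner.example attachments=1 bytes=204800
2013-05-06T08:15:41Z from=alice@example.org to=alice@gmail.com attachments=2 bytes=1048576
2013-05-06T09:01:10Z from=carol@example.org to=carol@example.org attachments=0 bytes=1200
2013-05-06T09:22:55Z from=dave@example.org to=upload@dropbox.com attachments=1 bytes=5242880
2013-05-06T10:03:07Z from=erin@example.org to=friend@yahoo.com attachments=0 bytes=900
2013-05-06T10:40:19Z from=tom@example.org to=jerry@hotmail.com attachments=1 bytes=30720
this line is malformed and is skipped
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.sender} -> {f.recipient}: {f.reason} "
              f"({f.attachments} file(s), {f.size_bytes} bytes)")
```

Run on the constructed log, the scan reports three of the six well-formed messages: the self-forward to Gmail, the Dropbox upload and the attachment sent to Hotmail; the partner mail and the attachment-free webmail message are left alone. In practice the domain lists would be maintained alongside the organisation's acceptable-use policy, and findings would feed a review queue rather than block mail outright, since a self-forward of a harmless file is common.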

Theft or loss of mobile devices

Mobile devices are popular amongst individuals of all ages. These devices are generally compact in nature, yet they can be used to perform tasks similar to most personal computers. It should come as no surprise that a report prepared by IBM (2011), as well as research conducted by Markelj and Bernik (2012), found that the most frequently seen mobile device security threats are the loss and the theft of these devices. The loss of a personal smartphone or tablet on which an employee has downloaded confidential data of the organisation creates an opportunity for a criminal to access the organisation's confidential information. This represents a serious security risk for the organisation. This is especially the case where the employee has not followed basic security practices such as locking the device with a strong password and encrypting sensitive data transmitted to and from the mobile device. Mobile data-bearing devices that are lost or stolen may contain sensitive or confidential information. The data stored on the device may be compromised if access to the device or the data is not effectively controlled. The risk of unauthorised access to the data is further increased as most organisations do not have the ability to remotely wipe a device if a smartphone is lost or stolen. Most employees do not know what to do if their device is lost or stolen. It is for this reason that users of mobile devices need to take precautionary measures so that they do not join the population of individuals whose device has been lost or stolen.

Connectivity of the device (Bluetooth and Wi-Fi)

Mobile devices offer broad Internet and network connectivity through varying channels including, but not limited to, Bluetooth and Wi-Fi technology. Anderson (2014) stated that when an authenticated device has other devices tethered to it, it may be possible for non-authenticated devices and users to gain access to the corporate network by connecting through the authenticated device. The threat to the corporate network is further increased because Bluetooth and Wi-Fi technology can easily be exploited to infect a mobile device with malware or compromise transmitted data. When a Bluetooth device is set to discoverable mode, it is very easy to scan for the device using a computer. Once the computer is connected to the device, it is able to download the private data located on the device. Users who make use of Bluetooth and Wi-Fi technology to connect to the Internet or to share information should be mindful that these channels may not be as safe as they may originally have thought.

Web-based applications

Web-based applications are quite often designed by individuals whom the owner of the mobile device may not know personally. Mobile device users normally download applications which are of interest to them onto their mobile devices. There are more than 700 000 apps in the Apple App Store and more than 700 000 apps in the Android Marketplace. When a device downloads a new mobile application from any online application store, the software may contain malware that can steal or damage data on the device and, in some cases, even disable the mobile device itself. It is not possible for application store owners to conduct in-depth code reviews of all applications. Anderson (2014) indicated that individuals are more than likely to use their personal mobile devices to access both personal and business applications. An IBM survey conducted on several hundred of its employees revealed that many of them were completely unaware which popular apps were security risks. The risks are further increased by the recent increase in Android malware. Web-based applications can therefore cause a substantial amount of damage to the organisation's IT infrastructure if the use of these applications is not properly controlled.
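The controls named across the 'Theft or loss of mobile devices' section (screen lock, strong passcode, encryption, the ability to remotely wipe) and the unapproved-application problem raised in both the 'Malware' and 'Web-based applications' sections are usually enforced together as a device posture check before a personal device is given corporate data. The script below is an added example, not from the article or from any MDM product; the device records, the approved application identifiers, the minimum passcode length and the decision labels are all constructed assumptions standing in for what an organisation's own device-management inventory would supply.

```python
"""Evaluate BYOD device posture before granting access to corporate data.

Added example (not from the article). Device records, approved app IDs and
policy thresholds are constructed assumptions for the illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List

MIN_PASSCODE_LENGTH = 6  # assumed organisational minimum
# Placeholder application identifiers; a real list comes from the organisation's app catalogue.
APPROVED_APPS = {"com.example.mail", "com.example.docs", "com.example.vpn"}


@dataclass
class Device:
    device_id: str
    owner: str
    screen_lock: bool
    passcode_length: int
    storage_encrypted: bool
    mdm_enrolled: bool          # enrolment is what makes a remote wipe possible
    reported_lost: bool = False
    installed_apps: List[str] = field(default_factory=list)


def evaluate(device: Device) -> List[str]:
    """Return the list of policy violations; an empty list means the device is compliant."""
    violations: List[str] = []
    if not device.screen_lock:
        violations.append("no screen lock")
    elif device.passcode_length < MIN_PASSCODE_LENGTH:
        violations.append(f"passcode shorter than {MIN_PASSCODE_LENGTH} characters")
    if not device.storage_encrypted:
        violations.append("storage not encrypted")
    if not device.mdm_enrolled:
        violations.append("not enrolled for remote wipe")
    unapproved = sorted(set(device.installed_apps) - APPROVED_APPS)
    if unapproved:
        violations.append("unapproved apps: " + ", ".join(unapproved))
    return violations


def decide(device: Device) -> str:
    """Map posture to an action.

    A device reported lost is handled first: wipe it if enrolment allows, otherwise
    the only remaining control is to revoke the credentials cached on it.
    """
    if device.reported_lost:
        return "remote-wipe" if device.mdm_enrolled else "revoke-credentials"
    return "allow" if not evaluate(device) else "deny"


def assess_inventory(devices: List[Device]) -> Dict[str, dict]:
    """Produce a per-device report suitable for an access-control or audit review."""
    return {
        d.device_id: {"owner": d.owner, "decision": decide(d), "violations": evaluate(d)}
        for d in devices
    }


# Constructed inventory: compliant, missing lock, short passcode plus unknown app,
# lost but enrolled, lost and never enrolled.
INVENTORY = [
    Device("dev-001", "alice", True, 8, True, True, installed_apps=["com.example.mail"]),
    Device("dev-002", "bob", False, 0, True, True, installed_apps=["com.example.docs"]),
    Device("dev-003", "carol", True, 4, True, True,
           installed_apps=["com.example.mail", "com.unknown.flashlight"]),
    Device("dev-004", "dave", True, 6, True, True, reported_lost=True),
    Device("dev-005", "erin", True, 6, False, False, reported_lost=True),
]

if __name__ == "__main__":
    for dev_id, row in assess_inventory(INVENTORY).items():
        print(f"{dev_id} ({row['owner']}): {row['decision']}"
              + (f"  [{'; '.join(row['violations'])}]" if row["violations"] else ""))
```

On the constructed inventory only dev-001 is allowed; dev-002 and dev-003 are denied with their violations listed, dev-004 is queued for a remote wipe, and dev-005 illustrates the gap the article describes: a lost device that was never enrolled cannot be wiped, so the organisation falls back to revoking whatever credentials it held.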

Compliance with laws and regulations governing the organisation

Complying with the laws and regulations governing the industry and geographical region in which an organisation is located should always be a priority for any organisation. Failure to adhere to the laws and regulations affecting the organisation could result in the organisation being liable for large fines or penalties for breach of the relevant laws and regulations. McQuire (2012) indicated that organisations operating in highly regulated industries cannot afford any compromise to customer data records or to the compliance requirements governing these industries. McQuire (2012) stated that in certain countries, such as Germany, the federal law concerning data protection stipulates that German company data must reside in Europe. The Protection of Personal Information Act in South Africa and the Sarbanes-Oxley Act, when dealing with South African subsidiaries of a holding company listed on the New York Stock Exchange, have significant regulatory implications in this regard. Research conducted by Vodafone (2012) indicated that it is important for organisations to ensure regulatory compliance, especially where employees are permitted to run corporate email on their devices, as this may be subject to some form of communication regulations. They also noted that it is more difficult to ensure compliance where the organisation does not own the device. Where an employee uses software purchased for a personal mobile device under a 'personal use' licence for business purposes, the organisation may not be complying with the rules governing the use of the software and may be liable for the additional costs. It will probably become more challenging for organisations to ensure that they are complying with the rules and regulations affecting them in the future. This is especially true given the constant technological advancements taking place and the manner in which data are shared and transferred from one device to another.

Obsolescence

New mobile devices are released onto the market on a regular basis. The manufacturers of these devices have done a great job of convincing individuals to upgrade from their existing devices, even though the new devices may not offer much more than the user is currently receiving from their existing devices. Entner (2011) indicated that, of the 14 countries which he investigated to determine handset replacement lifecycles, South Africans took 38.2 months before buying a new mobile telephone. The research indicated that the handset replacement lifecycle for South Africans in the previous year was 46.3 months. The most common practice among mobile phone companies is to release a new model or an updated model every year. Stylistic obsolescence is one of the driving phenomena occurring, particularly, in the mobile phone industry. If employees continue to upgrade their devices on a regular basis, it will have a direct impact on the IT department. It may not be able to cope with the regular upgrades and may not be able to identify the risks associated with all the new devices being deployed into the system.