Cyberattacks becoming more common, sophisticated and severe
Mobile devices have become a mainstay at the workplace, whether for personal or professional use. But there are considerable risks — 75 per cent of Canadian IT professionals say these devices are the greatest potential risk to a company’s IT department, according to a recent survey.
“It makes sense why companies want their employees to use consumer-grade devices inside the enterprise, and have one platform for both home consumption and business as well,” said Ryan Wilson, chief technology officer, security, at Scalar Decisions in Toronto, which released the survey of 658 IT and security professionals.
But the challenge is to ensure any corporate data on these devices remains inside a “secure container,” he said.
Overall, the number, sophistication and severity of cyber-attacks on companies are on the rise, according to the survey. The average number of reported attacks on Canadian organizations rose to 44 per year, up nearly 30 per cent since 2014. And the majority of respondents said both the severity (81 per cent) and sophistication (72 per cent) of attacks are increasing.
Additionally, confidence continues to decline among organizations for the third year in a row as fewer believe they are winning the war on security.
“A few years ago, I would have told you we are at least treading water, but we are hitting the point where, frankly, the pace of innovation for protecting ourselves versus the pace of innovation of the bad guys... we are falling behind on the good-guy side,” said Rob Clyde, managing partner at advisory firm Clyde Consulting in Pleasant Grove, Utah.
He blamed two new “very well-funded” types of groups: nation states and organized crime involved in attacks. “It’s big business.”
Because the criminals have lots of money, there is a natural “asymmetric advantage” on their side, said Clyde. “(As) the good guys, we have to figure every possible way the bad guys want to get in and try to put defences against that. But if you are a bad guy, you just have to figure out one way to get in.”
Variety of potential risks
There are “standard risks” such as a loss of data control, potential data breaches, and overall data and security concerns, according to Abhay Raman, partner, cybersecurity and resilience leader, at Ernst & Young in Toronto.
“Largely, all of these (security) compromises are happening because of malware infestation, ransomware deployment and phishing, which are user-driven.”
But there are even more risks companies will have to address in the future, he said.
“The number of devices or endpoints that an organization needs to manage is a lot more and it is going to get worse, once we look at smart fridges, smart this, smart whatever, in terms of IoT (Internet of Things) devices that will start plugging into the network.”
Wide-open access to a company network can be hazardous, said Clyde.
“If you do allow the employees to bring a device into the company — say their own smartphone — I would suggest that the policy be that the employees can only connect those devices through the guest Wi-Fi, not through the secure internal network.”
Another potential pipeline into a company’s network is through email, said Wilson.
“Phishing is the number-one vector where attackers are attempting to get users to click on something they shouldn’t.”
And the way some apps work on mobile devices brings its own set of risks, said Kurt Roemer, Citrix Systems chief security strategist in Chicago.
“One of the biggest threats is installing rogue applications where they ask for all kinds of permissions whenever you install an app, (such as) permission to access your contacts, your calendar,” he said. “You have individuals who are giving that newly installed ‘app of the day’ way more rights than it needs to, and it’s getting access to a lot of confidential data.”
That risk could spread to a company’s data, said Clyde.
“The most obvious is the employee’s device might be infected or compromised and when they plug it into the company network, that malicious code that is on that device could spread to other company devices inside the network.”
Even a seemingly innocuous action such as taking a picture of a whiteboard with a cellphone, and sharing it via email to other colleagues, can pose a risk, he said.
“Many of our smartphones now automatically upload those pictures to the cloud,” he said. Some of those images may then be shared automatically on social media networks and the “next thing you know, you’ve got company confidential information inadvertently being spread by otherwise well-meaning employees.”
IT solutions, challenges
If an employee’s phone is lost or stolen, companies are using password protection and installing remote data-erase functions onto the devices, said Raman.
“The organization has the ability to remotely wipe it in case you lose your phone. It has the ability to establish controls on it to make sure you can’t copy from that onto another application, you can’t take screen shots.”
Companies are also employing mobile application management (MAM) that allows for complete control over certain apps on a cellphone, according to Wilson.
“What MAM allows you to do is to password-protect specific applications,” he said. “We see a fair number of personal devices accidentally get left in public settings, so you want to make sure that device is self-locking so if you do forget it, it will lock or you can wipe it.”
But creating a BYOD (bring your own device) policy is one of the first places to start, according to the experts.
“HR should work with the IT security organization (to ensure) such a policy is in place and an appropriate training program about the elements of those policies is in place for the employees,” said Clyde.
BYOD training is still in its nascent stages in the corporate world but it is getting better, according to Raman.
“From an HR interaction standpoint, we are starting to see… strong enforcement of policies, a good understanding and signoffs from an acceptable-use point for their BYOD devices.”
However, many companies know their initiatives are out of date, found a Citrix survey in January of 4,268 IT and IT security practitioners in 15 countries, including 265 from Canada. Three-quarters (73 per cent) feel their company’s security framework is “outdated and inadequate.”
“Policies were written for everyone going into the office and using the company’s equipment, services and never having any of that leaving the facility — they don’t necessarily apply to what’s going on today,” said Roemer. “What’s been put in place doesn’t reflect the realities today of highly mobile and even nomadic workers in a lot of ways: People bringing their own devices and people using cloud applications.”
Another challenge involves the differences between what IT professionals want and what employees need to do their jobs.
“Generally, there is a disconnect across the board,” said Wilson. “If you don’t have a strategy that is aligned with your business, how are you ever going to win or be in a position where you are able to defend the company properly?”
There is a balancing act that must be accomplished.
“How much security can the organization push down to the mobile device and not impact the user experience?” he said. “It’s finding that balance between allowing your users to use that consumer-grade device and accessing all those wonderful apps and the things they want to do on a personal level, but then ensuring that data from a business point of view remains secure.”
Training essential, but lacking
Employee training and communications are also key parts of what HR should be facilitating.
“For HR departments, it’s helping to understand how people are working, what they need and then letting them know how they should best be utilizing these devices securely and not have a very laborious policy, but very simple steps that help people to understand how to protect themselves, protect the organization, and protect the customers and everybody else that integrates with them,” said Roemer.
HR should be conducting regular user-awareness training, said Wilson.
“Most organizations that I have been involved with do yearly security training. I do not believe that is sufficient to be able to reinforce the concepts to end users and keep them top of mind.”
Training should be done in a “programmatic way” and completed at least four times per year, he said. “Quarterly is a much better approach.”
The investment in training should pay off in terms of fewer security incidents, said Raman.
“There’s enough literature and research to prove that a more educated user is better prepared for the types of threats that we see today, than an uneducated one.”
But some experts believe the level of education remains low, said Roemer.
“We’re finding there isn’t enough training: It’s very shallow in a lot of organizations with companies not having formal BYOD policies — people are figuring out how to do this (on their own) and it is word-of-mouth.”
With a phishing test (a simulated phishing email sent to staff to see whether they click a link they shouldn’t), even after training, ignorance can persist, said Wilson.
“Once you have reinforced that user training and shown them what to look for — even though you have educated them well — 10 to 15 per cent of users will still click that link.”
Organizations are starting to do a better job of user-awareness training and of outlining the expectations for using personal devices at work, but a lot of user awareness still needs to go into an effective bring-your-own-device program, he said.
“Every organization that adopts BYOD should have an acceptable-use policy that is reviewed with every new employee in the organization and refreshed on a regular basis.”
The dialogue should also be happening early with new employees.
“This is an onboarding type of conversation,” said Raman.
Encouragingly, the level of knowledge about what could go wrong is rising.
“Employees are more aware than they used to be,” said Clyde. “(But) we have a long ways to go.”