By Alan Thomas, a technology & media executive at the specialist insurer Hiscox
Travel anywhere on a plane or train these days and you’ll no doubt notice that you are surrounded by people using a smartphone. They are an extremely useful modern tool that is used by many companies and individuals alike to keep in touch and do work while on the move. There are security risks involved in using them, however, which need to be thought through and mitigated.
Despite the added security risks associated with smartphones, and their increasingly popular use as effectively a personal computer in your pocket, most mobile devices today still only have the same basic security features as a 1998 PC.
Over the years mobile technology has revolutionised the way we live, work and communicate around the globe. The convenience and versatility offered by smartphones has made it easier to overlook the security aspects of the devices, but this attitude cannot go on forever. Increasingly, malware aimed at Google’s open Android operating system and other mobile OSes is finding a home on unsuspecting users’ handsets. Managers at large businesses running a ‘mobile estate’ should be aware of these and the other risks that are out there.
Smartphone users can often be careless with their devices, adding to the security risks. According to a 2011 report by McAfee and Carnegie Mellon CyLab, entitled ‘Mobility & Security: Dazzling Opportunities, Profound Challenges’, which surveyed 1,500 respondents in 14 countries, including the US, UK, Germany, Japan, India and Mexico, about half of users keep passwords, PIN codes or credit card details on their mobile devices. In addition, one-third of those questioned keep sensitive work-related information on their handsets. There is also always the risk of losing an employee handset whose screen-lock timeout is disabled, too long or has not yet fired, potentially giving criminals unauthorised access to company data.
As a result of security weaknesses, data that is stored and transmitted on mobile devices is at risk. As the value of data rises and mobile devices begin outselling PCs—as Morgan Stanley predicts will happen in 2012—the need for risk management and security measures becomes even more acute.
Lagging security requires rapid change
Since mobile security is, in my opinion, already lagging behind PCs by a decade or more, it has not only to catch up with technology that is already widely in use but also to anticipate and outpace popular new developments, particularly social media, which is opening up a whole new arena of potential security threats.
Another possible new threat vector is the ‘mobile wallet’, which can have built-in loyalty schemes for online or store-bought goods. Bank-administered Mobile Contactless Payment (MCP) schemes, often involving Visa or MasterCard and a Mobile Network Operator (MNO), are also increasingly to be found: La Caixa bank in Spain is running just such an MCP scheme in Sitges and in Ibiza with Visa and Telefonica. Smartphones need a Near Field Communication (NFC) chip to offer such services; the chip enables fast, easy point-of-sale transactions and can sit alongside a Secure Element (SE) in the handset, which holds the payment credentials. The advance of NFC technology means that mobile payment, loyalty and m-wallet schemes are poised for massive growth, and they present new security risks to individuals and businesses alike.
With the landscape changing so quickly, it’s important that Small to Medium-sized Enterprises put steps in place to mitigate mobile security risks through a comprehensive strategy. This can include preventative actions, staff training (if it’s a work mobile phone), anti-virus systems, ongoing vigilance and privacy and data-breach insurance.
A significant number of people use their mobile devices for business and personal e-mails, social media, document creation and storage, web browsing, e-commerce and other purposes. Given people are not always aware of the emerging risks involved in using mobile devices, having a company-wide enterprise approach can help give clear guidelines on basic risk management steps.
Many employees use the same password for several accounts, so a breach of any one of those accounts exposes the work device as well. Employees should be required to use strong passwords that are unique to their work devices and accounts, and companies should mandate an immediate change whenever a credential is suspected to have been exposed.
There are also infrastructure steps you can take. To help maintain the security of data, if you supply employees with a mobile device, stick to one type from a single manufacturer. This can make it much easier to track and monitor data and deploy an emergency response if control and access is centralised.
Simple carelessness can lead to loss or theft of a mobile device. There have been plenty of data breaches because laptops have been misplaced or stolen, and mobile devices are equally vulnerable. The McAfee and Carnegie Mellon CyLab report cited previously found that four in 10 organisations have had mobile devices lost or stolen, and half of those devices contained business-critical data. Security needs to start with the device itself, and an instant response plan (locking and, where needed, wiping the device) should be in place in the event the device is lost or stolen.
Preparing for mobile wallets
Mobile wallets and standalone MCP or stored value schemes, such as Barclaycard and Orange’s QuickTap launch last year, all use NFC technology. This is expected to be the next big thing in 2012 and beyond – receiving a boost from associated Olympic Games marketing this year – as companies look to use NFC-enabled contactless devices to deliver ease of payments and speedy transactions. Lloyds Banking Group, for example, has an ‘Olympic phone’ for 2012 with fellow Games sponsors Visa.
Any NFC-enabled phone should have all the standard security measures, such as strong password protection and encryption, but as with most devices there are additional risks and precautions that should be taken. There is the danger of a ‘walk off’: accidentally leaving behind a phone where an application has not timed out quickly enough, enabling a thief to misuse the still-open session. Short application and screen-lock timeouts are the first defence; a proximity alarm that activates when the phone is too far from the user is a useful addition.
NFC-enabled devices can also be subject to eavesdropping and data disruption (interception, modification or relay of the exchange). NFC’s short range reduces the eavesdropping risk but does not remove it. The answer to both threats is cryptographic protection of the transaction data itself: an encrypted and integrity-protected SSL/TLS tunnel, as used in internet transactions, for any leg that goes online, and payment cryptograms generated in the Secure Element for the contactless leg, so that a captured exchange cannot simply be altered or replayed. Smartphone platforms already support SSL/TLS; the open question for each wallet is whether the implementation uses it correctly, including validating the server’s certificate.
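The distinction between eavesdropping and data disruption matters because encryption alone only addresses the first. The following added example (constructed for this page, not code from the article or from any payment scheme) uses a toy stream cipher built from SHA-256 in counter mode to show the point: an attacker who knows the message layout can rewrite the amount in an encrypted payment instruction without the key, and only an integrity check (here encrypt-then-MAC with HMAC-SHA256, the role that TLS’s record MAC or an AEAD cipher plays) makes the tampering detectable. The message format, field positions and the toy cipher are assumptions for illustration; a real system would use TLS or AES-GCM, never this construction.

```python
"""Why an encrypted channel also needs integrity protection.

Constructed example, not from the original article. The stream cipher
(SHA-256 counter-mode keystream) is a teaching toy chosen so the code runs
offline with the standard library; production code uses TLS or an AEAD.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes: SHA-256 over key || nonce || counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Scheme 1: confidentiality only (malleable) -----------------------------

def encrypt_only(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption with no integrity check."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt_only(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    # XOR is its own inverse, so decryption is the same operation.
    return xor_bytes(ciphertext, keystream(key, nonce, len(ciphertext)))


# --- Scheme 2: encrypt-then-MAC (tamper-evident) ----------------------------

def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ct = encrypt_only(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


def verify_then_decrypt(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes):
    """Return the plaintext, or None if the tag does not verify."""
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # tampering or corruption detected: do not act on the data
    return decrypt_only(enc_key, nonce, ct)


# --- Active attacker: rewrites a field without knowing the key --------------

def tamper_amount(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """XOR (old XOR new) into the ciphertext at the field's known position.
    Because the cipher is a keystream XOR, this changes the plaintext field
    from `old` to `new` without any knowledge of the key."""
    delta = xor_bytes(old, new)
    ct = bytearray(ciphertext)
    for i, d in enumerate(delta):
        ct[offset + i] ^= d
    return bytes(ct)


# Constructed sample message: a fixed-width payment instruction (assumed layout).
MESSAGE = b"PAY amount=00010.00 to=MERCHANT-42"
AMOUNT_OFFSET = MESSAGE.index(b"00010.00")


def demo():
    """Run both schemes against the same attack; return (forged, rejected, accepted)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)

    # Scheme 1: a passive eavesdropper sees only ciphertext, but an active
    # attacker turns 10.00 into 99999.99 and the receiver cannot tell.
    ct1 = encrypt_only(enc_key, nonce, MESSAGE)
    ct1_bad = tamper_amount(ct1, AMOUNT_OFFSET, b"00010.00", b"99999.99")
    forged = decrypt_only(enc_key, nonce, ct1_bad)

    # Scheme 2: the same bit-flips invalidate the MAC and the message is rejected,
    # while the untouched message still verifies.
    blob = encrypt_then_mac(enc_key, mac_key, nonce, MESSAGE)
    blob_bad = tamper_amount(blob, AMOUNT_OFFSET, b"00010.00", b"99999.99")
    rejected = verify_then_decrypt(enc_key, mac_key, nonce, blob_bad)
    accepted = verify_then_decrypt(enc_key, mac_key, nonce, blob)
    return forged, rejected, accepted


if __name__ == "__main__":
    forged, rejected, accepted = demo()
    print("scheme 1 decrypts to:", forged)
    print("scheme 2 tampered  :", rejected)
    print("scheme 2 untouched :", accepted)
```

The same reasoning applies to the contactless leg: a captured NFC exchange that carries no cryptogram bound to the transaction can be replayed or altered, which is why the payment credential and its signing operation belong in the Secure Element rather than in ordinary application memory.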
Retailers and service providers taking payments with NFC-enabled phones will have their own security issues. Customers could have their credit card and payment data intercepted at the place of business. This could result in minor annoyances, such as unwanted advertisements, or more serious problems like the loss of customer trust, reputational damage, identity theft and legal liability.
With NFC, there is a complex web of responsibility which can be time-consuming and expensive to untangle. The retailer, bank, card scheme, MNO, payments processor and other organisations can all potentially be involved in a single transaction, so sorting out clear liabilities is crucial. Many will be trying to disintermediate each other, of course, further complicating matters.
Ensuring that the reader at the point of purchase is secure and compliant with the Payment Card Industry Data Security Standard (PCI DSS) can help to manage this risk. Encryption of the transaction data, or an equivalent protection measure, can also help.
It is also critical to understand – and get the most favourable terms – into the contract with the reader’s supplier (typically a card scheme and its hardware partner look after the so-called acceptance infrastructure). This reader should be secure and the contract should specify who is responsible for a security problem. While none of these methods are foolproof, they can reduce the likelihood of a data breach.
Data breach insurance is essential
While prevention and risk management can help reduce data breaches, insurance is essential to protect against the costs and liabilities associated with a breach that compromises personal information. Policies typically cover notification costs, forensic services, credit monitoring, legal assistance, identity restoration and public relations services. They can also cover specific exposures, such as breaches of personal health data.
As several trends converge in the mobile commerce space, the risk landscape is becoming more complex. Mobile communications – not to mention payments, remittances, trade authorisations and so forth – are accelerating quickly and although it’s challenging, security needs to be one step ahead of these accelerating risks.