Mobile communication - five security traps
Smartphones and tablets offer numerous gateways for cyber criminals. That is why operators of critical infrastructures in particular must protect their mobile communications from a wide range of security risks.
The challenges regarding IT security are continuously increasing for energy providers, hospitals and transport companies. Mobile devices, for example, have long been a natural companion in everyday working life: they are used to transmit sensitive data and confidential content without being integrated into the same strict security measures as local workstation computers.
According to Virtual Solution in Munich, the following security risks present IT managers with major challenges - especially when it comes to tolerating private devices for business purposes or the private use of business cell phones:
- Use of unauthorized apps: Users are accustomed to trying out new apps, and whether an app is actually free of malware or complies with the General Data Protection Regulation is rarely questioned. The EU data protection regulation (GDPR, DSGVO in German) stipulates that personal data must not end up in any app without the consent of the person concerned. Popular services like WhatsApp in particular, however, cause unintentional data leaks: the messenger reads out the address books of employees, including email contacts and phone numbers of colleagues, customers or partners, and passes this data on to the parent company Facebook.
- Unsecured WLANs: In hotels, on the train, in cafés - mobile devices now use WLAN connections more often than the mobile network. The problem is that most hotspots are not encrypted. Although this gives users convenient access, it also leaves the door wide open for attackers to intercept credentials and read the entire data traffic. In addition, hotspots can be given any name, which increases the risk of network spoofing: fraudsters can use a supposedly familiar name to lure users into their own WLAN.
- Mixing private and business use: If employees use their private devices for business purposes - in line with the BYOD (Bring Your Own Device) or COPE (Corporate Owned, Personally Enabled) model - or vice versa, data is often moved back and forth between the business and private spheres. This is the case, for example, when business files are temporarily stored in a company's own Dropbox account. For companies, however, it then becomes difficult to comply with the GDPR, copyright regulations or retention obligations - and at the same time the level of protection decreases.
- No password protection and no encryption: Mobile devices can be lost, stolen and thus fall into the hands of unauthorized persons. If the smartphone is insufficiently secured, i.e., a weak password or no password at all is present and certificate-based authentication is missing, it is relatively easy for criminals to gain access to the data on the device. Once it is cracked, they usually also have access to cloud, file sharing or networks, and thus access to sensitive corporate internals. Encryption is also not usually standard for mobile communications. However, if data is stored and transmitted unencrypted, the risk of unauthorized access from the outside increases dramatically.
- Unpatched devices: Updates for the smartphone operating system as well as the downloaded apps are often annoying for the user, but unavoidable. This is the only way to close security gaps caused by errors or vulnerabilities in the applications before an attacker can exploit them. With BYOD models in particular, however, it becomes an almost impossible task for IT managers to check whether the smartphone of each individual employee is up to date.
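The two risks at the end of the list (missing passcode or encryption, and unpatched operating systems that IT cannot easily audit under BYOD) are exactly what a device compliance policy in an MDM/UEM system checks. The following is an added example of such a check, written for this page and not code from Virtual Solution or SecurePIM; the inventory records, their field names and the policy thresholds (minimum OS version per platform, minimum passcode length) are constructed assumptions rather than any real MDM export format.

```python
"""Added example: a minimal mobile-device compliance check covering the risks
described above (no or weak passcode, missing device encryption, outdated OS).
Inventory records and field names are constructed for this example."""
import json

# Assumed policy values (hypothetical): minimum OS version per platform and
# minimum passcode length. A real policy would take these from the MDM config.
MIN_OS_VERSION = {"ios": "16.6", "android": "13"}
MIN_PASSCODE_LENGTH = 6

# Constructed inventory export; field names are assumptions, not a real MDM schema.
INVENTORY_JSON = """[
 {"device_id": "d-001", "user": "alice", "platform": "ios", "os_version": "17.1",
  "passcode_set": true, "passcode_length": 6, "encrypted": true, "ownership": "corporate"},
 {"device_id": "d-002", "user": "bob", "platform": "android", "os_version": "11",
  "passcode_set": true, "passcode_length": 4, "encrypted": true, "ownership": "byod"},
 {"device_id": "d-003", "user": "carol", "platform": "ios", "os_version": "16.6",
  "passcode_set": false, "passcode_length": 0, "encrypted": false, "ownership": "byod"}
]"""


def parse_version(v: str) -> tuple:
    """Turn '16.6.1' into (16, 6, 1) so versions compare numerically, not as strings
    (a plain string comparison would rank '9' above '13')."""
    return tuple(int(part) for part in v.split("."))


def is_outdated(platform: str, os_version: str) -> bool:
    """True if the device runs an OS older than the minimum required for its platform."""
    minimum = MIN_OS_VERSION.get(platform)
    if minimum is None:
        # Unknown platform: fail closed rather than silently passing the device.
        return True
    return parse_version(os_version) < parse_version(minimum)


def evaluate_device(device: dict) -> list:
    """Return the list of policy violations for one device; an empty list means compliant."""
    findings = []
    if not device.get("passcode_set"):
        findings.append("no-passcode")
    elif device.get("passcode_length", 0) < MIN_PASSCODE_LENGTH:
        findings.append("weak-passcode")
    if not device.get("encrypted"):
        findings.append("unencrypted-storage")
    if is_outdated(device["platform"], device["os_version"]):
        findings.append("outdated-os")
    return findings


def compliance_report(inventory_json: str) -> dict:
    """Map device_id -> list of violations, listing only non-compliant devices."""
    report = {}
    for device in json.loads(inventory_json):
        findings = evaluate_device(device)
        if findings:
            report[device["device_id"]] = findings
    return report


if __name__ == "__main__":
    for device_id, findings in compliance_report(INVENTORY_JSON).items():
        print(device_id, ", ".join(findings))
```

Run on the constructed inventory, the report flags d-002 (four-digit passcode, Android 11) and d-003 (no passcode, no storage encryption) while d-001 passes. The same evaluation is what an MDM uses to block a non-compliant device from reaching corporate mail or a container app until it is updated or properly secured.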
"In the digital age, the protection of critical infrastructures also requires new ways and means for mobile communication," explains Sascha Wellershoff, from Virtual Solution in Munich. "The answer to this is a container solution such as SecurePIM, which strictly separates the official from the private area on the mobile end device. Should an attacker actually gain access to the smartphone or tablet, he is then virtually standing in front of a burglar-proof door. Data and documents are stored in encrypted form according to the highest standards and are also transmitted end-to-end in encrypted form. At the same time, compliance with the DSGVO is guaranteed. A high level of user-friendliness is also very important: corporate apps must be just as easy to use as people are used to from their private apps - only truly used solutions increase protection against cyber attacks on mobile end devices."
Source: Virtual Solution