Mobile phone security is still a blind spot for some CFOs, CEOs and investors. Business strategies to prevent cyber-attacks often focus on servers, computer systems and the cloud, yet it is smartphones and tablets that are the new endpoint. Below, Peter Matthews, CEO at Metro Communications, discusses six simple ways CFOs can make the most of their own and their employees’ phones without compromising on security.
Research from Gartner shows that 27% of corporate data traffic will bypass perimeter security by 2021 and flow directly from portable devices to the cloud.
These mobile gadgets may have increased productivity immeasurably, but their proliferation has also increased the risk. There is much more valuable data held on mobile phones than most users would credit. Documents, chat messages, videos, voice calls, texts, address book, calendar and location are all data, all valuable and, to the right criminal, all worth stealing.
The uncomfortable truth is that with 72% of large UK companies experiencing a cyber breach in 2017, all business leaders have to take action to increase their awareness, secure all of their communications and ensure they can quickly recover from any damaging action. The key question is how?
- Don’t use open WiFi or consumer apps for sensitive business conversations: Whether your staff are working from home, the car, the office or a hotel room in Timbuktu, confidential communications should always take place over secure WiFi. Don’t be tempted by that open network in a local cafe, even if it’s more convenient. It is also worth remembering that consumer apps, such as WhatsApp, encrypt the content of conversations but don’t protect metadata, which includes information about your location, the date and time of calls, recipients’ phone numbers and your contacts list. Apps certified by a third party, such as the National Cyber Security Centre, ensure that nobody outside of your organisation can access your metadata.
- Increase intelligence and awareness: Don’t expect your chief information officer to take sole responsibility for maintaining secure communications. In the words of KPMG, ‘security is not just an IT issue’; it must be built into behaviour and processes throughout the whole organisation. For example, knowing the provenance of apps, creating verification and authentication processes, or encouraging staff to use ‘message burn’ facilities to destroy sensitive text messages after they’ve been read will help create a safe environment for valuable data. A culture of awareness, supported by a policy which includes a clear chain of accountability, may be the closest you can get to a human firewall.
- Get expert help: Mobile phone hacking is not a cottage industry; it is a global activity. Consider building relationships with information security consultants who know the landscape inside out, have access to leading-edge technology and can advise on prevention. Including relevant partners and suppliers in these discussions will help you apply minimum standards to ensure hackers can’t access your data via ‘weak links’ beyond your corporate walls.
- Control personal devices: According to a UK government survey, companies that allow staff to use their personal phones for work are more likely to experience breaches because they often find it difficult to manage security and impose technical control on personal property. Mobile device management (MDM) platforms can barricade and secure business data and delete sensitive corporate information when a staff member leaves. A recent analysis of the top ten best MDMs by TechRadar is available online.
- Set up disaster management procedures: If your organisation succumbs to a cyber-attack, using the very platform that has been compromised (for instance, your computer system) to report or manage the situation can make matters worse. In fact, the initial action might well have simply been ‘bait’ to help the hackers gain access to new passwords and security information, and prevent key messages from being delivered. A separate and secure communications channel, where messages and voice calls are kept private, will in these circumstances help you to safely repair the damage and carry out essential discussions with your senior team so that your business doesn’t grind to a halt.
The proliferation of mobile devices, wireless internet, insecure apps and the Internet of Things, aided and abetted by cheap hacking tools, means that any approach to cyber security should include an assessment of mobile security to keep pace with emerging threats. For CEOs and CFOs in the UK and beyond, doing nothing is not an option.