Steve Whiter, Director, Appurity, looks at forms of communication, the security risks involved, and how this has evolved.
The way we communicate has evolved dramatically since the invention of the telegram back in the 1800s. Another evolution (of sorts) has been largely brought about by the challenges of COVID-19. The global pandemic saw global institutions having to adapt to an entirely remote working model, almost overnight. In addition, the number of communication tools available to organizations and their employees has taken off in the last 18 months or so. This is especially true of the likes of WhatsApp and Zoom, for example – once used almost exclusively for personal use but driven into the hands of enterprise as an answer to the communication challenges of a largely disparate workforce.
And so, with more flexible working patterns, with workers no longer tied to an office desk, and with technology providing the support for people to work from anywhere, what are the challenges from a security perspective? What problems arise when you increasingly blur the (technological) lines between your work and your personal life?
As we have seen, technology has been a great enabler when it comes to dealing with a predominantly remote / working from home (WFH) workforce. Organizations of all shapes and sizes, and in every sector imaginable, have relied upon technology to keep their people connected, communicative, productive, and secure.
A great example of this is the smartphone (smart device). In the UK alone, it is projected that the mobile internet penetration rate could be as high as 75%. This translates into big numbers of people that own such devices and use them constantly to access the internet. Smart device usage throughout the pandemic has likely increased considerably with the numbers of people remote working, WFH, etc. And herein lies a major security headache for organizations because many people simply assume that their smart device is safe and secure to use.
They tend to do things on these devices that they wouldn’t do on their office PC or laptop, for example. Remember, your phone isn’t impervious to cyberattacks, and hackers can steal all kinds of sensitive data from these devices, not just your personal information. If you are using your device for both work and play, then any breach can potentially expose proprietary company data. It is a perfect illustration of the negative outcome when you blur the lines between work and play.
We mentioned some popular communication tools earlier, perhaps none more so than WhatsApp. Owned by social media giant Facebook, WhatsApp is the leading messenger app globally with an estimated 2 billion users. And whilst it started for many of us as a means to communicate with friends and family in our personal lives, it has successfully woven itself into the world of enterprise, especially so when so many of us have been WFH during lockdown periods.
But WhatsApp offers end-to-end encryption, so it must be safe to use, right? You might be surprised to learn that Signal (a WhatsApp competitor) is the best option for user privacy. It requires the least data access, whereas WhatsApp collects all manner of data: Device ID, User ID, Advertising Data, Purchase History, Contacts, and Payment Information, to name but a few.
And it’s hard to talk about messaging security without talking about Pegasus. A joint investigation by Lookout and Citizen Lab revealed that this highly advanced mobile spyware had been used on business executives, human rights activists, journalists, and academics amongst others.
It came to light that NSO Group, an Israeli-based company behind the development of Pegasus and a leading figure in the spyware industry, was in fact behind these hacks. This pushed WhatsApp to file a major lawsuit against the Israeli company, in which the messaging giant revealed that victims of the hack had received phone calls using its messaging app and were consequently infected with the Pegasus spyware.
Today’s mobile devices are very powerful. They can access the same data as a PC but from anywhere. This in turn massively increases the attack surface and risk for organizations, because many of these devices are commonly used outside of the organization’s security perimeter. Employees who can access sensitive company data or resources whilst using their device of choice therefore present a very attractive target for cybercriminals. Mobile phishing can be especially lucrative for cyber attackers, with mobile malware delivered to victims via a phishing link. Smaller screens on smart devices make it even easier for phishing to succeed than when an employee is working with a larger screen (office PC or laptop).
Mobile security is therefore vital where devices and apps pose a major risk. Organizations must safeguard information in the cloud while providing better access to data. Building security from the start is essential. Endpoint security assessments will help you understand where your weak points are and what should be done. With the correct endpoint security, you can help your employees to protect their (and your) data, to stay securely connected, and uphold privacy and trust. On the basis that people can, and will, work anywhere and often use their devices for both work and play, organizations need to ramp up the security of their communications.