By Peter Matthews, CEO, Metro Communications
Threats to corporate data security are not confined to static computer hardware. But despite high profile cases of mobile phone interception, vulnerabilities generated by voice conversations are still being seriously underestimated throughout the finance industry.
A survey of asset management and investment companies by Wandera found that just one sixth of businesses protect their company mobile phones. Interestingly, it also warned that staff were three times more likely to succumb to phishing attacks on their mobiles than on their desktops. Why?
Perhaps it is because spoken words have no physical form or something to do with the way we respond to a familiar voice, but in my experience, people tend to be less guarded when they communicate over the phone. If emails are private, phone calls are personal. If emails are black and white, phone conversations are colour; the places where we share opinions, exchange confidences and explore issues in-depth.
When we send an email we describe it as travelling across cyberspace. When we’re on the phone, our reference point isn’t ‘the ether’ but the individual or individuals we’re speaking with (and physically seeing during a video conferencing call). This sense of informality and privacy is the next best thing to talking face to face, and it leads to unguarded conversations that can be highly lucrative to hackers.
We may never know how much information was gleaned from the alleged attempted hacking of phones belonging to Qatar’s Emir, Sheikh Tamim bin Hamad Al Thani, and Saudi Prince Mutaib bin Abdullah, reported last month by the New York Times, but the Pegasus spyware implicated in the attack is reported to cost $500,000 to install and $65,000 for each target. The government agencies who buy it, and the disgruntled member of staff who reportedly attempted to sell the stolen code on the dark web for $50 million, clearly think it’s worth the investment.
Businesses need to remember that:
- conversation is data transfer, equivalent to sending a file explaining what you are planning and doing, where, when and with whom
- information is currency, pure gold to hackers seeking to impersonate an individual and exploit their location, business dealings, contacts and relationships
- mobile phones are entry points, and hackers will take advantage of the weakest link to infiltrate computer systems
- mobile devices are part of the IT estate, even if you operate a bring your own device (BYOD) policy
- where there is data there is risk, don’t equate the size of the device with the size of the risk
Mobile devices are places where personal and business data mingle, creating additional layers of vulnerability. An estimated 10% of employees download and play games on their corporate devices on a daily basis. To do so, they unlock their phone’s front door to let the visiting app in, and many leave it permanently open, making it easier for hackers to install eavesdropping malware that might not be detected for years, if at all.
While no business leader or cyber security information officer would ever say outright that ‘big cyber’ causes the major problems while portable devices are a low-risk speck in their peripheral vision, it is certainly the case that investment in cyber security tends to focus on protecting an organisation’s large, static computer hardware while mobile devices remain unprotected.
Every organisation owes a duty of care towards its data. This obligation links responsibilities to customers, employees, shareholders, partners and everyone in between and it means that businesses have a responsibility to promote a security culture, not a blame culture.
Secure mobile phone communications should be a standard part of a multi-layered and wide-ranging response to cyber security. Raising awareness and understanding human behaviour is a vital part of this.
Where staff have unlimited minutes and data on their work mobiles they may see no harm in visiting unsecured websites, connecting over untrusted WiFi or downloading gaming and gambling apps from unknown sources. Ensure they are aware of the risks and take action to secure confidential communications held on mobile phones, including video conferencing. Consider acceptable use policies, enterprise management solutions (including so-called ‘agentless’ solutions), regular phishing exercises and secure communications apps.
Cyber security is ultimately about data, not devices. However, devices are important points of entry and some are routinely overlooked. We might be using our mobile phones less to speak and more to text on a personal level, but remote working and international business groups mean that the business voice and conference calls are alive and kicking.
Much of what has been written about the psychology of cyber security focuses on the techniques used by hackers to manipulate their targets into doing things they otherwise wouldn’t do, such as clicking on phishing emails. But once they have access, hackers are increasingly taking advantage of something that comes naturally to us: speaking openly on our mobile phones. It doesn’t pay to have a blind spot.
For more advice about how to protect your mobile phone conversations, contact Metro Communications.