classic | mobile
Follow us on:
Follow us on Facebook  Share via Twitter  Share via LinkedIn
 

Search...
Hi-Tech Security Solutions Business Directory


Keeping data secure
April 2014, Cyber Security

With the ongoing trend to move data offsite on mobile devices, can we truly find ways of ensuring that this data is secure from prying hands and eyes? And is data security for mobile devices different from that for supposedly office- or home-bound data?

Richard Broeke, sales manager at Securicom.
Richard Broeke, sales manager at Securicom.

Richard Broeke, sales manager at Securicom, points out that in the past data stayed behind in the building when the employees left the office. However, with the advent of mobile devices, data is no longer in a controlled environment. The crux is knowing exactly where the data is and how access to it can be controlled.

Carey van Vlaanderen, CEO of ESET Southern Africa.
Carey van Vlaanderen, CEO of ESET Southern Africa.

Carey van Vlaanderen, CEO of ESET Southern Africa says that a regular issue they encounter in the market is the lackadaisical approach to corporate user domain policies, giving employees free rein to browse without restriction, as well as download and install software without informing the IT administrator. When this is coupled with poor user awareness, constant use of weak passwords and accessing corporate data from public Wi-Fi networks, companies are placing their client’s and corporate data at risk on a daily basis.

Gareth Tudor, CEO of Altonet.
Gareth Tudor, CEO of Altonet.

Gareth Tudor, CEO of Altonet, says that the data on servers is normally well protected by anti-virus software and firewalls. Therefore, the focus for companies needs to be on the mobile data.

Van Vlaanderen believes that two factor authentication (2FA) goes a long way towards combating user negligence, by removing the need for a poor password and replacing it with a unique one time password (OTP) which is generated each time data is accessed. This ensures that sensitive information can be accessed securely when working remotely and across various devices. Another level to this is the ability to encrypt data when sending information externally, and being able to decrypt the information once received, opened and stored. ESET provides security in all three of these areas: secure authentication, encryption and mobile security.

Tudor says that typically, locking devices automatically after a predetermined period of inactivity will provide a desirable level of protection for mobile device users. In essence, activation will require the use of either a password or a biometric, or preferably a combination of both. Passwords, he believes should be the last choice since most passwords can be hacked. Sadly, most users only decide to implement security measures once an incident has occurred.

What should be protected?

Often companies debate the issue of what should be deemed sensitive data. While vulnerable data varies from one organisation to another, most companies should protect that data that makes them stand out from their competition: their intellectual property.

Tudor says that any personal data is vulnerable and any company information that could cause harm to the company or other individuals when used for egregious purposes.

According to Van Vlaanderen, companies are required to protect any personally identifiable information (PII) of data subjects or juristic entities. They should also protect the systems that process this information. As a starting point, companies should perform an assessment of the way that they currently gather, secure and process personally identifiable information. If an organisation collects or requests personal information, that is, name, surname, address or even email address, it has to be processed and stored with care. For most businesses this could be a daunting requirement, but there are organisations that assist companies with this process.

She explains that to protect this data one should ensure that the systems that one uses should implement technical controls like encryption and organisational controls like identity and access management to ensure that only systems or individuals who are permitted to process the information are doing so.

Tudor believes that a complete lockdown of the system is essential to protect vulnerable data. Data is identified as such by the user and the parameters for its protection are also determined on an individual basis. However, all mobile devices should be subject to this form of control should they contain sensitive data; there should be no exceptions. In addition, any encryption should be applicable to a specific file, irrespective of whether it is loaded on an office system or a mobile device, including memory sticks.

Managing security

Broeke says that in order to ensure the success of a data security system, companies need to devise and thoroughly implement and monitor a mobile management programme. This strategy provides rules on where data can be moved to and how to access and store it correctly. Rules for infringement procedures should also be carefully explained to all data users. A third party specialist could be used to manage this service, thus eliminating the issues that arise from lack of updating of software and devices, and monitoring of the same.

The real risks to companies are a loss of reputation, client confidence and business through inadvertent loss of data. Additionally, malicious intent by disgruntled employees or external parties are threats to businesses today. Amazingly, some smaller companies do not believe they are at risk and therefore do not take precautionary measures. Mobility provides even greater risk than in the old, traditional space.

Information in the hands of unauthorised people induces a risk to personal self, opening companies and individuals up to blackmail, and the very real risk of confidential information being leaked – to the media, for example.

Data is nefariously acquired through the adoption of mobile devices and the ability to bring your own device (BYOD). Data that sits on unmanaged endpoints is the most susceptible to compromise and loss, says Van Vlaanderen. Security is of utmost importance when it comes to dealing with sensitive personal and corporate data. Companies must consider a multi-layer security strategy that duly protects PII, but also accounts for employee negligence. All too often external threats stem from the consistent use of weak passwords, unsecured networks and poor levels of access authorisation.

Cyber criminals are one step ahead of the average citizen, while they are usually only one step, or even closer, behind the technical boffins employed to reduce or eliminate risks. The use of malware and phishing is commonplace and poses a great threat.

Cold boot attacks occur when power to a device is cycled off and then on without letting the operating system shut down cleanly, or, if available, by pressing the reset button. A removable disk with a special boot sector is then immediately booted (for example, from a USB flash drive), and used to dump the contents of pre-boot memory to a file. This method has been demonstrated to be effective against full disk encryption schemes of various vendors and operating systems, even where a trusted platform module (TPM) secure cryptoprocessor is used.

One should not discount the insidiousness of insider attack. While the majority of security breaches are actually unintentional, there are still many instances of employees stealing data or forwarding it on to a third party.

The PoPI effect

Van Vlaanderen states that the PoPI (Protection of Personal Information) Act mandates that organisations should take all reasonable technology and operational steps to ensure the personally identifiable information (PII) that it holds or processes on a data subject is kept secure. This can take the form of encryption, conditional access and obfuscation.

Broeke adds that companies should always be aware of when a breach has occurred and then immediately notify the parties concerned. He believes that most companies that run ethical operations are already aligned with the outlines of the PoPI Act.

Van Vlaanderen provides a succinct summary of the main issue at hand. The use of mobile devices is one of the largest headaches for organisations. Users tend to demand that they have access to corporate systems when on the move and with this requirement becoming more prevalent, IT departments are facing challenges that are difficult to overcome. Having data on a mobile is as much a threat as having it in an unsecured network, due to the increase of mobile malware on unmanaged mobile devices or on the corporate network.

Simply hoping that you are unaffected because your employees are apparently trustworthy or assuming that because your business is an SME, is foolhardy. Data security is critical for anyone who places potentially vulnerable or harmful information on any device, whether it is mobile or seemingly immobile.

Contacts

Carey van Vlaanderen, ESET Southern Africa, 0860 373 872.

Gareth Tudor, Altonet, +27 (0)10 500 1500.

Richard Broeke, Securicom, 086 1591 591.


  Share via Twitter   Share via LinkedIn      

Further reading:

  • Data governance and the security industry
    June 2017, Technews Publishing, Cyber Security, IT infrastructure, Security Services & Risk Management
    So how does all the talk about data governance and data protection impact the security industry? Or does it?
  • Physical security is from Mars, IT is from Venus
    June 2017, Axis Communications SA, Cyber Security
    The days of separating physical and digital security are over. Today we need a collaborative approach to succeed in preventing and/or dealing with cyber attacks.
  • Card fraud stats 2016
    June 2017, This Week's Editor's Pick, Cyber Security, News, Security Services & Risk Management
    Credit card fraud increased by 13% from R331.4m in 2015 to R374.4m in 2016, with debit card fraud increasing by 3.1% for the same period.
  • Hikvision and Cisco collaborate on cybersecurity
    June 2017, Hikvision South Africa, This Week's Editor's Pick, CCTV, Surveillance & Remote Monitoring, Cyber Security, News
    Cisco is sharing its professional cybersecurity management experience and technologies with Hikvision, facilitating Hikvision’s globalisation process.
  • Trusted Platform Module explained
    May 2017, Bosch Security Systems, This Week's Editor's Pick, CCTV, Surveillance & Remote Monitoring, Cyber Security
    Bosch IP cameras, encoders and selected storage systems have an onboard security chip – actually a system-on-a-chip called the Trusted Platform Module – that provides functionality similar to crypto smartcards.
  • Procore Trading
    Securex 2017 preview, Cyber Security
    Procore Trading’s Intimus 9000 Degausser uses most modern APT technology to erase information from hard drives. The Intimus 9000 produces an erasing field many times stronger than those produced by the ...
  • Security skills shortage?
    May 2017, Galix Networking, Cyber Security
    We’re currently faced with a global information security skills crisis with an expected deficit of 1.5 million people within five years.
  • Niall Beazley looks at some of the issues end users should consider when deciding on surveillance solutions: you get what you pay for.
    May 2017, Vision Catcher, CCTV, Surveillance & Remote Monitoring, Cyber Security, Integrated Solutions
    Niall Beazley looks at some of the issues end users should consider when deciding on surveillance solutions: you get what you pay for.
  • IoT running wild compromises security
    May 2017, Genetec, This Week's Editor's Pick, CCTV, Surveillance & Remote Monitoring, Cyber Security
    Constant connectivity and the rapid flow of information may offer new and convenient ways to do business and create value, but it also places the corporate network at significant risk.
  • Are you afraid of the dark (net)?
    May 2017, J2 Software, This Week's Editor's Pick, Cyber Security
    Given the recent global malware attacks, you should be, argues John McLoughlin, MD, J2 Software. Worst of all, you are probably not aware you have been hacked.
  • Accelerating the community theme
    May 2017, Milestone Systems, This Week's Editor's Pick, CCTV, Surveillance & Remote Monitoring, Cyber Security, News
    Milestone Community Days EMEA (MIPS) in Dubai highlighted the company’s platform strategy, connected products for the small and medium-sized businesses and higher performing software.
  • Securing your security
    April 2017, Technews Publishing, CCTV, Surveillance & Remote Monitoring, Cyber Security, Integrated Solutions, IT infrastructure
    The digital age has not only seen the security industry migrate to IP, but is now forcing it to be aware of the latest cyber security risks.

 
 
         
Contact:
Technews Publishing (Pty) Ltd
1st Floor, Stabilitas House
265 Kent Ave, Randburg, 2194
South Africa
Publications by Technews
Dataweek Electronics & Communications Technology
Electronic Buyers Guide (EBG)

Hi-Tech Security Solutions
Hi-Tech Security Business Directory (HSBD)

Motion Control in Southern Africa
Motion Control Buyers’ Guide (MCBG)

South African Instrumentation & Control
South African Instrumentation & Control Buyers’ Guide (IBG)
Other
Terms & conditions of use, including privacy policy
PAIA Manual
         
    Mobile | Classic

Copyright © Technews Publishing (Pty) Ltd. All rights reserved.