Our offices are everywhere nowadays – largely because we can communicate with coworkers via smartphone, laptop, tablet and conference calls.
However, this new level of connectivity brings with it a new landscape of risk.
“The dependence on technology is growing significantly,” said Jeff Spivey, vice president of strategy at RISKIQ in Charlotte, N.C. “We’re moving away from PCs to laptops and smartphones. Those are a center of communication, of data, intellectual property, contacts and emails. All of that is accessed or resides on smartphones.”
Risks arise with mobile technology without users even realizing it. Spivey asserted that businesses need to take steps to safeguard the data contained on employees’ mobile devices.
Smartphones might seem like a major boon when you’re answering work emails and downloading the latest update for your Kwazy Cupcakes game, but criminals are targeting mobile devices. Malware picked up on your smartphone can be transmitted to a laptop and then on to your entire professional network.
“The vulnerability of smartphones to hacking and somebody getting into it has grown significantly,” explained Spivey, who is vice president of the international board of the Information Systems Audit and Control Association (ISACA) and is conducting several sessions during this year’s annual RIMS Conference. “It’s more than a smartphone. You may have a USB that you use on a personal computer that you move over to your work and now you’ve infected your work computer with the malware.”
He also cited the issues presented by the “bring your own network” trend. Via BYON, a smartphone can be used as a hotspot, potentially revealing company information to outsiders. An enterprise consists of more than the employees – it includes any vendor connected to the network and its technology. And that can mean unintended access.
The possibilities of that unintended access may seem like the territory of science fiction writers. Spivey described malware that sneaks onto a device and allows the “bad guys” to listen in on phone calls, take pictures with the user’s smartphone camera, and steal contacts and emails. He cited a “flashlight” Android application sued by the Federal Trade Commission (FTC) over claims that it violated consumers’ privacy by transmitting personal data and location information to third parties. The app’s user agreement mentioned the collection of data, as many do, but without full disclosure of its use.
Spivey added that mobile technology risk needs to concern more than a company’s chief information security officer (CISO). Addressing the risk should be part of a company’s overall enterprise risk management (ERM) plan, and executives at every level need to fully understand the problem.
“Managing any risk, particularly these technology risks, has to do with the people, the processes and the technology,” he said. “If we do not have that framework, we’re already behind the eight-ball and we’re never going to catch up.”