Christmas phishing and a lax approach to securing data and devices over the party season make the end of the year a minefield for security professionals, but the risks don't end on January 1st. This month sees an influx of employees bringing their shiny new Christmas presents to work, and according to new warnings from consultancy firm EY it is likely to present a gift to hackers.
Millions of Brits have come to work with new smartphones, tablets and wearables this month, unwittingly introducing potentially serious new vulnerabilities into enterprise security networks.
As Massimo Cotrozzi, director, Cybercrime Investigations at EY explains, the new tech that enterprise staff bring into the office: 'could be now connecting via the corporate wireless networks to external cloud systems which, in the best case, have not been appropriately protected, let alone tested.'
'Organisations that are unprepared could be caught napping while hackers are getting in, using employee devices, via the back door,' says Cotrozzi.
The usual risks of Bring Your Own Device (BYOD) are amplified when so many unknown elements are introduced at once. Companies without BYOD policies could be leaving themselves most exposed, but research indicates that companies in general aren't being proactive enough.
According to EY's survey figures, 84% of companies consider mobile security a medium or high priority area, but only 41% said they planned to invest more in covering the threat.
2014 also saw a rise in mobile malware, with fifteen million mobile devices infected according to a report by Alcatel-Lucent's Kindsight Security Labs.
'By taking a proactive approach, in terms of financial investment as well as monitoring threats and detecting breaches before they can impact the business, businesses can better understand where the risk for their particular organisation lies, and who’s likely to be targeting them, whether it’s hacktivists, organised crime or other entities,' continues Massimo.
As Jahmel Harris, security consultant at MWR, points out, a new device doesn't always mean the latest software. A 2014 review by BlueBox of sub-$100 tablets showed that many of them shipped with old and vulnerable versions of Android, security backdoors and misconfigurations.
'With BYOD, these devices can easily make it into offices dealing with sensitive information and, due to the fragmentation of Android, providing sign off for one type of device does not necessarily mean other devices will be configured in the same way,' says Harris. 'With any BYOD environment, care should be made to perform checks on devices, where the OS version, installed apps and root status are checked first.'
'As different types of devices are introduced to users (e.g. Android-powered watches, or wearables), there will be an expectation that these will be used in offices. The security impact of these devices is not always known and there are not always off-the-shelf solutions to support them in a secure way. Wearables pose a particular risk as they are so integrated with mobile devices, which will be used in BYOD environments.'
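As an added example (not code from the original article, from MWR or from BlueBox), the following Python script performs the three device checks Harris names, OS version, root status and installed apps, against captured `adb shell` output. The minimum Android release, the denylisted package names and the `su` paths are assumptions chosen for the example, and the two device captures at the bottom are constructed, not real device output.

```python
"""Baseline posture check for an Android BYOD device: OS version, root status, installed apps.

Added example; the policy values and package names below are assumptions, not figures
from the article. Collection uses adb; evaluation runs offline on captured text.
"""
import re
import subprocess

# Policy (assumptions for this example): minimum Android release, packages that must
# not be present, and the usual locations of an 'su' binary on rooted devices.
MIN_ANDROID_RELEASE = (5, 0)
DENYLISTED_PACKAGES = {"com.example.remotecontrol", "com.example.adware"}  # constructed names
SU_PATHS = ("/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su", "/data/local/su")

# Shell loop run on the device to report which su paths exist (empty output = none).
SU_PROBE = "for p in %s; do [ -e \"$p\" ] && echo \"$p\"; done" % " ".join(SU_PATHS)


def adb_shell(serial, command):
    """Live collection path: run a command on an attached device via adb."""
    return subprocess.run(["adb", "-s", serial, "shell", command],
                          capture_output=True, text=True, check=True).stdout


def collect(serial):
    """Gather the three raw outputs evaluate() needs from a connected device."""
    return {"getprop": adb_shell(serial, "getprop"),
            "packages": adb_shell(serial, "pm list packages"),
            "su_listing": adb_shell(serial, SU_PROBE)}


def parse_getprop(output):
    """Turn getprop output ('[key]: [value]' per line) into a dict."""
    return dict(re.findall(r"^\[([^\]]+)\]: \[([^\]]*)\]\s*$", output, re.MULTILINE))


def parse_release(release):
    """'4.4.2' -> (4, 4, 2); trailing non-numeric text such as '-dev' is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", release.strip())
    return tuple(int(x) for x in m.group(0).split(".")) if m else ()


def version_at_least(release, minimum):
    """Compare dotted versions with zero-padding so that (5,) counts as (5, 0)."""
    n = max(len(release), len(minimum))

    def pad(t):
        return t + (0,) * (n - len(t))

    return pad(release) >= pad(minimum)


def check_os_version(props, minimum=MIN_ANDROID_RELEASE):
    """True when ro.build.version.release meets the policy minimum."""
    return version_at_least(parse_release(props.get("ro.build.version.release", "")), minimum)


def check_root(props, su_listing):
    """Root indicators: an su binary at a known path, or a build signed with AOSP test keys."""
    found = [p for p in su_listing.split() if p in SU_PATHS]
    if "test-keys" in props.get("ro.build.tags", ""):
        found.append("ro.build.tags=test-keys")
    return found


def check_apps(pm_output):
    """Intersect 'package:<name>' lines from pm with the denylist."""
    installed = {line[len("package:"):].strip()
                 for line in pm_output.splitlines() if line.startswith("package:")}
    return sorted(installed & DENYLISTED_PACKAGES)


def evaluate(getprop, packages, su_listing):
    """Return the individual findings plus an overall compliant flag."""
    props = parse_getprop(getprop)
    result = {"release": props.get("ro.build.version.release", "unknown"),
              "os_version_ok": check_os_version(props),
              "root_indicators": check_root(props, su_listing),
              "denylisted_apps": check_apps(packages)}
    result["compliant"] = (result["os_version_ok"] and not result["root_indicators"]
                           and not result["denylisted_apps"])
    return result


# Constructed sample captures standing in for two devices (not real device output).
COMPLIANT_DEVICE = {
    "getprop": "[ro.build.version.release]: [5.1.1]\n[ro.build.tags]: [release-keys]\n",
    "packages": "package:com.android.chrome\npackage:com.android.settings\n",
    "su_listing": "",
}
CHEAP_TABLET = {
    "getprop": "[ro.build.version.release]: [4.2.2]\n[ro.build.tags]: [test-keys]\n",
    "packages": "package:com.android.settings\npackage:com.example.remotecontrol\n",
    "su_listing": "/system/xbin/su\n",
}

if __name__ == "__main__":
    for name, capture in (("compliant device", COMPLIANT_DEVICE), ("cheap tablet", CHEAP_TABLET)):
        print(name, evaluate(**capture))
```

On a real device the three captures come from `collect("<serial>")`; the evaluation is kept separate so the same logic can be run over exports from an MDM or over a fleet of saved captures. A device can spoof any of these signals with enough effort, which is why the article's later point about monitoring and segregating high-risk assets still applies even when a posture check passes.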
With enough time, an attacker can bypass most attempts at blacklisting and poorly configured whitelists, so companies should have policies and practices in place to deal with what should be thought of as inevitable breaches. This includes monitored logs, the ability to wipe devices if they are lost, stolen or compromised, and working out where the business's high-risk assets are.
'These high-risk assets should have additional security controls in place,' says Harris, 'meaning a breach of a mobile device does not necessarily put the company at further risk than that accepted when implementing a BYOD policy.'