Understanding and Mitigating Smartphone Risks
Online Exclusive
Nikola Blagojevic, CFE, CISA
In the past decade, public- and private-sector organizations have greatly increased their use of smartphones for their employees; the devices are now ubiquitous. The upside is simple and quick communication. The downside is that smartphones are easily lost or stolen and are susceptible to cyberattacks because of their technological vulnerabilities. According to the CNBC article "Biggest cybersecurity threats in 2016," by Harriet Taylor (Dec. 28, 2015), "The evolution of cloud and mobile technologies, as well as the emergence of the 'Internet of Things,' is elevating the importance of security and risk management as foundations."
Smartphones are at greater risk in certain places, such as hotels, coffee shops, airports, cars and trains, and home Wi-Fi connections are also risk areas if users don't properly secure them. An attacker could easily access confidential personally identifiable information (PII) and data, such as:
- Personal or professional data (emails, documents, contacts, calendar, call history, SMS, MMS).
- User identification and passwords (to emails, social networks, etc.).
- Mobile applications that record PII.
- Geolocation data about the smartphone user.
Poor configuration of particular smartphone parameters can also lead to security breaches. An attacker can initially target a smartphone that contains little or no classified data but then use it as a steppingstone to build a more complex attack to obtain access to sensitive applications or confidential data. For example, a hacker can use various seemingly unimportant pieces of data to social engineer victims to gain more information that could enable him to stage a successful attack.
So while it's crucial that CFEs are aware that mobile devices — smartphones and tablets — bring fraud risks to organizations, it's also critical that they know the risks of using their own mobile devices in professional settings.
Understanding and mitigating the risks
The European Union Agency for Network and Information Security (ENISA) has defined 10 major risks for smartphone users:
- Data leakage resulting from device loss or theft.
- Unintentional disclosure of data.
- Attacks on decommissioned smartphones.
- Phishing attacks.
- Spyware attacks.
- Network spoofing attacks.
- Surveillance attacks.
- Diallerware attacks: an attacker steals money from the user by means of malware that makes hidden use of premium short message services or numbers.
- Financial malware attacks.
- Network congestion.
We can use these risks (listed from highest to lowest risk) alongside the ISO 27002 standard to review the professional use of smartphones within organizations. Internal auditors might not have the technical expertise, so you could hire external experts with specific skills to perform the proper tests. External experts also provide the independence needed when testing an organization's security measures.
Here are various measures that can help reduce the risks associated with mobile devices:
- Encrypt mobile devices.
- Regularly update mobile devices' applications and operating systems.
- Set strong passwords. Each personal identification number (PIN) should be at least eight digits long because a four-digit PIN can be easily broken. Alphanumeric passwords should be at least eight characters long and shouldn't use common names or words. An easy way to help create a memorable password is to use a favorite sentence. For example, you can create a password from "The ACFE is reducing business fraud worldwide and inspiring public confidence." Use the first letters of each word and replace "a" and "i" with "@" and "1," respectively. Following this method, the password would be: "t@1rbfw@1pc."
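The sentence-mnemonic method and the two length rules above can be expressed as a small checker. The code below is an added example written for this page, not code from the article or from ENISA or ISO 27002: `sentence_to_password` implements the first-letter-plus-substitution recipe exactly as described, and `check_pin` and `check_password` apply the eight-digit and eight-character minimums together with a dictionary check. The function names, the tiny `COMMON_WORDS` list and the decision to reverse the "@"/"1" substitutions before the dictionary lookup are this example's own assumptions; a real deployment would check against a full dictionary or breached-password list. Note, as an educator's caveat, that initials taken from a well-known sentence carry less entropy than a randomly generated password of the same length, so the method is a memorability aid for the minimums given here, not a substitute for a password manager.

```python
"""Derive and check a password using the sentence-mnemonic method from the article.

Added example; function names, policy checks and the word list are this
example's own assumptions, not taken from the article or from ENISA/ISO 27002.
"""
import re

# Substitutions the article describes: "a" -> "@", "i" -> "1".
SUBSTITUTIONS = {"a": "@", "i": "1"}

# Constructed, deliberately short list of common words to reject.
# A real deployment would use a full dictionary or breached-password list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon", "monkey"}


def sentence_to_password(sentence: str, substitutions=SUBSTITUTIONS) -> str:
    """Take the first letter of each word, lowercase it, and apply substitutions."""
    words = re.findall(r"[A-Za-z0-9']+", sentence)
    initials = "".join(w[0].lower() for w in words)
    return "".join(substitutions.get(ch, ch) for ch in initials)


def check_pin(pin: str) -> list:
    """Return a list of policy problems; empty list means the PIN passes."""
    problems = []
    if not pin.isdigit():
        problems.append("PIN must contain only digits")
    if len(pin) < 8:
        problems.append("PIN must be at least 8 digits long (4-digit PINs are easily broken)")
    return problems


def check_password(pw: str, common_words=COMMON_WORDS, substitutions=SUBSTITUTIONS) -> list:
    """Return a list of policy problems; empty list means the password passes."""
    problems = []
    if len(pw) < 8:
        problems.append("password must be at least 8 characters long")
    # "Alphanumeric" is read here as: contains both letters and digits.
    if not re.search(r"[A-Za-z]", pw) or not re.search(r"[0-9]", pw):
        problems.append("password must mix letters and digits")
    # Undo the article's substitutions before the dictionary check so that
    # "p@ssword" is still recognised as the common word "password".
    reverse = {v: k for k, v in substitutions.items()}
    normalized = "".join(reverse.get(ch, ch) for ch in pw.lower())
    if normalized in common_words:
        problems.append("password is a common word (even with substitutions)")
    return problems


if __name__ == "__main__":
    sentence = ("The ACFE is reducing business fraud worldwide "
                "and inspiring public confidence.")
    pw = sentence_to_password(sentence)
    print("derived password:", pw)                 # t@1rbfw@1pc
    print("password problems:", check_password(pw))  # []
    print("PIN 1234 problems:", check_pin("1234"))
    print("p@ssword problems:", check_password("p@ssword"))
```

Run it as a script to see the article's own sentence turned into "t@1rbfw@1pc" and accepted, while a four-digit PIN and "p@ssword" are rejected with the reason for each failure.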
CFEs should safeguard security for their professional smartphones and those in their organizations because they're often laden with confidential company information. (Of course, CFEs shouldn't forget that paper data can be equally confidential and necessitate adequate security measures, but that's for another article.)
Find even more tips on how to guard your PII in the full article on Fraud-Magazine.com.