At the end of last season’s Homeland, a Showtime drama, a pacemaker was hacked, causing the death of a pivotal character. That’s just television, right? A creative unreality where viewers are asked to suspend disbelief in order to enjoy the program? Actually, and scarily, such technological scenarios may be entirely possible in the future, thanks to the Internet of Things.
“The more we are connected, the more dangerous it gets,” said Noah T. Leask, CEO & President, ISHPI, in an interview with Mobile Enterprise. The Internet of Things means the trendy smart house and connected car, he said, both of which can eventually be hacked, causing inconvenience at best and mayhem at worst.
Isn’t that just a conspiracy theory?
“If it can be connected via an electronic signal, we can make it do something,” he said. Just think about what someone might be able to do with a cell phone and a pacemaker in the middle of a restaurant, he said. And frighteningly, no one would ever know.
More likely though, the attacker would choose to use his “cyber weapon” as a platform, to sniff every cell phone in the place, steal passwords to multiple bank accounts, take the money, and by the time any end-user has noticed, the hacker has already withdrawn funds into hard currency.
“We are in danger with mobile phones. 100%.”
Here, There, Everywhere
A first runner-up in this year’s National Small Business Awards, Leask, a U.S. Navy veteran, started a cyber-defense business out of his home with his wife Lisa, a former U.S. Naval officer. The company works with the U.S. Central Command and the Department of Homeland Security among other agencies.
“The way we view cyber — and it’s disturbing to some — but cyber is not tangible,” he said. The U.S. military covers sea, air, land and space, for example. The doorstep to cyber, on the other hand, “is on our hips.”
“You wouldn’t knowingly live in a battle zone. If you want to do so, you would fly to somewhere where fighting is going on.” With the prevalence of smartphones and tablets in daily life, however, “you are now connected to a ‘war fighting domain’ every single day.” It is long overdue for these devices to get protection, he said, specifically the same kinds of security products that we have on our desktops.
That alone will take care of 90% of the issues out there for the general user, he said. Unfortunately, the other 10% may not be stoppable: the attackers who can get at your information do so simply because they are experts at it. They will create exploits they haven’t even thought of yet, Leask said. Indeed, Symantec just recently announced what they believe to be the first ransomware for Android. If that takes off, what other viruses are in store?
Worse, all this can lead not only to someone stealing cash or identities from end users, but to corporate data theft and cyber-terrorism, where not only infrastructure is at risk but also the populace’s general well-being. “Terrorism, that’s what it’s about, to cause fear,” Leask said. A series of incidents over time will cause a sense of uneasiness and agitation among civilians.
How can all this be prevented? Where does the responsibility lie? “Being a libertarian, it’s incumbent on the individual,” he said, to protect one’s own devices. However, government obviously has the responsibility to protect information regarding the country.
Alarming Risk for Business
With privacy on many minds these days, protecting the country, or protecting the enterprise’s corporate assets via data, brings up several concerns to say the least. The Ponemon Institute recently released this year’s “The Risk of Regulated Data on Mobile Devices” study and the results are alarming.
Conducted on behalf of WatchDox, a provider of secure mobile productivity and collaboration solutions, the study shows that 73% of organizations have little control over protecting regulated data on mobile devices. Worse, more than 80% of the participating IT professionals are not aware of how much regulated data is even accessible, either on cloud file sharing services or mobile devices.
Yet, 67% of respondents worked for organizations that are obligated to comply with U.S. and state privacy and data breach laws. Very few, however, realize that these laws include mobile devices — both corporate-issued and personal devices used for work. (Only 18% of survey respondents claimed to be aware of this fact.)
“This is indicative of a bigger problem,” said Larry Ponemon, Chairman and Founder, Ponemon Institute, in an interview with Mobile Enterprise. Companies are collecting more and more personal information without understanding the compliance, he said. And while specific compliance requirements may vary between sectors — a utility is different from a bank or healthcare provider, for example — in all cases the basic tenet is this: end points that connect to the network need to be secure.
In addition, “regulated data” is typically considered to be personal information but it’s actually not that alone — the term also refers to intellectual property. Ponemon cited the recent Edward Snowden scandal as an example. In that case, “the data leaked was about the process, not people.” Most information about a power grid, from its interface and smart meters, etc., is considered regulated data and must be protected. Bottom line: A breach in regulated data can lead to a national crisis.
Yet government, what Ponemon called a “slow moving animal,” has not looked at the special case of mobile devices. Smartphones and tablets must be secured differently than the desktop, he stressed.
“Some of the regulators are asleep at the switch.”
The Enterprise Factor
Mobile security is also a problem in part because it’s not just about technology being insecure, but the human interface, Ponemon said. “Humans make mistakes. They schedule, store photographs, upload videos, on an all-purpose device that people don’t see as a serious computing or storage device.” In reality, these devices are “fully fledged computers with a small footprint.”
So companies are at risk for two things: privacy breach and loss of corporate assets. They will continue to be at risk when, first, they are not aware of how much regulated data exists on the network and, second, when they let employees access such data from unsecured mobile devices.
“Companies are still securing the network or perimeter, but not the actual devices,” Ponemon said. To add to the misery is the BYOD problem, he added, stressing that BYOD is not actually a “problem” in and of itself because from an employer standpoint, it’s great when employees take on the investment in hardware. But when embedded security on these devices is not prevalent, it’s definitely a problem, especially when employees resist such measures on personal devices and in some cases actually disable the security settings.
According to the WatchDox/Ponemon press release, “On average, organizations represented in the study experienced almost five mobile device-related data loss incidents in the past two years, resulting in the breach of an estimated 6,000 individual records.”
Most companies, if they are attacked, certainly won’t advertise it, either from an understandable fear of competitive disadvantage or to prevent a loss of reputation. By confidentially sharing that information with others in the industry, however, a company can do a lot with a little advance warning, Ponemon believes. Can the Improving Critical Infrastructure Cybersecurity executive order promote this method in the near future?
“The recent executive order is a step in the right direction, but only addresses sharing information between enterprises and government, and doesn’t really explain how to do it,” Ponemon replied.
Regardless of what may come, enterprises need to be proactive. Currently though, security solution providers tend to work extensively with companies that have already experienced a data breach and are looking to find out what went wrong. “It’s normally companies invest big dollars AFTER an incident. Before it happens, the attitude is ‘we are really not that interested.’”
This mindset is thankfully changing. Take cyber insurance, which has been around for 15 years. This form of insurance didn’t exactly take off on inception. Within the last three years, however, it has suddenly become a substantially growing market. Why? “More CEOs are realizing that a cyber-attack can kill their companies,” Ponemon concluded.