What does ‘safe’ even mean online?
How to really embrace safety online this ‘Safer Internet Day’
The 11th of February marks Safer Internet Day, and every year the date raises some interesting questions: ‘What are the threats I need to be safe from?’; ‘What does “safe” even mean?’; and ‘How can I stay safe online?’.
At the core of every successful cyber-attack is a human weakness. Technology is enabling new ways of working and empowering an increasingly remote and mobile workforce. However, with this added freedom comes complexity, in the form of restrictions on usage, blocked applications and complicated access rights. The thing to remember here is that ‘users’ are just people, and above all else people are resourceful – users will always find a way to make something easier or quicker.
Where this affects online safety most is when a user employs shortcuts or poor practices on devices that serve for both work and personal use. Often, the most successful phishing attacks are not the ones targeting the email inbox directly, but those that come through other areas of an individual’s personal phone which they access regularly as part of a daily ritual. Once the phone is compromised, an attacker can access everything the phone is connected to.
So for Safer Internet Day 2020, here are some core concepts that organisations and users alike should be aware of when it comes to remaining safe online.
Awareness
‘Being safe online’ starts with awareness. One of the most prudent things to be aware of would be the various surfaces you can be attacked on.
The reality is the phone is an ‘always on’ device. If you hack a laptop, you have access until the person closes the lid. But if you hack a phone, you have access to work and personal information until such time as the device is disconnected – on the rare occasion when the device is turned off, perhaps when boarding a flight. It’s not the device that hackers are after – it’s the connection the device has to data that is so valuable.
The early part of the smartphone era was relatively quiet in terms of cyberattacks. Back then, traditional desktop/laptop and server environments were far more attractive targets due to the sheer numbers of them deployed worldwide. But now phones have not only caught up, but pushed well ahead of desktops in their deployment in many office environments. Whether it’s a computer on your desk or a phone in your pocket, your devices retain a lot of data. All of that information can be quickly accessed by cyber-criminals who know what they’re doing.
Why are smartphones such an attractive target for hackers now? In a recent survey conducted by Lookout at RSA, three-quarters of respondents admitted to accessing corporate data from personal mobile devices and/or public WiFi networks. The devices themselves contain a gold-mine of data and for reasons we’ll move on to, are easier to penetrate.
The mobile device is becoming more used than the desktop PC but is potentially less secure in most organisations.
Trust and how attacks happen
The next concept a savvy, safety-conscious user should be aware of is the idea of ‘trust’.
Users tend to trust their phones and are therefore quicker to respond to mobile alerts, meaning that they are significantly more likely to trust pop-ups that prompt them to install malicious apps and malware, or simply to log in to an app again. For example, utility-based apps such as alarm clocks, camera add-ons and flashlights come with notorious privacy risks, yet many users quickly tap to give away their identity and contact lists without significant thought. At the core of most attacks is a perception gap: people simply assume the phone is safe. Often, on a corporate device, the only protection is a screen cover.
The 2019 Mobile Security Index states that cybersecurity, and mobile device security in particular, cannot wait for regulation to speed things up in the way GDPR did. Companies are leaving mobile devices exposed to a degree they’d never tolerate elsewhere.
The most successful methods cybercriminals use rely on this underlying trust – taking advantage of the smaller screen to make fake sites look legitimate, creating phishing sites and rolling out WiFi attacks. In 2019, Microsoft commissioned a security survey on the Irish market and found that 44% of respondents had experienced problems with cyberattacks in the past year, and 46% had received no cybersecurity training during the same period.
Another thing people trust is the idea that they will spot something out of the ordinary on a compromised device. The reality is that the screen won’t flash ‘attack’, the display won’t turn black and green and there will be no pirate flag raised in your icon bar. You likely won’t notice anything, and that’s the point of a modern attack. It is in the interest of fraudulent apps and hackers to sit quietly in the background and leak information out over time – it’s a spy-game, not a burglary.
Safety is everyone’s job
With so many risks, should businesses consider prohibiting the use of mobile IT in order to prevent smartphone attacks? The answer is no.
Today, users can circumvent IT restrictions they deem unreasonable by using free online email and file storage platforms. Shadow IT is the cost of excessive restrictions implemented by IT departments. By attempting to shut things down, they might inadvertently make things worse. Shadow IT is often just a hard worker trying to get the job done; they don’t realise that what they’re doing poses a genuine risk and simply see a blocked site or app as a ‘silly rule’.
The best time to secure corporate devices is the day they are purchased. The second-best time is right now. Installing MDM (mobile device management) and MTD (mobile threat defence) solutions is a fantastic quick win and a great first step. But without some internal education as to why policies such as authentication, strong passwords and a ban on password recycling are in place, people will inevitably find a way around them.
Mobile is an incredibly fast-moving area, with major technology innovations occurring regularly. This requires IT support models to shift to a more agile approach that utilises specialist skills. Businesses should consider regular training and a dedicated team, or alternatively outsource this function to a specialist.
The reason that people skip over rules like approved apps or password policies is very rarely malicious; it’s because it’s easier. On Safer Internet Day, businesses should reflect on their attitude to cybersecurity and aim to move to a position whereby the path of least resistance is also the most secure one.