While moderating a CIO workshop recently, it was surprising to hear the assessments of attendees when it came to the question of secure messaging on mobile devices.
Industry figures estimate 43 per cent of companies globally had some kind of data breach in 2014, and we recently learned of a most spectacular hacking disaster at Sony Pictures, which reportedly cost the entertainment giant more than $100 million.
Yet, more than half the CIOs with whom I spoke didn’t feel it was important to ensure mobile devices – whether smartphones or tablets – were secure for messaging at all.
While 25 per cent of participants thought that the ability to message securely on mobile devices was very important, a further 15 per cent thought it was only moderately important.
The rationale among these CIOs of why it was not a key consideration was that they felt people don’t communicate about important things via messaging: “Important information is sent via email.”
Yet, we know from our experience in the $50 billion world of enterprise messaging that businesses of all sizes are increasingly using mobile for communications that contain sensitive or confidential information such as intellectual property, classified legal documents, medical reports, investment intelligence, and other financial information.
Every industry and business is potentially vulnerable; companies from healthcare giants to financial stalwarts have seen expensive recent breaches, among them US health insurer Anthem and investment firm Morgan Stanley.
Small and mid-size companies are no exception, as this 2012 incident – in which attackers held patient medical records in Queensland for ransom – shows.
The Miami Family Medical Center’s patient records had been forcibly encrypted by attackers, who demanded $4200 to decrypt the data. The center took the encrypted drive offline and refused to pay the ransom demand.
A report by IBM, The 2014 Cost of Data Breach Study: Global Analysis, found the average cost of a security breach to a company was US$3.5 million.
This highlights the urgent need for companies to secure their mobile messaging ecosystem and the verifiable identity of mobile users against malware, hacking, and spoofing frauds as these devices become increasingly attractive targets for hackers.
The security weaknesses of mobile devices – from non-password-protected phones to unencrypted Wi-Fi transmissions – are magnified further as employers opt for the cost-saving BYOD (bring your own device) approach for daily use in an enterprise environment.
To begin eliminating this gap in enterprise information security, CIOs must focus on securing their entire messaging ecosystems.
Requiring BYOD users to use anti-virus programs is a good start and a best practice, but it won’t stop a hacker who is trying to crack into app software code or the device's software code. It just slows down hackers who attempt to trick you into falling for phishing scams and then install malware on your device to help them do their dirty work.
Since we’ve also seen evidence in the form of those very phishing scams that a mobile user's identity may be spoofed by an unknown source (disguised as a user known to the receiver), no amount of securing the communications channel alone would be of any benefit.
To thwart these spoofing attempts, we must verify and come as near as possible to guaranteeing the identity of the endpoint user.
CIOs must also weigh the productivity and cost trade-offs required to achieve maximum mobile device security. For example, secure mobile device management, or MDM, solutions are costly to roll out and maintain, and may not have the right app ecosystem to enable an entire enterprise’s workflows and use cases.
Instead, CIOs should inspect their company’s internal and external business workflows, processes, and use cases to understand whether a secured ecosystem or secured mobile solution would better meet their needs.
For example, a secure mobile messaging solution may offer significant cost advantages over MDM, especially if it enables most or all of the desired business workflows.
Applications that offer encrypted mobile messaging, including anti-spoofing protection to confirm identity, can deliver the necessary productivity gains while securing a large majority of activities conducted by a mobile workforce.
This protection of users’ communications is far more valuable and cost-effective than a less-productive mobile environment that is 100 per cent secure.
Horden Wiltshire is CEO of Soprano Design, which provides secure mobile messaging technology to mobile network operators.