As the gap between desktop and mobile becomes smaller and smaller, businesses are encouraging the use of mobile apps and a BYOD environment. But with this power of creativity and productivity comes responsibility to security, and that’s something many CISOs are worried about.
One of these threats to enterprise security is data jacking. It’s the misuse or theft of data on a mobile from its primary owner. Examples of data jacking include ransomware, mobile malware, and theft of mobile devices that have sensitive, unencrypted information such as medical data or financial records. In fact, 24 percent of data breaches reported to the Office of Civil Rights in 2016 involved the loss or theft of an unencrypted device such as a USB drive, laptop or cellphone. Data encryption technology on those devices could have prevented the exposure of 1.5 million records last year due to data jacking.
Data jacking also extends to the network at large. Reports surfaced from Kaspersky Lab and others in December 2016 of criminals exploiting open installations of MongoDB and Hadoop databases and holding the information hostage. In that case, attackers simply scanned the internet for the open installations, copied and deleted the contents, and left behind a ransom note for the victim. In some instances, the data was permanently destroyed beforehand—meaning the company never got it back despite paying the ransom. These types of attacks increased 400 percent over a matter of weeks since they were first discovered.
As BYOD, mobile platforms and cloud computing continue to grow, CISOs are understandably worried. According to a 2014 Gartner report, more than 75 percent of mobile applications would fail basic security tests. Between the security vulnerabilities and employee carelessness, what can you do to protect yourself?
Four steps to take to prevent data jacking
- Put strong security measures in place when using third-party or open source software. It is worth noting that the default installation of MongoDB does not require authentication to access the database—a real security risk.
- Test your systems more than once a year. Is everything working properly? Are there any security holes that might have popped up? Testing doesn’t just provide benefits to your disaster recovery system, it’s good for your production as well.
- Limit app permissions. Do you really need your health app to access your contacts? The more data you give an app permission to see, the more you put yourself at risk should it be compromised.
- Ensure secure, encrypted phone messaging. Employees don’t regularly worry if their communications are secure. If you automatically enable encrypted messaging on work devices, you won’t have to worry about it, either.
Ransomware and Ransomware-as-a-Service have paved the way for data jacking in general, so it’s sure to become more common as hackers seek to make easy profits with little work involved. In a growing cloud adoption world, it’s more important than ever to make sure your network is as secure as possible and protect your data. If you’re interested in learning more about a secure cloud infrastructure or a defense-in-depth strategy, visit our cloud page or contact us today.