At the BlackBerry Security Summit held this week in New York City, Forrester Research analyst Tyler Shields conducted a Q&A with three security luminaries to shed light on what’s happening in mobile security as it relates to regulated industries such as energy, healthcare and finance.
In a word, it’s complicated.
There are many real mobile security threats that an organization has to be wary of – and there are no easy answers.
Multiple Platforms Create Attack Vectors
Mark Lobel, a security and privacy expert for PricewaterhouseCoopers, has certainly seen an uptick in attacks on the devices workers carry. That’s compounded in financial services, as those firms must monitor the communications of brokers and customers across multiple platforms.
“How do you do that in a world where everybody wants to do everything on their mobile devices?” he mused. “That’s the challenge, and that’s what companies have to address. We’re seeing the trends to the attacks increasing, and we’re seeing those attacks coming across all platforms with mobile as one of the new attack vectors.”
The Lure of Personal Health Information
Nantworks CIO and Nantcloud CEO David Jemmett, an expert on healthcare security and privacy, sees Personal Health Information, or PHI, as a huge lure for hackers and identity thieves.
“In healthcare, PHI is one of the top things people are going after from a hacking or phishing standpoint, because you can fill out a credit information form and get some great information to obtain credit cards. With your healthcare information, you get more than anything else,” he said. “That’s what we’re trying to protect. We’ve chosen BlackBerry for that specific reason, because of the security aspects it has with the device.”
As everything moves to devices, the attacks on the healthcare field have ballooned, Jemmett said.
Mark Weatherford of the Chertoff Group is the former Deputy Undersecretary of the Department of Homeland Security, and also the former Chief Security Officer (CSO) for the North American Electric Reliability Corporation and the states of California and Colorado.
It’s the physical threat that’s the biggest problem, Weatherford said, even while it doesn’t get as much attention as the other areas.
“I would sooner share my toothbrush with you than let you plug your phone into my laptop,” he said.
He sees a number of threats migrating over from the PC world into the mobile sphere.
‘The Sins and the Sinners’
“In just the last couple of years – certainly in some specific devices – the threats against them have really exploded,” he said. “It really is a challenge for mobile companies now for certain platforms to address these kinds of things because the ubiquity of the devices is really profound. We have what General Mike Hayden calls ‘the Sins and the Sinners:’ the things like espionage, criminal activity, hacktivism and terrorism are the sins, and the sinners all go along with that.”
The government has to respond differently than a conventional enterprise would, even a regulated finance or healthcare firm, he said.
“Certainly, the government has to react a bit differently – there are different responsibilities the government has for protecting the information of the citizens and with the different government agencies,” Weatherford said.
Predicting the Future: ‘Get Out of the Way – the Train’s Coming’
“There’s a tradeoff between user experience and security,” Shields said, asking: “What does the future look like for mobile security and what are the driving factors that would cause it to be more successful?”
Having a ubiquitous platform where employees can just focus on their jobs is a key goal, Jarrett said. “That’s when we can really focus on the security aspects.”
In financial services “it’s going to be risk management, because there has to be infrastructure that covers every type of data and protects the customer as well,” Lobel said. “How do you do fingerprinting on the device and know that the people on the other side of the transactions are who they say they are? That’s going to be a huge challenge, and the rollout of better security tools and infrastructure is going to be pushed by the regulators and those institutions.”
For Weatherford, the threat of major hits to the national infrastructure via mobile attacks is a huge area of concern for the government.
“I would not be surprised to see further regulation around some of these infrastructures. Certainly, healthcare is facing that now,” he said. “In the energy sector, many of the facilities are very distributed in remote locations. For mobile applications, it’s like, ‘Get out of the way – the train’s coming.’”