The threat is invisible but incessant, as the recent large-scale attack on British bank HSBC shows. In information technology, we live in a time of fantastic new breakthroughs, but it is also a time of cold sweats for businesses. Their fears are well founded.
During a recent Paris workshop on "Security: Info Systems and the Challenge of Mobility," a young research engineer calmly took control of another person's iPad from his own laptop over Wi-Fi. To make the demonstration more spectacular, he even switched on the tablet's microphone remotely. To the mesmerized audience, it looked like a spy movie.
"Getting into an iPad is simple," he said, even though Apple's iPad has the reputation of being extremely safe from attack.
The next day, his feat was no longer possible: Apple had updated its operating system to version 6. "But for how long?" wondered one technician, mischievously. Audience members were imagining how many "experts" were already hunting for flaws in the new system. "The pirates go faster than we do," admits Yves Le Floch, director of development at Sogeti Security Global Line.
This demonstration was part of a wider effort by the French data protection authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), to educate computer users about risks. The anecdote illustrates that many businesses are groping in the dark when it comes to the unprecedented challenges posed by mobile devices such as smartphones and tablets, the "BYOD" (Bring Your Own Device) trend, and cloud computing.
These sectors are considered major information technology markets, but they also create so many new problems that mobile device security was the subject of many workshops at the French Assises de la sécurité et des systèmes d'information, an annual meeting of Internet security specialists held at the beginning of October. In 2013, security will represent 14 % of the cost of operating information technology. Worldwide, more than $60 billion is being spent on computer security, according to Symantec. Cybercrime costs $400 billion a year.
The combination of mobility, BYOD, and cloud computing is explosive. In the digital ecosystem, the boundaries between a company and its clients, partners, suppliers, and employees are becoming blurred, explains the French security association CLUSIF (Club de la sécurité de l'information français). At the same time, more and more information is being produced, and systems everywhere are becoming interconnected. According to CLUSIF, 81 % of French companies believe that an outage of their information systems, even one lasting less than 24 hours, would have dire consequences, and 71 % of small firms that suffer a cyber-attack never recover from it.
A new environment
It's like a tsunami. Mobility is at the heart of the problem for information systems, experts note. The market for tablets and smartphones, which now account for half of all page views on the Internet, has soared.
"It's impossible not to use them at work now," says an IT manager. BYOD is being driven by three powerful forces, which are sociological, economic, and technological, says Edouard Jeanson, technical manager at Sogeti.
The sociological aspect is that it has altered the way people work. In 2013, 37 % of small and medium-sized firms will employ people who work remotely either part-time or full-time, says Symantec. The economic aspect is that employees buy their own devices, which is good for businesses' bottom line and productivity. Half of all businesses in France now allow employees to connect their own devices to the company information system, according to CLUSIF. The technological aspect is that smartphones have become almost unlimited in capability, thanks to cloud computing and fast processors.
Everyone uses cloud computing daily, often without realizing it, for email, online gaming, instant messaging, and social networking, but also for things like online tax forms, credit card payments, and photo-sharing websites. This has been a revolution, according to specialists. Today, ‘mobility’ is synonymous with ‘cloud.’ "The use of cloud applications by tablets is massive," says Hervé Doreau, security practice manager at Symantec.
The growth in cloud computing is estimated at 15 to 20 % a year, and total cloud business turnover in Europe was 6 to 7 billion euros this year. This is certainly just the beginning.
"Our job is to be paranoid," says a security manager. Infected emails and software, viral attacks, data theft, hijacking of payment systems, fraudulent identities, illegitimate certificates, remote takeovers of networks, access to industrial control systems, and so on: the list of attacks on personal and professional information systems is long.
Attackers might be cybercriminals working for profit, activists fighting for their ideology, or hackers whose motivation is often the sheer challenge of the hack. The targets have changed over time. Earlier, most attacks targeted the infrastructure itself, which was infected with viruses or worms. Now, theft of information or of digital identities is more common, because the data itself has value.
Today the danger concerns mobile users who download malicious apps. "Our biggest worry for the past two years is BYOD. The risk is information leaks, because professional and personal data are not usually segregated," says Leclerc. The cloud is not much better. "Where is my information?" the naive client asks. The question comes up repeatedly. Once you have handed your data to a third party, you no longer control it. Shared infrastructure in the cloud means data can leak from one customer to another. The information can also be requisitioned by foreign authorities.
Also, even if the data is encrypted when it is handed over, the provider or its subcontractor may store and process it in plaintext once it is in the cloud. And the data may not be available around the clock if there is a technical problem.
How secure is the cloud hosting service? Has it invested as much in security as clients wish? (On this point, total honesty is rarely the rule.) How do you get your data back if you want to change providers?
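The plaintext problem above has a well-known mitigation that the article does not spell out: encrypt the data on the client, with a key the provider never receives, so that what sits in the cloud is only an authenticated ciphertext. The following Go program is an added illustration written for this page, not code from CNIL, Sogeti, Symantec or any provider mentioned; the key, the object label and the sample payroll line are all constructed for the demo. It uses AES-256-GCM from the Go standard library, binds the object name into the authentication tag, and shows that a blob altered on the provider's side is rejected on download instead of being silently accepted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptForUpload seals plaintext under a client-held 32-byte AES-256-GCM key.
// The returned blob is nonce || ciphertext || authentication tag. That blob is
// all the provider ever stores; without the key it can neither read nor alter it.
// The label (for example the object name) is authenticated but not encrypted,
// so a blob that is swapped under another name fails to open.
func EncryptForUpload(key, plaintext, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce, yielding nonce || ct || tag.
	return aead.Seal(nonce, nonce, plaintext, label), nil
}

// DecryptAfterDownload opens a blob produced by EncryptForUpload. Any change to
// the nonce, ciphertext, tag or label makes Open return an error, so a blob
// corrupted or substituted on the provider's side is rejected.
func DecryptAfterDownload(key, blob, label []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, label)
}

// newAEAD builds the AES-256-GCM primitive and rejects keys of the wrong size.
func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo. In production the key comes from a client-side KMS,
	// HSM or password KDF and never leaves the client; the provider sees blobs only.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	label := []byte("hr/payroll-2013.csv") // assumed object name, not from the article
	blob, err := EncryptForUpload(key, []byte("name;salary\nDupont;52000\n"), label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored at provider: %x\n", blob)

	pt, err := DecryptAfterDownload(key, blob, label)
	fmt.Printf("client decrypts: %q err=%v\n", pt, err)

	blob[len(blob)-1] ^= 0x01 // simulate provider-side corruption or tampering
	_, err = DecryptAfterDownload(key, blob, label)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The provider still sees object sizes, names and access patterns, and still decides availability; client-side encryption answers "can they read it?", not "where is it?" or "will it be there at 3 a.m.?". It also moves the key-management burden onto the client, which is exactly the contractual point the next paragraph raises.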
Attackers, meanwhile, no longer need to break into a business's network. Now all they need is a set of valid account credentials found online. If they manage to get into a cloud provider's management system, for instance, they have direct access to huge numbers of passwords and credit card numbers. Last year, Sony learned this the hard way when 24 million customer accounts were compromised.
Caution is required, but businesses are not all equal in dealing with security problems. The biggest firms can negotiate each aspect of their contract with the hosting service, but small businesses have to deal with standard contracts whose details they can’t change, says the CNIL. Does that mean that they should leave the cloud? That would mean leaving the Internet.
Companies have evolved in order to deal with these risks. People now speak of "digital hygiene," and according to surveys, 100 % of businesses now have a full-time security team, compared with only 43 % in 2010. "More and more company heads are going to have to take responsibility for this issue," Sogeti notes. Much remains to be done. "We've reached the hard part now. We have to re-examine security in a systematic way," says Le Floch. Although security policy is making progress, it is too often implemented haphazardly, after an incident or a new regulation.
More surprisingly, the purely technical aspects of security are no longer the most important factor. "Too many businesses thought they were protected just because they installed technical devices, which ended up being bypassed altogether," explains Sogeti. The key to security lies elsewhere. "25 % of security is technical, 50 % is internal organization, and 25 % is regulatory and legal," says Jeanson. "It's like a three-legged stool, you need all three."
Businesses, then, need to make their employees aware of computer security and train them on the subject, because employees are the weak points. Firms need to set clearly defined IT security rules. Security managers need to work closely with general management. And a company must remember to keep its existing security procedures up to date.