Airmic

Businesses vulnerable to cyber-attacks on personal devices

Employee's phones and tablets are a security weak point, according to Michael Hayton of Orion Security Services.

On 25 May 2018 the General Data Protection Regulation will come into force. Failure to protect clients' data will result in fines of up to 4% of global turnover or up to £20 million, whichever is greater. Unless organisations prove that they have shown due diligence and mitigated against hackers then the maximum fines will be imposed.

The financial implications of this legislation could be hugely significant. Cybercrime is likely to become an even greater concern for a company's board, and something that can no longer be delegated to the head of IT.

The cost of cyber fraud in the UK is an estimated £27 billion per year and the National Crime Agency recently issued a statement saying that police forces are struggling to cope.

Until recently, computers were the main focus of attack. However, they are no longer the easiest target as anti-virus software is pre-installed as a recognised necessity and companies spend substantial time and money on ensuring firewalls are effective.

The GDPR: What risk managers need to know:

Find out all you need to know about the GDPR and how to ensure your business is compliant by downloading a joint report by Airmic and BLM. Download The EU General Data Protection Regulations: What risk managers need to know here.

Today, mobile phones and tablets are the most vulnerable devices, with their "always on" nature making them the weak link. However, they are often the most ignored element of an organisation's cyber security defences. Espionage is the fastest growing cyber-crime in the world. Corporate secrets, business deals and sensitive data sent via smartphones and tablets are intercepted, copied, recorded, adapted or deleted daily by thieves.

It is this weak link that criminals exploit when undertaking Man in the Middle (MITM) attacks. MITM attacks are a form of eavesdropping where communication between two parties is intercepted without either knowing. The technology exists for this to happen easily, effectively and at low cost.

A mobile device constantly sends signals which ping back and forth to G.S.M (Global System for Mobile Communications) towers. Thousands of these towers are located across the UK. However, criminals can buy Russian or Chinese G.S.M Towers on the internet or through the Dark Web from as little as £100, and they can be as small as a briefcase.

Mobile devices are programmed to automatically tune to the nearest available tower. If a criminal is sitting in the foyer of your business – or even in a car parked outside the building, he can intercept all mobile communications (voice, data and text).

The danger doesn't stop at the office. Because people increasingly work from their mobile devices while on the move, corporate security can be breached at a wide range of locations. Research shows that airports, train and tube stations, coffee shops, hotels and hospitals have all suffered from infected wifi networks, leaving users vulnerable to data breaches.

MITM attacks are of course only one type of cybercrime, but one that can be overlooked by businesses understandably focusing on their core computer network. In preparing for the GDPR, businesses must have a thorough understanding of the new legislation and have robust cyber security plans in place that take into account all vulnerabilities.

Michael Hayton is a director of Orion Software and Security Services.