Author: Giancarlo Butti
Giancarlo Butti holds an MBA in business management and organization development from the Polytechnic University of Milan. He has been passionate about ICT, and about the organization and rules that govern it, since the early 1980s. He held several positions within major banking institutions (security manager, project manager and auditor) before becoming a senior consultant on security and privacy for a large number of companies of different sizes operating in diverse sectors. Alongside his professional activities, he shares his knowledge through articles, books, white papers, technical manuals, lessons, seminars and conference speeches. He regularly teaches privacy, audit and ICT compliance at ABI (Italian Banking Association) Training, and also at CETIF, ITER, INFORMA BANCA, CONVENIA, CLUSIT, IKN and the State University of Milan. Author of more than 700 articles and a regular contributor to more than 10 online and 20 print publications, he has published 21 books and white papers, some of them used as university textbooks, and has contributed to nine collective volumes published by ABI LAB, the Oracle Community for Security, CLUSIT and others.
He is a member and co-opted expert of AIEA, and a member of CLUSIT and of the BCI. He takes part in the ABI LAB working groups on Business Continuity, Digital Risks and GDPR, in the ISACA-AIEA working groups on EU Privacy and 263, in the Oracle Community working groups on security and fraud, eIDAS, transaction security and SOCs, in the UNINFO working group on privacy professional profiles, and in the ASSOGESTIONI working group on GDPR. He is a member of the ABI Training Faculty and of the OMAT360 Roster of Experts for Innovation, and is one of the coordinators of www.europrivacy.info. He holds the LA BS7799, LA ISO/IEC 27001, CRISC, ISM, DPO, CBCI and AMCBI certifications.
The use of mobile devices carries significant security risks that companies very often fail to recognize as such. Yet awareness of these risks is a prerequisite for implementing suitable preventive measures that limit, as far as possible, the resulting damage.
When thinking about the intrinsic risk of using a mobile device such as a smartphone, one naturally tends to think of the possible interception of the communication between the two parties to a conversation. In reality, the complexity of these devices and the richness of the functions they offer their owner make them particularly insidious, to the point that companies should now evaluate whether to authorize their use by employees and visitors at all, above all in areas where activities requiring an adequate level of protection and/or confidentiality take place.
Such a precaution runs completely counter to everyday practice, where these devices, whether company-owned or personal, are almost everywhere and are used in the most important moments of a business's life, such as discussions of strategic decisions or executive board meetings.
Every mobile device is now equipped with several sensors that can capture everything in its immediate surroundings:
- Video cameras (often two), with which one can record video with sound, or take pictures, including high-resolution ones, of places, people, documents or screens displaying interesting content.
- Microphones, with which one can make audio recordings without the surrounding people noticing.
Surveillance of an area with a mobile device can take place simply while the phone lies on a desk (a situation considered perfectly normal), during an audio recording made in the room, or when the device is activated by a call to a remote tool that stores the recording.
The recording can be started by the owner of the device, but we must also consider the possibility that surveillance of the area through the device has been activated by a third party, via spyware, without the legitimate owner's knowledge.
Such spyware ("captatori informatici" in Italian legal terminology), in reality apps or software installed without the user's knowledge, can activate the microphone to record conversations or otherwise keep the user's surroundings under surveillance. This software sometimes gives complete control of the device, and therefore access to emails, calendars and any other document or file stored on the device itself.
Recently, Italian criminal law, like the law of other EU member states, has been amended to allow law enforcement agencies to use tools of this kind, although in that case the limits of their use and the scope of the surveillance are clearly defined.
As a consequence, the good faith or reliability of staff at every level, and of the visitors, clients or contractors entering the company, is no longer a sufficient guarantee: a trustworthy person can unknowingly carry a compromised device. When important or confidential topics are discussed, the best precaution is to forbid any mobile device nearby, so as to avoid information leaks.
A smartphone can also be used as an external hard disk. It is enough to connect it, by cable or over Wi-Fi, to a PC or another device to extract a large quantity of data, which in this way passes from the company's network to the private device.
Such a transfer can be observed in real time if the company has set up traceability systems (endpoint logging of removable storage and network connections), or it can be prevented outright if USB ports are sealed and users lack the privileges needed to activate Wi-Fi connections on their work PC. Nevertheless, data transfer and exfiltration can also take place through other channels that cannot be traced or confined, such as filming the screen with the smartphone's camera. Even though this is not easy to do, it is possible, and when the information at stake is vital and its exfiltration is of the highest value to a third party, the cost of acquiring the skills and techniques for extraction, and possibly for decryption, is fully justified.
It hardly needs recalling that everything stored on a device, whether lawfully or unlawfully, is also exposed to all the risks arising from possible loss or theft of the device, or from poorly supervised management of its Wi-Fi and USB connections and of the device itself. Of course, in the case of an unlawful exfiltration, the criminal using the device will certainly have taken every precaution against such a risk.
Wi-Fi routers and similar devices
Another possible use of a mobile device is as a Wi-Fi router (tethering or hotspot mode), through which poorly protected company devices can be connected directly to the internet over the mobile network.
If those company devices are at the same time connected to the intranet, the host becomes dual-homed and a breach is opened in the security perimeter: traffic over the new connection is not inspected by the firewall and the other protections against external threats. For this reason, and also to prevent the exfiltration of documents over Wi-Fi, companies should disable the very possibility of creating new network connections on their own devices.
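The two channels discussed above, copying to a phone over USB and joining a phone's hotspot while still wired to the intranet, both leave traces in ordinary host logs. The following is an added example, not code from the original article or from any product it mentions, of a small host-side detector over such traces. It assumes Linux kernel `usb-storage` messages and NetworkManager activation lines in syslog, and `ip route` output for the dual-homed check; the allowlists, gateway address and all sample log lines are constructed for the example.

```python
"""Added example: detect unapproved USB mass storage, unapproved Wi-Fi
networks, and a dual-homed host (two default routes) from host logs.
Policy values and sample data below are assumptions made up for the demo."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, List

# --- Policy (assumed values; a real deployment would load these from config) ---
APPROVED_SSIDS = {"Corp-WLAN"}              # the company's own wireless network
APPROVED_USB_SERIALS = {"CORP-ENC-000123"}  # company-issued encrypted USB drives
CORP_GATEWAY = "10.0.0.1"                   # default gateway of the wired intranet


@dataclass(frozen=True)
class Alert:
    kind: str    # "usb-storage" or "wifi"
    detail: str


# Kernel logs the serial for the USB port before the usb-storage driver binds.
USB_SERIAL_RE = re.compile(r"usb (?P<port>[\d.\-]+): SerialNumber: (?P<serial>\S+)")
USB_STORAGE_RE = re.compile(
    r"usb-storage (?P<port>[\d.\-]+):[\d.]+: USB Mass Storage device detected")
# NetworkManager activation line; the SSID is the connection name in quotes.
NM_CONNECT_RE = re.compile(
    r"device \((?P<iface>\w+)\): Activation: starting connection '(?P<ssid>[^']+)'")
DEFAULT_ROUTE_RE = re.compile(r"^default via (?P<gw>[\d.]+) dev (?P<dev>\w+)")


def detect_from_logs(lines: Iterable[str]) -> List[Alert]:
    """Scan syslog lines and return alerts for unapproved storage or networks."""
    alerts: List[Alert] = []
    serial_by_port = {}  # correlate the SerialNumber line with the later usb-storage line
    for line in lines:
        m = USB_SERIAL_RE.search(line)
        if m:
            serial_by_port[m.group("port")] = m.group("serial")
            continue
        m = USB_STORAGE_RE.search(line)
        if m:
            serial = serial_by_port.get(m.group("port"), "<unknown>")
            if serial not in APPROVED_USB_SERIALS:
                alerts.append(Alert("usb-storage",
                                    f"unapproved mass-storage device serial={serial} "
                                    f"on port {m.group('port')}"))
            continue
        m = NM_CONNECT_RE.search(line)
        if m and m.group("ssid") not in APPROVED_SSIDS:
            alerts.append(Alert("wifi",
                                f"{m.group('iface')} joined unapproved network "
                                f"'{m.group('ssid')}'"))
    return alerts


def dual_homed_routes(ip_route_output: str) -> List[str]:
    """Return default routes that bypass the corporate gateway (empty list = OK)."""
    foreign = []
    for line in ip_route_output.splitlines():
        m = DEFAULT_ROUTE_RE.match(line.strip())
        if m and m.group("gw") != CORP_GATEWAY:
            foreign.append(f"{m.group('gw')} dev {m.group('dev')}")
    return foreign


# Constructed sample data (not real logs): a phone plugged in as mass storage,
# a company drive, a join to the corporate SSID and a join to a phone hotspot.
SAMPLE_SYSLOG = """\
kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
kernel: usb 1-1: Product: Mobile Phone
kernel: usb 1-1: Manufacturer: ExamplePhone
kernel: usb 1-1: SerialNumber: PHONE-9F3A77
kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
kernel: usb 2-3: SerialNumber: CORP-ENC-000123
kernel: usb-storage 2-3:1.0: USB Mass Storage device detected
NetworkManager[812]: <info>  [1700000000.0001] device (wlp2s0): Activation: starting connection 'Corp-WLAN' (a1b2)
NetworkManager[812]: <info>  [1700000600.0002] device (wlp2s0): Activation: starting connection 'Android Hotspot' (c3d4)
""".splitlines()

# Constructed `ip route` output: wired intranet plus a hotspot default route.
SAMPLE_IP_ROUTE = """\
default via 10.0.0.1 dev eth0 proto dhcp metric 100
default via 192.168.43.1 dev wlp2s0 proto dhcp metric 600
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.57
192.168.43.0/24 dev wlp2s0 proto kernel scope link src 192.168.43.12
"""

if __name__ == "__main__":
    for alert in detect_from_logs(SAMPLE_SYSLOG):
        print(f"[{alert.kind}] {alert.detail}")
    for route in dual_homed_routes(SAMPLE_IP_ROUTE):
        print(f"[dual-homed] extra default route {route}")
```

On the sample data the detector raises one alert for the phone's mass-storage interface, none for the approved company drive, one for the hotspot SSID, and reports the second default route through 192.168.43.1. Allowlisting by serial number is only a first cut: serials can be spoofed, so in practice it is paired with the blocking controls described above rather than used on its own.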
BYOD (Bring your own device)
Even though a growing number of companies allow the use of personal devices for work, this does not make the practice safe: it carries several risks, sometimes very serious ones, for the company itself. The security problems of the device can have a knock-on effect on the confidentiality of the company's information, even where detailed and well-articulated rules on the precise conditions of use have been put in place.
Even the simple possibility of accessing work email from a mobile device, which avoids the riskier direct access to the network, is anything but safe. Reading email implies downloading attachments as well as the messages themselves, each of which becomes a copy stored on the mobile device, whose security level the company cannot adequately control.
Moreover, a company may face objective difficulties in exercising any control over an employee's personal device. The company should therefore acquire tools able to recognize any device attempting to connect to its servers remotely, distinguishing company-owned devices from private ones (for instance through device certificates or a mobile device management enrolment check) and, in the latter case, refusing the connection.
Use of working time within the company
It may seem banal to recall that the availability of a mobile device with multiple active communication channels (voice, SMS, MMS, WhatsApp and so on) means that during working hours part of employees' time is devoted to their personal network of relationships. This is not necessarily negative, since the balance between work and private life is increasingly a focus for companies and lawmakers alike, as recently established and emphasized by the new Italian legislation on agile working.
It is therefore advisable not to build company policy around the idea of an outright ban on access, which would be at odds with reality. What companies must do is establish clear rules on the use of mobile devices wherever real risks to their own security exist.