Significance of protecting enterprise security
Keywords: enterprise security, data breach, Android, malware, phishing
It's a gloomy time in enterprise security right now. Hacks of customer data come with demoralizing regularity. Unisys fears that consumers are developing "data breach fatigue" [1]: that we are all inured by the onslaught; the spilling of our nominally private information by Target, Adobe, Michaels, eBay, etc., etc. has gotten to the point where we accept it as the cost of the digital age.
On the enterprise side, TechCrunch suggests that companies are slipping into "learned helplessness": corporations are surrendering to the idea that "security is a complete debacle and will always be so".[2] If neither tech giants like eBay, nor cutting-edge newcomers like Snapchat can secure their customer data, then how can anyone else be expected to?
A major targeted attack like the one that befell Target obviously costs money: the scramble to fix security, obligations to customers and credit card payment processors, etc. Initial estimates suggest that the direct expense will be over $100M; fines associated with the event could be several times that if Target is found to have been out of compliance with security standards.[3]
An attack also exacts a high price to the brand, that intangible quality that makes the store a desirable place to shop. Between bricks-and-mortar and online shops, customers have more choice than ever, so retailers can't afford more obstacles: "This was the store that caused me to have to switch my credit card last month" is a powerful disincentive to shop somewhere.
Foremost in most minds are the companies with consumer data, but a parallel battle is going on between governments and strategically important industries. We've been aware of Chinese government hacking for some time; now we find that Iran is successfully doing much the same.[4]
Together, data breach fatigue and learned helplessness are the recipe for a defeatist complacency; it's the formula by which the hackers (be they criminal enterprises or foreign governments) ultimately win. And, even as corporations struggle just to hold the line in their primary enterprise network and PCs, a new front is opening in the fight: mobile devices.
Spurred by the economies and potential productivity improvement, companies are blessing bring-your-own-device (BYOD) policies for their workforces. Needless to say, malware developers are not far behind: more than 150,000 unique Android malware apps have been identified [5]. Because of the way they're used, they represent a new attack surface: a new segment of the enterprise security perimeter, and a ripe target for a hacker trying to set the first hooks of a targeted attack.
Potentially even worse than the malware are the phishing and man-in-the-middle opportunities that a mobile device provides. Users are often half-distracted (trying to reduce their inbox while waiting in line to order lunch), ready to blithely click on a link that's not from the coworker it appears to be from. Or maybe they're auto-connected to a café or airport Wi-Fi network that has been hijacked since they registered with it. Security can be attacked at every interface between human and machine, or machine and machine; it needs to be defended at every interface.
There has not yet been a significant targeted attack whose initial exploit was a mobile device, but it's only a matter of time. Wouldn't it be better to close the door while the horses are still in the barn?
References
[1] CNN Money
[2] TechCrunch
[3] Washington Post
[4] NY Times
[5] eWeek
About the author
Art Swift is CEO of CUPP Computing, which provides security solutions for mobile systems, such as tablets, smart phones, remote service devices and the Internet of Things (IoT). CUPP Computing is headquartered in Oslo, Norway, and has operations in Netanya, Israel and Palo Alto, CA.