This past week it was reported that the personal data of over 57 million Uber users worldwide was compromised in a massive data breach in 2016. According to Uber*, information such as names, email addresses, phone numbers, and the driver's licence details of 600,000 drivers in the United States was exposed. While the company claims that the downloaded data has been destroyed and that there is no indication of its misuse, the incident has raised concern about security, compliance, and the risk of data breaches among government regulators, enterprises and end users.
What Uber’s Data Breach means for Mobility
Mobility is relatively unprotected compared with enterprise network infrastructure, and even more so compared with the third-party cloud-based systems involved in Uber's data breach. This is largely because unsecured mobile devices provide a backdoor for cyber threats into otherwise secure infrastructure, dramatically increasing a business's vulnerability to attack.
The implication is that companies utilising mobile technology to increase productivity are significantly more susceptible to cyber threats. IBM** discusses this in its 2017 "Cost of Data Breach Study", suggesting that mobility not only increases the complexity of IT security and of responding to data breaches, but also prolongs data recovery and response time and raises the costs associated with a breach.
These costs can be significant for businesses, with IBM approximating the cost per breach at $7.35 million. This does not account for the damage to a company's reputation, or the possible compliance ramifications for senior management associated with failing to disclose a security event, as is evident for Uber, which is facing multiple investigations by state governments after its failure to report the data breach. Businesses should realise that the best way to avoid the consequences of a cyber breach is to prepare for and prevent cyber threats.
Understanding the Threats
With significant consequences related to data breaches, and with mobility posing a more accessible threat than cloud and third-party infrastructure, companies can learn from Uber by focusing on minimising their risk exposures and readying responses to a potential breach.
When it comes to mobile security exposure, there are many risks that businesses need to consider, including:
- Single Sign-On (SSO) to business applications, because once you've been authenticated, you're in;
- Access to employee and customer data through cloud applications, including:
  - Client systems such as Salesforce, Dynamics, ServiceNow or SAP;
  - Cloud file storage services such as OneDrive, Dropbox or Box;
  - Note sharing applications like Evernote and OneNote;
- Accessing company information through public WiFi or unsecured networks, which are susceptible to man-in-the-middle attacks;
- Phishing, viruses, malware, and ransomware; and
- Juice jacking, where your device can be compromised at public battery recharge stations.
Minimising and Managing Risk
The sheer number of threats can catch businesses by surprise, which is why it is vital for companies to adopt threat reduction strategies that enable greater risk prevention. The security team at imei identifies four layers associated with minimising risk:
- Firstly, the development and application of good company policies aimed at educating device users about the risk to corporate data, security exposures, and the appropriate response to take against cyber threats.
- Secondly, the use of Mobile Device Management (MDM) tools to mitigate the risk of data breaches by enforcing device compliance. MDM allows companies to implement passcodes, data encryption for iOS devices, device tracking, device locking, device wiping, authentication, and network access control.
- Thirdly, the use of Mobile Threat Management (MTM) tools to help improve security for businesses by detecting, analysing, and responding to threats on mobile devices. The result is that companies can mitigate their exposure, reducing the chance of encountering a threat and improving their readiness in the event of an attack.
- Lastly, companies should also be investing in compliance policies to mitigate their risk further. For Uber, not informing regulatory bodies of the data breach has led to multiple legal investigations. Businesses can learn from this by ensuring that their data and security policies and strategies are compliant and current. From February 2018, under the Notifiable Data Breaches Scheme***, all organisations covered by the Australian Privacy Act must inform both the individuals who are at risk of serious harm due to a data breach and the Office of the Australian Information Commissioner (OAIC).
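To make the MDM layer above concrete, here is an added example (not imei's code and not any vendor's MDM product) of the kind of compliance evaluation an MDM enforces: each enrolled device's posture is checked against a policy, and the response (block network access, lock, or wipe corporate data) is chosen from the violations found. The policy thresholds, the escalation order and the device records are constructed assumptions for illustration.

```python
"""Added example: evaluate mobile device posture against an MDM-style compliance
policy and decide the enforcement action. Not imei's or any MDM vendor's code."""
from dataclasses import dataclass

# Hypothetical policy; the thresholds are assumptions, not taken from the post.
POLICY = {
    "min_passcode_length": 6,
    "require_encryption": True,
    "require_os_at_least": (11, 0),   # assumed minimum OS version, e.g. iOS 11.0
    "max_days_since_checkin": 7,
    "block_jailbroken": True,
}


@dataclass
class Device:
    device_id: str
    passcode_length: int        # 0 means no passcode is set
    encrypted: bool             # device storage encryption enabled
    os_version: tuple           # (major, minor) so tuples compare naturally
    days_since_checkin: int     # days since the device last reported to the MDM
    jailbroken: bool            # integrity check result reported by the agent


def evaluate(device, policy=POLICY):
    """Return (is_compliant, violations) for one device."""
    violations = []
    if device.passcode_length < policy["min_passcode_length"]:
        violations.append("passcode")
    if policy["require_encryption"] and not device.encrypted:
        violations.append("encryption")
    if device.os_version < policy["require_os_at_least"]:
        violations.append("os_version")
    if device.days_since_checkin > policy["max_days_since_checkin"]:
        violations.append("stale_checkin")
    if policy["block_jailbroken"] and device.jailbroken:
        violations.append("jailbroken")
    return (not violations, violations)


def enforcement_action(violations):
    """Map violations to one of the MDM responses the post names. The
    escalation order here is an assumption chosen for illustration."""
    if not violations:
        return "allow"
    if "jailbroken" in violations:
        return "wipe_corporate_data"      # device integrity cannot be trusted
    if "stale_checkin" in violations:
        return "lock"                     # device has gone dark; lock until it checks in
    return "block_network_access"         # passcode/encryption/OS gaps: quarantine until fixed


# Constructed sample inventory; these are not real devices.
FLEET = [
    Device("dev-001", 6, True, (11, 2), 1, False),
    Device("dev-002", 0, False, (11, 2), 2, False),
    Device("dev-003", 8, True, (10, 3), 12, False),
    Device("dev-004", 6, True, (11, 2), 1, True),
]


def compliance_report(fleet=FLEET, policy=POLICY):
    """Return {device_id: (action, violations)} for the whole fleet."""
    report = {}
    for device in fleet:
        _, violations = evaluate(device, policy)
        report[device.device_id] = (enforcement_action(violations), violations)
    return report


if __name__ == "__main__":
    for device_id, (action, violations) in compliance_report().items():
        print(f"{device_id}: {action} {violations}")
```

Run as a script it prints one line per device; in practice the same evaluation would run on every check-in, and the chosen action would be pushed to the device through the MDM's management channel.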
imei: Enterprise Mobility
If you have any questions relating to your mobile security, we'd be happy to help validate your direction, give an external view, explore better pathways, or just expand your knowledge. Get in touch with an imei consultant today.
* Uber Newsroom: The 2016 Data Security Incident
** IBM/Ponemon Institute: "2017 Cost of Data Breach Study"
*** The Office of the Australian Information Commissioner: Notifiable Data Breaches Scheme
CIO: Uber CEO Reveals Massive Data Breach
Stay Smart Online: Uber Data Breach