Reducing the Cyber Risk in 10 Critical Areas
Contents: Summary; What is the risk?; How can the risk be managed?

Summary
Mobile working offers great business benefit but exposes the organisation to risks that will be challenging to manage. Mobile working extends the corporate security boundary to the user’s location. It is advisable for organisations to establish risk-based policies and procedures that cover all types of mobile devices and flexible working if they are to effectively manage the risks. Organisations should also plan for an increase in the number of security incidents and have a strategy in place to manage the loss or compromise of personal and commercially sensitive information and any legal, regulatory or reputational impact that may result.
What is the risk?

Mobile working entails the transit and storage of information assets outside the secure corporate infrastructure, probably across the Internet to devices that may have limited security features. Mobile devices are used in public spaces where there is the risk of oversight and they are also highly vulnerable to theft and loss.

If the organisation does not follow good practice security principles and security policies the following risks could be realised:
- Loss or theft of the device: Mobile devices are highly vulnerable to being lost or stolen because they are attractive and valuable devices. They are often used in open view in locations that cannot offer the same level of physical security as the organisation’s own premises.
- Being overlooked: Some users will have to work in public open spaces where they are vulnerable to being observed when working on their mobile device, potentially compromising personal or sensitive commercial information or their user credentials.
- Loss of credentials: If user credentials (such as username, password, token) are stored with a device used for remote working and it is lost or stolen, the attacker could potentially compromise the confidentiality, integrity and availability of the organisation’s Information and Communications Technologies (ICT).
- Tampering: An attacker may attempt to subvert the security controls on the device through the insertion of malicious software or hardware if the device is left unattended. This may allow them to monitor all user activity on the mobile device, which could result in the compromise of the confidentiality or integrity of the information.
- Compromise of the secure configuration: Without correct training a user may accidentally or intentionally remove or reconfigure a security enforcing control on the mobile device and compromise the secure configuration. This could expose the device to a range of logical attacks that could result in the compromise or loss of any personal or sensitive commercial information the device is storing.
How can the risk be managed?

Assess the risks and create a mobile working security policy