'Tis The Season To Be Sorry

23/12/2016 11:43 GMT | Updated 23/12/2016 11:44 GMT

Christmas is the season of the data breach.

In 2013 it was Target, in 2014 it was Home Depot, in 2015 it was VTech, and now in 2016 it is the turn of Yahoo.

Yahoo's December 2016 announcement of the biggest data breach in history - 1 billion accounts compromised - is further evidence that hackers are out to cause maximum havoc at this time of year.

The retail industry is a favorite target. No retailer wants to be the one who's sorry for a data breach. Every year much time and effort is spent trying to lock down all communications.

Yet there is one channel that is especially challenging to control.

That channel is the dozens, if not hundreds, of cheap or free cloud services that employees have downloaded onto their mobile devices - known in tech circles as shadow IT.

According to Gartner, one third of security breaches will come in through shadow IT services by 2020.

Also known as Bring Your Own App (BYOA), or Bring Your Own Cloud (BYOC), shadow IT is in direct conflict with enterprise data security.

As soon as they enter the workplace, these apps cease to be personal.

Shadow IT presents a huge security liability to even the best designed systems.

On top of this, there is the threat at this time of year of unsecured mobile messaging by temporary staff hired for the busy holiday season.

The National Retail Federation expects retailers to hire between 640,000 and 690,000 seasonal workers - many of them in their teens - to help them deal with the extra demand.

The majority of them will be using consumer chat apps to keep in touch with people in their lives - friends, relations and colleagues.

A Radicati study has found that instant messaging in the enterprise is growing at a higher rate than its use for consumers.

At the same time, many insider security incidents go unnoticed due to a lack of monitoring and detection tools. According to Verizon's 2016 Data Breach Investigations Report (DBIR), human error accounted for about 66% of insider misuse cases.

Intentionally or unintentionally, employees use sensitive data in inappropriate ways.

For example, too many employees, temporary or otherwise, think nothing of exchanging sensitive database information with colleagues via mobile messaging accounts, uploading the data to personal devices, sharing passwords and so on.

Seasonal workers are much less likely to care about the security of their messages, or to know about the dangers to their device from phishing campaigns or from downloading apps from unofficial sites.

It is easy to imagine how they might bring malware into the workplace on an infected smartphone. It would only take one of them to have one of the many thousands of Android mobiles affected by the recent Gooligan attack for there to be trouble.

Alternatively, the mobile messaging app Facebook Messenger was recently the subject of a scam that could steal passwords and hijack accounts. Reports also linked it with spreading the Locky ransomware.

Just one or two group messages to colleagues in the office and it would be a short step for the ransomware to find its way onto a corporate database with extremely damaging consequences.

To ensure greater security, NURO recommends retailers take greater steps to lock down group messaging by:

● Making sure every chat or group chat has its own secure, encrypted channel

● Providing secure, advanced encryption of data at device level, in transit via HTTPS, and in storage, preferably in a central database owned by the enterprise

● Equipping IT operators with a centralized admin console for management of such issues as policy-setting or role-based permissions, as well as integration with other enterprise systems, database activity monitoring and message push notification services

In summary, unsecured group messaging is emerging as a major threat to all enterprises.

But retailers are more at risk than most due to their reliance on large numbers of young, temporary workers at this time of year, many of whom bring their personal group chat apps into the workplace.

While shadow IT is a growing problem for employers, they can take comfort that, at least with regard to group chat, a few simple steps will let them take back control and avoid the risk of CEOs having to say sorry in the New Year.