In this News Insight, WIRED Magazine discusses the need for increased mobile security in the aftermath of the WannaCry attack in 2017. If you’re looking to strengthen your security plan, download our definitive guide to reassessing mobile security practices. —Samsung Insights editorial team
If there was any upside to the giant WannaCry ransomware attack that hit more than 200,000 systems in 150 countries in May, it’s that it made businesses bolt upright and take a hard look at their cybersecurity—from central servers to their far-flung mobile devices and apps.
The more essential that anytime/anywhere access to your data is, the more critical security becomes. Nowhere is that more true than in highly regulated areas such as health care, financial services, and government work, which manage some of our most sensitive information.
WannaCry potentially put lives at risk by paralyzing computers at state-run medical facilities across the UK. Although the United States was generally spared from the full force of the attack, the US Department of Health and Human Services indicated that two “large multistate” health systems still face “significant” operational challenges because of the ransomware.
Tough laws are in place to protect sensitive data—the HIPAA (Health Insurance Portability and Accountability Act of 1996) statute guarantees the confidentiality of patient info, and violation fines can run up to $50,000 per attack—but hackers persist, recently lifting 4.5 million records from a major health care network based in Tennessee.
Nowhere Near Nimble
A key weakness in many of these heavily regulated industries is their unmodernized legacy systems. Congressman Will Hurd once famously informed a congressional oversight committee that “the Labor Department has a 30-year-old system developed by people who are now all dead.”
These old tech infrastructures are not only tough to maintain, they can be particularly vulnerable to cyberattacks. External attacks are one of the main ways hackers can gain a foothold, and far-flung networks create many points of vulnerability. In a recent survey, more than 90 percent of federal tech managers said they must modernize, with security being the driving force. And it’s an ongoing battle: “Security isn’t just adding one product at one point in time,” says Jonathan Wong, product marketing director at Samsung. “It’s not a quick fix. It’s ongoing and dynamic. It’s staying on your toes and being aware of what’s coming up.”
For many IT specialists operating clunky backend legacy systems, the biggest surprise of the WannaCry attack was not that it happened but why it hadn’t happened earlier. Mobile devices are increasingly used by employees to access vast chunks of data, including sensitive information related to their work. That data transition highway—from mobile app to server—is loaded with bandits itching to steal or tamper with confidential data while it’s in transit. Mobile health care apps, for instance, often involve collecting, storing, and transmitting highly personal and important patient data.
Only a few years ago, it was easy to safeguard data behind thick walls and with strong centralized protection. That job has been made infinitely more complex by mobile devices. Designed for consumer use, smartphones and tablets often provide lower standards of protection than PCs and laptops, making mobile endpoints prime targets for attackers.
To the Cloud and Beyond
Responding to operational and regulatory challenges is a daily battle. Many highly regulated organizations, for instance, are increasing their use of cloud services, not only to save money and gain efficiency but to improve their capabilities in security and compliance. Initially, government, health care, and finance industries hesitated to introduce the cloud as a form of IT innovation, believing—incorrectly— that it made them more vulnerable to attacks. Others are increasing their use of slim endpoint devices, which allow access to data without the ability to upload information and provide a security backdoor.
That’s just the beginning. Increasingly, mobile devices provide independent containers that can separate work and private data; applications do not commingle. If a device is lost or stolen, or if an employee leaves the organization, data can be remotely wiped from the device, including just the information held in the work container. For example, Samsung has built its security from the chip up on its Galaxy lineup. This level of protection lets both the user and the enterprise create a secure folder within the device, where applications, documents, and other assorted media can be placed and locked up. Some organizations now require that only devices with this type of security built in at both the hardware and software layers be allowed.
Because of the difficulties inherent in enforcing security on privately owned devices, some highly regulated industries are also eschewing the BYOD (bring your own device) trend, allowing only corporate-provided devices. Or they can require that only a certain class of devices be used. For instance, any device that doesn’t have the required security posture or has been rooted or jailbroken can be denied access.
The cat-and-mouse game of protecting sensitive data from thieves is a never-ending battle. But these days, the stakes have never been higher.
This content is produced by WIRED Brand Lab in collaboration with Samsung.
Download our comprehensive guide to reassessing your mobile security practices.