
Mobile – privacy or security, a balance we must get right

Author: Phil King
Issue: Global-ICT 2015
Article no.: 21
Topic: Mobile – privacy or security, a balance we must get right
Title: Chairman & CEO
Organisation: myPINpad

About author

Phil King, Executive Chairman & CEO, myPINpad
Philip has been a senior executive in a diverse range of businesses for over 30 years and is a founding partner in Asia Principal Capital, an investment banking firm based in Singapore and Sydney, offering strategic, M&A, funding and other services. He has substantive payments industry and technology management experience and has held technology and management consulting roles in some of the world’s leading financial services institutions in the UK, Europe, Australia and South Africa. From 2002 through 2008 he was COO and then CEO of eNett International, now one of the largest global travel payments services providers.
From 2010 through 2014 he advised and then led Cocoon Data Holdings and Covata, now an Australian listed data security company, as CEO and Chairman. Philip has extensive company director experience and as Executive Chairman leads and drives the myPINpad management team. Philip has been a private equity investor for more than 20 years; his commitment to myPINpad represents the confidence he has in the solution and world class team being built.

Article abstract

Regardless of the context, data, in all its forms, is the crown jewels of any organisation. The mobile device, combined with the demand for more and more ‘big data’, now represents the single biggest threat to data security since the invention of the computer.

Full Article

In 1905, George Santayana coined his now famous, and oft plagiarised, saying: “Those who cannot remember the past are condemned to repeat it”. In no industry is this truer than in computing, where we are now plunging headfirst into at least our third critical ‘oversight’ in just 25 years:
Oversight #1: Neither security nor privacy was a primary consideration when everyone moved online – It can be argued that the Information Age really came into its own in the early 1990s, when the World Wide Web became available to the masses. From that point forward, the world has been in a rush to digitise everything it could lay its hands on, which has made it all but impossible to enforce any accepted precedent, or even good security practice, relating to privacy.
Yes, we all have the RIGHT to privacy – the Universal Declaration of Human Rights, Article 12 for example, specifically states that: “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.” Yet we are ‘spending’ our privacy like a currency to ‘buy’ the conveniences and entertainments we crave.
So, can we truly maintain that we still have the right to privacy when, by choice, almost every aspect of our lives is catalogued in extraordinary detail on LinkedIn, Twitter, Facebook, Instagram and whatever social medium comes next?
Oversight #2: Functionality and competitive advantage more important than security – The Internet boom led to an explosion in PC sales, and bloated operating systems designed principally to provide greater function, together with applications written with scant regard for security, have exposed data on an unprecedented scale to a vast number of vulnerabilities. Billions have been spent on anti-virus alone, and billions more will be spent on cleaning up the remaining mess.
The Internet of Things (IoT) will take this phenomenon to a level we can barely even conceive of at this stage, yet we will likely have the same expectation of built-in security, as well as shifted responsibility and liability, even when lives will, quite literally, be on the line. For example, Slate’s article Who Does the Autopsy? reports that “more than 300 [implantable medical devices (IMDs)] from 40 different vendors had vulnerabilities that could readily be exploited by those with ill intentions.”
Oversight #3: Unlimited access via unsecured mobile devices to limitless amounts of data – There are now more mobile phones in circulation than there are people on the planet, and according to an article in ComputerWeekly.com, each one of those devices has more computing power than the computers that put man on the moon. Everything from banking to shopping to an increasingly significant share of social interaction is conducted on a device that is a personal computer in all but name.
The distribution is also unprecedented; no other electronic device approaches its ubiquity. In some fashion, all of these devices have access to a trove of information that is growing almost exponentially. For example, it is estimated that every two days we now create as much information as existed from the beginning of time until 2003, yet we make even less effort to protect these devices than we do our laptops.
Despite the negative ramifications of each of the above, no-one can deny the world changing benefits of the Internet, home PCs, and the mobile phone, particularly the smartphone. From the enormous expansion of cross-border business, to the sharing of medical and agricultural research, to the blurring of national/racial/political barriers, the ready availability of information on any device has the power to change everything for the good. Or bad.
But, information only comes from data in context, and information in context is knowledge, so inherently, data itself is neither good nor bad. If one accepts the saying “Guns don’t kill people, people kill people”, the same can be said for data. It’s not the data that’s the problem, it’s the use of it, and while you’re very unlikely to lose your life if you’re hacked (Internet of Things aside), both your privacy and identity can suffer significant, even permanent harm.
Regardless of the context, data, in all its forms, is the crown jewels of any organisation. The mobile device, combined with the demand for more and more ‘big data’, now represents the single biggest threat to data security since the invention of the computer.
The consequence of the first two oversights, characterised by the headlong rush into the World Wide Web, is that countless systems and data stores were left exposed, and with ‘Oversight 3’ we are now doing the same thing on a scale inconceivable in the 1990s. It has been estimated that by 2020 there will be 44 zettabytes (10^21 bytes) of information stored, and around 6 billion smartphones in use globally. All the security controls in the world around the data stores are irrelevant if the access control mechanisms on the smartphone aren’t in place. Unless we build in security from the beginning, there will be no fixing it later.
Before we can address these challenges, we must accept that there are a few things in information security that have not changed, and likely never will:
1. Operational functionality will generally be viewed as more important than data security to businesses intent on growth, because competitive advantages have an ever-decreasing lifespan.
2. Thieves are clever, motivated, and increasingly organised, meaning vulnerabilities will be exploited more efficiently and thoroughly than previously seen.
3. There is no such thing as 100% security, and there are no silver bullet solutions.
But whilst thieves are clever, they are also lazy, looking for maximum profit for minimal effort. And although good security is relatively difficult to achieve, it has always been, and will always be, simple in principle: a balance of confidentiality, integrity and availability, effected through an appropriate use of security controls.
The basic security controls have been around for decades, and regardless of the device (PC or smartphone) the building blocks are the same: firewalls, operating system hardening, encryption, access control and authentication, patching, logging and monitoring, incident response and so on. For the smartphone, these controls must be virtually invisible to the average consumer, but it may be assumed that collaboration between the device manufacturers, mobile network operators (MNOs) and application vendors (whose wares are only available from trusted locations, i.e. curated app stores) is more easily achieved than with home PCs.
Above all, security is equal parts process and culture; the absence of either destroys the whole. As it is the CEO of any organisation who sets the tone for the entire company – its vision, its values, its direction and its priorities – it is the CEO’s attitude towards security that is key to this whole process.
In theory, a concerted effort by industry players – in whatever industry sector is most at risk at the time – should yield sufficient mitigation techniques to prompt the thieves to move on to the next target. Just build your fence higher than your neighbours and you will not be that target (the migration of fraud to card-not-present following the introduction of EMV for example). To organised crime, theft is a business decision, not personal, and the need for a decent rate of return is no different than for any other business venture.
However, the combination of the three constants listed above tips the balance significantly in the bad guys’ favour.
Many businesses are in such a rush to introduce new services or technology to gain even a brief market advantage that they cannot perform anywhere near enough security testing and due diligence in such a short window. This, and the absence of the most basic of security processes, the risk assessment (exacerbated in many instances by C-level indifference), will invariably result in the introduction of new and readily exploitable vulnerabilities.
Big data analytics, the Internet of Things and mobile are all rightfully experiencing unprecedented global growth, adoption and convergence, but their associated capabilities are a virtual playground for those intent on harm. Perceived market pressures prevent many organisations from building in appropriate security from the ground up, where it is far easier and cheaper to do so.
For mobile at least, its enormous flexibility and function may hold its own salvation. The very things that make it seem insecure could be the things that, with industry collaboration, make it even more secure than most PCs.
