Regulatory Action

GDPR fines – mobile losses could be next for Finance Sector

By Dr. Andy Lilly, CTO and Co-founder of Armour Comms

It’s now almost two years since the GDPR regulations came into force, and the ICO has started imposing fines for infringements.

While the finance sector is well used to dealing with regulation, mobile devices often go under the radar. Voice calls on mobiles can be recorded via the usual VoIP phone systems, but it is the other information that is exchanged using messaging apps that is of particular concern. 

Recently it has been reported that ‘almost half of the cyber-security incidents reported in the UK during the past year were caused by internal errors, where employees failed to follow security protocol or data protection policies.’ Furthermore, 70 percent of financial companies faced a cyber-security incident, and the number of attacks is increasing year on year.

How secure are Messaging Apps?

Many consumer-grade messaging apps are called ‘secure’ because they encrypt data sent between devices (‘encryption in transit’), but there is a lot more to security than simply encrypting the network link. Encryption on the device, otherwise known as ‘encryption at rest’, protects contacts, messages and confidential documents within an app. If the phone is lost or stolen, the finder or thief can’t read the data on the device without also having the user’s passcode or biometric fingerprint.

The National Cyber Security Centre (NCSC) recently published its first UK Cyber Survey, which reported that breach analysis found 23.2 million victim accounts worldwide used 123456 as a password. Properly implemented encryption is extremely hard to break and is almost never the attack vector, because there is usually a much easier route in – like weak passwords. Encouraging users to make good password choices is a vital part of protecting business data, and it doesn’t stop there.

Beware rogue apps and rogue users

With a jailbroken iPhone, it is possible to install apps and tweaks that aren’t authorized by Apple. However, doing so also removes the tough security protections that Apple has built into iOS. Not all apps are created equal: some may harbour malware that snoops on users by stealthily hijacking the microphone to record conversations. While jailbreaking undermines the phone by fundamentally changing the whole operating system, a user can cause just as many problems by installing apps that request a swathe of unnecessary permissions. Such an app gains access to location, audio, files, contacts, etc. that it doesn’t need for its function, and then reports that data back to the app vendor for commercial or malicious purposes.

How secure are Attachments?

Only recently, research from Symantec found flaws in Android that allowed so-called media file jacking, where malicious attackers are able to manipulate and modify media files, such as commercial documents, photos and recordings, in WhatsApp and Telegram, depending on the users’ settings.
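The defence the article is pointing at is attachment integrity: an app should be able to tell whether a document it received is still the document it is about to display. The following is an added illustration, not code from the article or from Armour Comms, of one way to do that: keep a keyed HMAC tag for every received attachment and refuse to open the file if the bytes on disk no longer match. The app secret, the in-memory store standing in for the app's private storage, and the sample invoice bytes are all constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-in for a per-app secret that would normally live in the
# platform keystore (assumption for this example; not anything from the article).
APP_SECRET = b"constructed-app-keystore-secret"


def attachment_tag(secret: bytes, content: bytes) -> str:
    """HMAC-SHA256 tag over the attachment bytes, computed when the app saves it.

    A plain hash would not do: anything that can rewrite the file in shared
    storage could rewrite a plain hash alongside it. The tag is keyed, so only
    the app holding the secret can produce a valid one.
    """
    return hmac.new(secret, content, hashlib.sha256).hexdigest()


def verify_attachment(secret: bytes, content: bytes, expected_tag: str) -> bool:
    """Constant-time comparison of the stored tag against the bytes now on disk."""
    return hmac.compare_digest(attachment_tag(secret, content), expected_tag)


def receive_and_store(secret: bytes, store: dict, name: str, content: bytes) -> None:
    """Save a freshly received attachment together with its integrity tag."""
    store[name] = {"bytes": content, "tag": attachment_tag(secret, content)}


def open_attachment(secret: bytes, store: dict, name: str) -> bytes:
    """Return the attachment only if it is unchanged since it was received."""
    entry = store[name]
    if not verify_attachment(secret, entry["bytes"], entry["tag"]):
        raise ValueError(f"{name}: content changed since it was received")
    return entry["bytes"]


def demo() -> bool:
    """Walk through receipt, tampering and detection; True if the swap is caught."""
    store: dict = {}
    original = b"%PDF-1.4 constructed invoice: pay GBP 12,000 to account 11-22-33"
    receive_and_store(APP_SECRET, store, "invoice.pdf", original)

    # Unmodified file opens normally.
    assert open_attachment(APP_SECRET, store, "invoice.pdf") == original

    # Simulate another app with write access to the storage location rewriting
    # the file after receipt, which is the media-file-jacking scenario.
    store["invoice.pdf"]["bytes"] = (
        b"%PDF-1.4 constructed invoice: pay GBP 12,000 to account 99-88-77"
    )
    try:
        open_attachment(APP_SECRET, store, "invoice.pdf")
    except ValueError:
        return True  # tampering detected before the document was shown
    return False


if __name__ == "__main__":
    print("tampered attachment detected:", demo())
```

On a real device the tag and the secret belong in app-private storage and the keystore respectively; the check matters most for attachments written to shared storage, because that is where other apps can reach them.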

As well as the integrity of files, another issue to keep in mind is where your data is being stored when you use mobile comms apps. A high-profile lawsuit has recently been filed against Apple, claiming that iCloud storage is actually, in some instances, farmed out to other suppliers such as Amazon Web Services and Google.

Sharing your contacts with the world

As well as knowing where your data is being stored, it is vital to keep control of your contact lists. Some consumer-grade apps, such as WhatsApp, automatically upload all of your native contacts to the WhatsApp/Facebook server when you install the app, so that it can cross-reference your contacts and enable you to call them using the app.

While this might appear to be user-friendly in our social lives, in a corporate environment it is very different. If you use a corporate device in this scenario, you are effectively sharing other people’s personal details without asking them. This would be a contravention of GDPR, which opens up the business to potential fines of 4% of global turnover.

Fully Auditable mobile comms

While these consumer-grade apps are encrypted end-to-end, which provides some level of security for the contents of messages and attachments, that also means that voice conversations can’t be recorded, raising a big question around compliance.

As well as the inability to record voice conversations, consumer-grade apps also fail to provide an audit facility for any of the other types of communications that take place. And as previously mentioned, you have no control over where your data is held, so the case against these apps is starting to stack up.

With an enterprise-grade, certified mobile comms app you get the best of all worlds:

  • An easy to use product with all the functionality of a consumer-grade app
  • Complete control of your metadata
  • Complete control of your contacts lists
  • Attachments that are stored securely
  • Audit functionality – for reviewing all communications including voice calls
  • GDPR compliance

Cyber crime is sharply increasing and attacks are growing more sophisticated. It is no longer just international governments that should be concerned about lost or stolen devices. With confidential business dealings and commercially valuable information stored on smartphones and laptops, any organisation with intellectual property to protect should be assessing the risks and taking actions to mitigate them.

Armour’s solutions for secure communications work on everyday smartphones, tablets and desktops. With the same usability as consumer-grade apps, but with significantly enhanced security, one of our solutions could be the simple answer to your security needs.

About the Author

Dr. Andy Lilly, CTO and Co-founder of Armour Comms, has over 20 years of experience in voice, video and IP software technologies, with secure mobility being the focus for the last 8 years. As CTO of Armour he leads the development of its portfolio of next-generation encrypted communication solutions. Previously he has directed work on world-leading video-over-IP products, system-critical satellite software at Airbus, and a wide range of defence systems at Nortel Networks, from military adaptive antennas to radar systems.