
Application permission creep and the risk to small business


Employee Emeritus ‎05-18-2016 01:46 PM

A guest article by Tyler Cohen Wood




Tyler Cohen Wood is a cyber-authority with 17 years of highly technical experience and 13 years working for the Department of Defense (DoD). An Internet Intelligence expert and author, Wood is relied on for her wealth of knowledge, insider experience, and tried-and-true techniques.  Join her for a free webinar, sponsored by Verizon, on May 25th at 2 PM ET and learn about data, privacy and how to avoid attacks that can derail your business and life. Register now!


A late 2015 report from insurer Nationwide revealed that 63 percent of small business owners have fallen victim to at least one type of cyberattack.1 The risk to small business owners’ intellectual property and tradecraft is greater than ever before. One cause of this is that businesses rely on software and automated remote methods to conduct their business and secure their data and client transactions. The more software, hardware and digital remote devices we rely on, statistically, the more vulnerabilities we face.

In today’s fast-paced business world, working away from the office using mobile devices for telecommuting and productivity has become mainstream. But how do we know what private data, tradecraft or intellectual property this technology might be unknowingly giving away to corporate spies, hackers or data marketers? You probably assume that your text messages, contact list, photographs, location information and business documents are private. In fact, that couldn’t be further from the truth.


We used to keep our work and personal lives separate, but now we use the same digital devices, such as smartphones and tablets, to connect to both. New threats and attacks surface constantly and are reported on frequently. These news stories demonstrate that corporate intellectual property (IP) and tradecraft are more at risk today than ever before. The threat comes from many directions, but one of the biggest perpetrators is something that I call application permissions creep. This is a term for the phenomenon that occurs when an application (or “app”) that you use for one purpose has access to other apps or system functions on your digital device.


Most of us know and accept that when we use our digital devices and apps, the developers of those commercial applications are potentially collecting and selling information that we might deem to be our private data, such as our device IDs, geographic location, hobbies, friends, politics, where we are at a given time, employment data, information about our children, etc. Big data analytics are good at their job—they are able to piece together very detailed and accurate patterns of our lives. But most apps tell you exactly what data they are collecting in their terms of service and what they can do with it: usually sell it to third parties or use it for marketing. They may even own the rights to the content that you post to their servers. In the permission and privacy settings on your device, apps will also tell you what permissions they have to other areas of the device, such as text messages, email, photos or other apps. We might consider this an invasion of privacy or mildly annoying but, again, they tell you they are collecting your data and what other access they have to your phone.


This becomes a serious threat to businesses whose employees use smartphones, tablets or other digital devices to connect to corporate networks and conduct business. At risk to these businesses is their very intellectual property or tradecraft.


First, what is at risk?

  • The names and phone numbers of your clients as well as their personal information, such as credit card numbers and email addresses.
  • Text messages, emails or documents containing data about your business, tradecraft or IP.
  • Location information such as where you do business and where your clients are located.
  • Photographs of plans or products.
  • Personal conversations between you and your clients via email or text messages.

Because we use the same digital devices for our work and personal lives, most people have personal and work apps on their smartphones and tablets. Many apps will track your movements and/or show your geographic location. In fact, in order for some apps to function properly (such as GPS, restaurant finder or “check in” apps), they need to use your location to give you directions or find the closest restaurant to your location. “Check in” apps require your location to post where you are. If you read the terms of service for these applications most will tell you exactly what information they collect on you, like your device’s identifiers, account information, location information and what they do with that information, such as sell it to third parties or use it for marketing purposes. Some applications may not tell you that they’re using your location services or what they’re doing with that data. Why is this an issue? Perhaps your company is a public relations or legal firm and the very places your employees go to meet with clients could be considered corporate tradecraft, since you don’t necessarily want anyone else knowing where or with whom you do business. Suddenly that location information takes on a new importance.


But it gets worse.


If you read the terms of service for each of your installed apps and go to the permission and privacy settings for each of them, you might be shocked at what apps have access to. A popular Android application states in its permission settings that it has the ability to read, write, store and sell your text messages, along with the ability to use your microphone to record audio without your knowledge and view any documents that you store on your SD card. This is much more common with apps than you might think. Suddenly, that private text message you had with your employee takes on a whole new meaning. How comfortable would you feel knowing that the e-reader app, or the app reading your text messages, and everyone they can sell data to now have access to the full contents of that confidential document? Most apps will ask you to acknowledge these permissions, but some will just claim permissions that extend beyond the needs of that application, depending on your smartphone and operating system.


Not all apps or digital device operating systems are created equal when it comes to privacy and self-containment. Apple’s iOS (used by iPhone) is better about sandboxing (containing) system-level applications such as your text messages than other operating systems, and it does a good job of asking you before allowing an app to have permission to things such as location information and contact lists. iOS tends to do more in general to protect against application permissions creep, such as allowing you to turn off an app’s ability to turn on your microphone or read your contact lists, but it certainly is not immune. Even though most application permissions creep occurs with legitimate apps, that’s not always the case. Some apps are maliciously created with the intention of taking your information. Even though apps are reviewed before being offered by Apple iTunes, some sneaky apps can get through. The Google Play Store is much more open, and freely allows apps of questionable origin to be downloaded by anyone. In the past, Android has tended to be “all or nothing” and you did not have the ability to turn off the apps’ access to other parts of devices. That being said, the Android release now being rolled out to devices is supposed to give the user this ability.


The most important thing that businesses can do is educate their employees about the dangers of application permissions creep. Always read the terms of service and check the permission settings for all installed apps, whether for personal or business use. Make sure you know what apps your employees have on their devices that are connecting into your network or are being used for business. Research the permissions that those apps have to the areas of your phone that could contain corporate IP. Work with your IT department or a consultant to figure out which apps your employees can install on their devices if the company is footing the bill. There are also software applications for businesses that do a respectable job of separating personal apps from work apps and are worth the investment. Also, if it’s financially feasible for your company, consider getting employees separate smartphones or tablets that are to be used only for work.
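One way an IT department or consultant could put the permission review above into practice is sketched below. It is an added example, not part of the original article: the permission names are real Android identifiers, while the app inventory, the app categories and the baseline policy are constructed for illustration.

```python
# Added example: flag apps whose Android permissions exceed their stated purpose.
# Permission names are real Android identifiers; the apps, categories and
# baseline policy below are constructed for illustration.

# Sensitive permissions mapped to the business asset they expose.
SENSITIVE = {
    "android.permission.READ_SMS": "text messages with clients and staff",
    "android.permission.RECORD_AUDIO": "conversations near the device",
    "android.permission.READ_EXTERNAL_STORAGE": "documents and photos on the SD card",
    "android.permission.READ_CONTACTS": "client names and phone numbers",
    "android.permission.ACCESS_FINE_LOCATION": "where you meet clients",
}

# Hypothetical baseline: sensitive permissions each app category plausibly needs.
BASELINE = {
    "navigation": {"android.permission.ACCESS_FINE_LOCATION"},
    "e-reader": {"android.permission.READ_EXTERNAL_STORAGE"},
    "messaging": {"android.permission.READ_SMS", "android.permission.READ_CONTACTS"},
}

# Constructed inventory of apps on a device used for work.
INVENTORY = [
    {"package": "com.example.maps", "category": "navigation",
     "permissions": ["android.permission.INTERNET",
                     "android.permission.ACCESS_FINE_LOCATION"]},
    {"package": "com.example.reader", "category": "e-reader",
     "permissions": ["android.permission.READ_EXTERNAL_STORAGE",
                     "android.permission.READ_SMS",
                     "android.permission.RECORD_AUDIO"]},
    {"package": "com.example.flashlight", "category": "utility",
     "permissions": ["android.permission.READ_CONTACTS"]},
]

def audit(inventory, baseline=BASELINE):
    """Return {package: [(permission, exposed asset), ...]} for permission creep."""
    findings = {}
    for app in inventory:
        # Unknown categories get an empty baseline: every sensitive grant is flagged.
        allowed = baseline.get(app["category"], set())
        creep = [(p, SENSITIVE[p]) for p in app["permissions"]
                 if p in SENSITIVE and p not in allowed]
        if creep:
            findings[app["package"]] = creep
    return findings

if __name__ == "__main__":
    for package, creep in audit(INVENTORY).items():
        for permission, asset in creep:
            print(f"{package}: {permission} exposes {asset}")
```

The baseline is the part that needs business judgment: an app category left out of it is treated as needing no sensitive access at all, so every such grant is surfaced for review.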


It’s crucial that you not wait too long to determine how application permissions creep might be affecting you and your business. The more time goes by, the more your data might be at risk. Follow the tips above and secure your corporate IP and tradecraft before it becomes compromised. It’s always easier to prevent an issue than it is to attempt to fix one.


