BlackBerry remains the only mobile vendor that places enterprises first and doesn't rank them someplace after the casual game developers. At its enterprise security briefing in New York this week, BlackBerry brought out company experts as well as those from industries such as healthcare, banking and government.
While the event showcased BlackBerry's acquisition of German security firm Secusmart, which is known for security over voice calls, it was the panels that were both the most interesting and the most frightening. We aren't even thinking about some of this stuff right now. If we don’t get a clue, the experts say we're due for a "come to Jesus meeting" with our CEOs and/or boards as a result of an avoidable data breach.
Your call may be monitored for quality assurance – and spying
We focus so much on data security that it's easy to forget about voice. To drive home the point, attendees heard a conversation between a U.S. diplomat and a peer that the Russian government recorded and then leaked with the media. The diplomat shared his true feelings about the European Union, using a four-letter word I can't repeat here.
[ Former FBI Agent: Government Records and Stores Every Phone Call and Email ]
Imagine the damage this call did to U.S.-European relations, not to mention the conversation the security team and that diplomat had with their superiors once this call went public. (It kind of explains why the EU hasn't supported our requests for Russian sanctions – and why Russia wanted to share the call in the first place.)
Unless we encrypt our calls, we should realize that they're likely being recorded. With smartphones and the right technology, encrypting voice calls is relatively easy now, but landlines are very difficult to secure, particularly if they don't go to current generation PBXs. A call to someone's home will almost always be vulnerable.
What we say may show up again, in damaging fashion, when we least expect it. Given how broadly this monitoring occurs, and given the improvements in voice-to-text tools and unstructured data analytics, many of us may wish we hadn't thought our cell phone conversations were confidential when we spoke our minds. Increasingly, they are not.
How secure are the wireless access points in your car?
One concern surrounding the whole Internet of Things wave that's breaking across the world is a lack of focus on securing the things that we're connecting. For example, cars can be compromised by hacking wireless technology such as a car's mobile hotspot or even the wireless connection to the tire pressure monitoring system. That's frightening. Consider the trend of self-driving cars and the opportunity for a disaster increases dramatically.
The event highlighted Audi as one carmaker working to get ahead of this – but at some point, particularly for fleet deals, security must be part of the conversation with vendors. I doubt many CSOs imagine the when all of their firm's delivery vehicles suddenly became homicidal. I don't even want to even consider what this means for the big push in delivery drones.
How confidential are the calls with your lawyer?
The final speaker at the event came from the multinational law firm Skadden. In litigation, maintaining client-attorney privilege can make the difference between whether a case is won or lost, as well as how much of a judgment is assessed at the end. How often do we audit the security of the law firms we use, making sure we don't pay legal fees only to lose because a firm isn't secure enough?
I'm often engaged in multiple legal actions that could be compromised if litigation strategies are leaked to the other side. It makes me wonder if I should avoid law firms used by governments or pharmaceutical companies, since they're most likely to be penetrated, with the information that's pulled released accidentally. If anything related to my own efforts gets out, I'm in trouble.
What you don't know can kill you, or at least kill your career
What I took away from the BlackBerry event is that we don't look at security problems holistically. We aren't as concerned as we should be about the Internet of Things in general and driverless cars in particular. (I'm really going to watch the self-driving cars in my area more closely given Google's horrid security record).
I'm reminded again about the security test we did at IBM decades ago. We set up the most secure site we could engineer and then challenged a former spy and security expert to break in. He did, in a matter of hours, by penetrating an insecure site connected to our impenetrable security showcase. We have to look at security holistically.
Finally, it's a huge mistake to not treat voice like data. It's easy to capture and mine voice calls thanks to mobile devices. As one expert at this event implies, unless you have a secure phone with the encryption running, treat the call as if it's being monitored by one or more governments.
This story, "Nothing is secure, your calls aren't private and your car could kill you" was originally published by CIO.