As details emerged about vulnerabilities in a popular social media platform that enabled the compromise of the voice communications of thousands, the app's users and some enterprise risk pros took note. The highlights from this breach illustrate that it's getting harder and harder to privately communicate on mobile phones using consumer-grade security - especially if you're a high-profile individual.
This issue becomes even more important as organizations have become more dependent on the uses of mobile devices due to the shift to work-from-home as a result of the Covid-19 outbreak.
Mobile device security, both for corporate-managed devices and personal devices being used for work, have never been more critical for enterprise risk management – and this includes managing risks for members of Boards of Directors and corporate executives.
Mobile Device Vulnerabilities
More recent reports showed that at the heart of the voice data compromise incident was a piece of commercial spyware that leveraged a bug in the encrypted communication app to completely infiltrate victim devices and upend the whole point of the social application’s consumer-friendly encryption channel.
The kind of nation-state profiling that some commercial spyware has been tied to may seem irrelevant to everyday enterprise situations. But imagine, for a moment, what the threat profile looks like for business communications channels when these kinds of tools are put into the hands of a wider range of attackers.
The truth is that commercial spyware is just the tip of the iceberg of what is possible when it comes to subverting business communication channels today. Technologies like cellular network sniffers and endless varieties of mobile malware are getting more prolific and pervasive by the day. This means that eventually anyone will be able to get their hands on tools to exploit mobile device vulnerabilities and to illicitly listen in on cellular network communications, with very low barriers to entry.
This creates a situation where whole new classes of cyberattacks are primed to break out of the spy-novel niche and enter the mainstream business world, including:
- Mass collection of corporate data to uncover company secrets like acquisition plans, contract negotiations or strategic roadmaps
- Development of intelligence profiling of high-profile targets to set them up for blackmail or fraud, and,
- Deepfake impersonation to carry out fraudulent schemes
Think about the ramification of these kinds of attacks if they're used to target some of the most important VIPs within a company, namely members of the Board of Directors. What kind of intelligence could attackers collect from board members by intercepting communications? What kind of attacks could they carry out? How damaging would these attacks be to your organization?
Enterprise risk officers that answer those questions honestly will readily see the plethora of opportunities for everyone from petty crooks to mafia ringleaders and tinpot dictators to victimize the board - and the organization as a whole. With that in mind, enterprises need to think seriously about how they can harden the communications channels their boards and their executives use every day. Doing so effectively will allow them to better:
Keep Corporate Intelligence Secure
Enterprises should take extra measures to keep communications between board members and other crucial stakeholders private lest they see important corporate secrets leaked to the public and to competitors. Criminals would love to dig up information from board members about potential M&A activity or other news that could move markets.
Protect Board Members from Compromise
Combine the interception of voice communication with the scalability of the cloud and the power of AI-enabled analytics and suddenly attackers have an easy way to create a whole database of material about targeted individuals to create a compelling intelligence profile. Locking down communications ensures that information like this is never gathered and never used for blackmail or to fuel convincing social engineering attacks.
Thwart Board Member Impersonation
Forget business email compromise (BEC) attacks, attackers are now starting to combine techniques like device spoofing or SIM swapping with the use of Deepfake audio files to convincingly impersonate executives. Doing so makes it possible to trick people in the organization into thinking that the higher ups approved large bank transfers or other sketchy maneuvers that benefit criminals.
Enterprises must meet this threat with measures to secure voice and text channels and ensure that people know who they're really talking to with solutions that can validate identity with multiple factors. The first factor is confirmation that an actively approved device is in use validated by security keys, and the second factor is to authenticate the person being communicated with using biometric data. Lack of identity validation is a vulnerability above and beyond technical exploits or the use of spyware.
Ensure the Privacy of Board 'Shop Talk'
Board members need to be able to talk frankly amongst themselves without the worry that their conversations will be spied upon—whether by external or internal forces. Enterprises need a means to ensure not even the CIO or IT team will be privy to calls between board members.
Board members are, of course, only one vulnerable class of users that enterprises must seek to protect from the growing threat of voice communication attacks. Other at-risk demographics include executives, frequent international travelers, legal advisors, and remote workers. At the end of the day it is crucial for risk management teams to think critically about the kind of damage attackers could wreak in your environment if they were able to subvert the voice calls of certain individuals.
This is not an insurmountable risk to mitigate. In fact, for an investment that's probably less than the cost of several board meetings each year, you could secure your executive team and board communications and take back control of the power of the phone. These same strategies will also serve to better secure your expanded remote workforce and ensure your business continuity efforts to respond to Covid-19 don’t put your organization at risk of compromise.
BlackBerry is offering a free of charge use-period for a suite of remote productivity, security and communications tools to enable organizations to continue their operations as they take the necessary steps to respond to the crisis. Learn how to obtain product licenses for your company or email firstname.lastname@example.org for assistance.