Safe to say, mobile technology and explosive BYOD trends over the last decade have upended the traditional workplace environment and with it, traditional security protocols. Gone are the days in which employees’ data remains squarely on their workstations between the hours of 9 a.m. and 5 p.m. These days, organizations offer some kind of remote working policy. That also means that the vast majority of corporate employees can remotely access company servers and data from anywhere at any time – often with little awareness or regard for its security.
And for many organizations, a mobile or remote working environment has taken a toll. Around one-third of organizations have experienced either data loss or a breach as a direct result of mobile working, according to research conducted by Apricorn and Vanson Bourne.
What’s more, a mobile working environment opens up attack vectors for security risks. According to the same survey, around 44 percent respondents expect that mobile workers will expose their organizations to the risk of a data breach, while almost half say employees are one of their biggest security risks. And seven in 10 respondents said they cannot be certain that their data is adequately secured when employees work remotely or on mobile devices.
And they wouldn’t be wrong. Mobile data is particularly vulnerable because it is actively traveling from one location to another over the internet or other spaces that are not necessarily secure. Meanwhile BYOD trends and the explosion of mobile devices have expanded the attack surface exponentially, increasing the organization’s overall security risk. That means that employees that could only access corporate data from a workstation can now access data from anywhere and at any moment using devices such as tablets and smartphones – all with vulnerable and/or poorly secured operating systems and keyboards that present low hanging fruit for attackers.
While a flexible work environment is still a “nice-to-have,” ensuring that corporate data is protected and secure remains a “have-to-have.” Consequently, the inherent security gaps created by a groundswell of mobile devices have also given rise to a need for robust authentication and encryption solutions protecting critical business data when employees are on the move.
Securing the data: Hardware vs. software
For authenticating users and encrypting data, organizations can go one of two routes–software-based or hardware-based – and both have their merits. Software-based authentication and encryption solutions – the most common – are embraced by many organizations for their affordability and flexibility. Among other things, they’re designed to protect data on a wide-array of devices within an organization, whether at rest or in transit, are cost effective and are easy to use and upgrade.
However, for organizations looking to ensure their mobile and on-premise data is safe and protected, regardless of user behavior, hardware-based encryption solutions provide the most secure option – for a lot of reasons. Among other things, they are self-contained without reliance on any additional software, and thus, not susceptible to the malicious attacks, vulnerability exploits and system compromise as their software counterparts.
Software-based encryption, on the other hand, is only as strong as the operating system on the device. A security vulnerability embedded in the device’s OS can also easily compromise the security of the encryption code. Once perpetrators take over the device’s OS, they also have the ability to bypass and/or shut down the encryption code altogether. Consequently, introducing software into any authentication or encryption processes creates a gaping new vulnerability that opens the door for keylogging, brute-force password attacks and other malicious hacking.
One of the biggest potential threats to software-based encryption are keyloggers – programs designed to secretly monitor and log all keystrokes – which are often installed as part of a Trojan or rootkit, enabling attackers to easily bypass security mechanisms and get onto a targeted device without requiring physical access to the machine. From there, perpetrators can intercept any confidential information entered via the keyboard such as PIN codes, account numbers for banking and eCommerce sites, online gaming information, passwords and other login credentials.
In recent years, keylogging attacks have gained popularity and momentum with cyber thieves attributed, in part, to the rapid expansion of the mobile attack surface along with the increased proliferation and sophistication of malicious programs with keylogging functionality. Underscoring this trend, the notorious keylogger Trojan known as “Pony” was responsible for the theft of more than two million usernames and passwords in 2014, many of them for accounts on high-profile sites such as Facebook, Gmail, LinkedIn, Twitter and Yahoo.
Those same vulnerabilities in software authentication can also pave the way for brute force attacks – a method used by cybercriminals to decode encrypted login data such as passwords and Data Encryption Standard (DES) keys, via extensive, systematic trial-and-error techniques that essentially guesses the password in order to “force” their way into the system. As with keyloggers, flaws in the software authentication process opens the floodgates for hacker bots to successfully infiltrate a system. With software-based solutions, miscreants will have the ability to locate and reset the counters as well as copy the encrypted file to numerous systems in order to simultaneously conduct multiple cracking attempts. Once login credentials are cracked, cybercriminals will benefit from unrestricted access to corporate data for economic gains, cyber espionage or brand destruction.
Conversely, hardware-based encryption entails safeguards preventing hackers from executing brute-force attacks simply because the crypto module will automatically shut down the system and possibly scramble or encrypt data after a certain number of incorrect attempts at the password has been reached.
In light of an increasingly mobile and remote workforce, implementing a hardware-based authentication and encryption tool resistant to these threats is now becoming non-negotiable when looking to protect data on laptops, tablets and mobile phones. The same applies to organizations in highly regulated industries such as financial, healthcare and government, required to adhere to compliance mandates while routinely targeted in key logging, brute force and other common attacks. But yet for any organization, sensitive corporate data will be better protected with hardware solutions, which provide much-needed, automatic safeguards even if the drives are lost, stolen or installed onto unauthorized computers. Because all software can be hacked. And nobody wants to be the next statistic.
