Another high-profile data breach may not come as any surprise in this age of cyber theft. But this one, involving the Starbucks mobile app, sounded preventable, at least on the surface.
Some Starbucks customers had money siphoned from their accounts after attackers logged in to those accounts with valid credentials.
Starbucks blames poor passwords for this security breach. So here's a word to the wise: if you use this popular app, change your account settings and create a stronger, unique password as quickly as possible. Security experts warn that password protection alone just isn't strong enough, because people pick weak passwords and reuse them.
Blaming poor passwords may also hide other glaring security mistakes. In other words, whether Starbucks could have prevented the breach is debatable: the fraudulent logins went under the radar of Starbucks' IT security team. Could a more robust mobile application security plan, one that watched for abnormal login activity, have detected this threat to mobile accounts? Maybe.
People choose easy-to-remember passwords and many reuse them for other sites
“Fraudsters took advantage of a weak front door — in this case a system that relied fully on customer propensity to choose strong passwords,” said Cherian Abraham, a mobile payments consultant at Experian. “That hardly ever works out well, because, as consumers, we choose what’s easy to remember.”
Often it takes a dramatic security breach (and a few upper-management heads to roll) before corporations will act. After a massive Target security breach last year, the company’s CEO Gregg Steinhafel resigned.
"Island-hopping" happens when a hacker gets a password and tries to use it for other logins
But here's another question: once an attacker has the password for one of your apps, can he or she get into your other accounts? Too often, yes. Because people reuse passwords, attackers take a credential that works on one service and try it against the other websites you frequent, a practice also called credential stuffing. A password that is only as strong as the customer chose, with no check on how it is being used, is exactly the weak front door described above.
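The two questions raised above, whether abnormal login activity could have been detected and how island-hopping looks from the server side, can be made concrete with a small script. The following is an added example written for this article, not code from Starbucks or any vendor. It assumes an authentication log with one line per attempt (timestamp, OK/FAIL, user, source IP), the log lines are constructed, and the window and account-count thresholds are assumptions to be tuned to real login volume.

```python
"""Flag credential-stuffing ("island-hopping") against a login endpoint.

Added example for this article, not code from Starbucks or any vendor.
Assumptions: the authentication log has one line per attempt in the form
    <ISO-8601 time> <OK|FAIL> user=<account> src=<client IP>
and an attacker replaying leaked passwords against many accounts produces
failures against many *distinct* accounts from one source in a short window,
whereas a legitimate user mistyping produces repeated failures on one account.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one source (203.0.113.7) tries five accounts in a
# few seconds and gets into one of them; a real user (alice) mistypes once
# and then logs in; an unrelated successful login from a third address.
SAMPLE_LOG = """\
2015-05-12T08:00:01 FAIL user=alice src=203.0.113.7
2015-05-12T08:00:02 FAIL user=bob src=203.0.113.7
2015-05-12T08:00:02 FAIL user=carol src=203.0.113.7
2015-05-12T08:00:03 FAIL user=dave src=203.0.113.7
2015-05-12T08:00:04 OK user=erin src=203.0.113.7
2015-05-12T08:00:05 FAIL user=frank src=203.0.113.7
2015-05-12T08:05:00 FAIL user=alice src=198.51.100.20
2015-05-12T08:05:30 OK user=alice src=198.51.100.20
2015-05-12T09:00:00 OK user=bob src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")


def parse_log(text):
    """Parse log lines into dicts sorted by time; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "result": result,
                       "user": user, "src": src})
    return sorted(events, key=lambda e: e["ts"])


def find_stuffing_sources(events, window=timedelta(minutes=10), min_accounts=4):
    """Return {src: set(accounts)} for sources that failed against at least
    `min_accounts` distinct accounts inside any sliding window of length
    `window`. Both thresholds are assumptions for this example."""
    fails_by_src = defaultdict(list)
    for e in events:                      # events are already time-ordered
        if e["result"] == "FAIL":
            fails_by_src[e["src"]].append(e)

    flagged = {}
    for src, fails in fails_by_src.items():
        start = 0
        for end in range(len(fails)):
            # Slide the left edge until the window spans at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            accounts = {e["user"] for e in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged.setdefault(src, set()).update(accounts)
    return flagged


def compromised_accounts(events, flagged):
    """Accounts with a successful login from a flagged source: the reused
    password worked there, so these accounts need a forced reset."""
    return sorted({e["user"] for e in events
                   if e["result"] == "OK" and e["src"] in flagged})


def analyze(text, **thresholds):
    """Run the whole pipeline; returns (flagged_sources, accounts_to_reset)."""
    events = parse_log(text)
    flagged = find_stuffing_sources(events, **thresholds)
    return flagged, compromised_accounts(events, flagged)


if __name__ == "__main__":
    flagged, hits = analyze(SAMPLE_LOG)
    for src, accounts in flagged.items():
        print(f"stuffing source {src}: tried {len(accounts)} accounts {sorted(accounts)}")
    print("accounts to force-reset:", hits)
```

The design point is the grouping key. A per-account lockout never fires here, because each victim account sees a single failure; counting distinct accounts per source catches the one-password-per-account pattern that lockouts miss. Source IP is only one signal, since attackers rotate addresses, so in production the same logic is usually run per device fingerprint or per network block as well.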
As an IT decision maker, you probably have a Bring Your Own Device (BYOD) policy in place or are in the process of considering one for your company. You understand the challenges and headaches that can come with securing corporate data on employees’ mobile devices.
Besides stronger passwords for apps, here are seven must-haves that businesses should consider for enhanced mobile application security. These are crucial to helping curtail a security breach of your company data through a mobile device.
1. Secure remote access
Secure remote access sets up a private, encrypted connection (typically a VPN or a per-app TLS tunnel) between mobile devices and the corporate network, so that transmitted information cannot be read or tampered with in transit. Such a solution should protect information in all locations, from the corporate campus to home networks and public Wi-Fi hotspots.
2. Encryption
Encryption of data at rest can protect corporate data even if a stolen device has no device passcode, provided the encrypted workspace enforces its own authentication and does not leave the key unprotected on the device. If all corporate data saved on the device lives in a separate, application-based workspace that the IT department controls, then IT personnel can manage the entire encryption process. As soon as a user switches to an application outside the workspace, the protected corporate data and enterprise apps on the device are automatically locked.
3. Data leakage protection
Data leakage protection (DLP) helps prevent the intentional or inadvertent transfer of data off a mobile device. For example, DLP allows an Excel spreadsheet to be viewed by any authorized application on the device while preventing it from being opened by or saved to any untrusted application, such as a personal cloud-storage app that syncs to shared folders.
4. Remote wipe
Remote wiping gives corporate IT the ability to reach a device remotely and erase the corporate data and enterprise apps on it, leaving personal data untouched (a selective wipe). The command only takes effect once the device checks in, so remote wipe is a complement to encryption and lock-out policy, not a substitute for them during the window before a lost device comes online.
5. Identity and access management
Identity and access management (IAM) validates which device is accessing the network, who the user is, and where the device is located. It then allows access to specific services and data depending on the user's role. A unified approach to accessing corporate data and applications includes an access control policy, separation of duties, and single sign-on (SSO). A comprehensive approach covers both mobility and traditional on-premises access.
6. Policy management
A policy engine drives long-term security, defining users’ roles, which devices they have, and which applications and data they can access under what conditions. A robust policy management solution enables IT to configure each device easily for everything employees need: access, passwords, applications, personal identification numbers (PINs), device timeout, and beyond.
7. Compliance reporting
Compliance reporting gives IT an inventory of everything in the mobile security environment: users, devices, applications, rights, and more. That inventory makes it easier to identify and avoid problems; when a new security issue is announced for a browser, for example, IT can quickly identify which devices need patching and confirm that they get patched.
With these seven security capabilities in place, a mobile-enabled enterprise is better able to provide the services users demand while protecting the organization from threats.