A Data Spill from an Oil Rig: Protecting Mobile Devices from ‘Leaky’ Apps
The energy industry is increasingly a mobile (not Mobil, pun intended) enterprise, where foremen, floor-hands, roughnecks, and drillers use smartphones and tablets throughout the workday.
These devices contain vital information – including confidential data – about everything from codes to operate heavy machinery and geological studies about untapped reservoirs of natural gas and oil to the intellectual property about a company’s forthcoming projects and attempts to create cleaner fuels.
As these items become an integral part of an employee’s job, as more and more workers depend on these devices to speak with colleagues and deliver live updates from remote locations (in the Plains states, or in the deserts of the Persian Gulf or offshore from the California coast), security will become a top priority.
Specifically, there must be an effort to identify “leaky” apps: Unsecured mobile applications that hackers can manipulate to gain access to a wealth of personal content and professional material.
This threat is all the more pernicious because a leaky app does not reveal itself as weak or vulnerable; it may not have any of the telltale signs – the bugs, glitches, crashes and inexplicable delays – that other apps may display.
In fact, the majority of these apps operate as intended: They download, and open and run, all with the tap of a finger, without the slightest indication that a problem exists.
Take, for instance, apps from, respectively, Outlook.com, WebMD and The Weather Channel, all of which have proven (on Android devices) to be leaky. This challenge is not a minor episode in a much bigger and more relevant saga about smartphones and tablets.
When even the most popular apps are far from impenetrable, the energy industry needs to think about the implications of a “data spill,” which can be as economically disastrous as an oil spill is environmental.
Bear in mind, too, that most people do not know how the apps they use (for work or leisure) store sensitive information. Nor do they have a ready answer about whether an app encrypts data, complemented by a technical overview known as certificate authentication.
The public does not need to be conversant with these details, but the energy industry must become aware of cyber attackers who do, in fact, know these things . . . and can quickly use a leaky app to steal precious content, trade secrets, and highly-valuable information.
This is why workers near those derricks and aboard those tankers need to educate themselves about the toxic risks associated with leaky apps.
Again, this issue is not an anomaly. Our own internal audit shows that 60% of the 100 most popular apps, for business and/or recreational purposes, have a High-Risk rating in one or more security areas. All of these apps are available through Google Play and iTunes – and none of them would alert users that a cyber criminal is in their midst.
Thus, the energy industry must devise a thorough, rapid-response system to deal with this danger. Such a system would enable professionals to spot, fix or stop the spread of leaky apps.
This approach goes beyond addressing malware or targeted attacks and empowers individuals to control devices big and small.
Charting the Scope of the Threat: An Action Plan
An independent study by Gartner Inc. predicts the focus of endpoint breaches will shift to smartphones and tablets. The report concludes that the average cost of remediating a successful attack requires $8.3 million in outlays and repairs.
Vigilance is the best safeguard workers possess, especially when using mobile devices in harried circumstances and stressful situations. Basic things, like having a strong passcode and using the latest version of iOS or the Android operating system, can provide substantial peace of mind.
Workers should also avoid “jailbreaking” their smartphones and tablets, which makes these devices more vulnerable to attack. Employees should only use known and secure Wi-Fi networks.
If a company chooses to create its own app, there are certain best practices it should follow. For starters, confirm that the app does not store login credentials or other sensitive information on the device. If this is absolutely unavoidable, make sure the material is not stored in clear text, or stationed within an easy-to-find database. Use secure SSL/TSL protocols to protect data in transit.
Test, and retest (and retest some more) because the lifeblood of our economy is energy, and the energy industry cannot operate successfully when the devices workers use are themselves devoid of energy – exploited by data thieves and hackers.
The Panasonic Solutions for Business blog occasionally posts licensed third-party content we believe is relevant to our audience.
For more information on Panasonic mobility solutions, visit us online.