Cyber crime escalates over the festive season, as an increasing number of consumers turn to online shopping rather than brave the busy malls. For many consumers in SA, this could mean shopping on their mobile phones.
Retailers are taking advantage of the 20 million smartphones in SA (according to 2015 data from the Mobile Marketing Association) to attract potential customers who don't necessarily have desktop or laptop computer access to online services and offerings.
With this increasingly convenient way to reach customers comes heightened responsibility to ensure their data remains secure. Security threats directed at mobile users are becoming increasingly sophisticated, with hackers now targeting mobile payment systems as well as mobile browsers.
Both retailers and other companies send personal and confidential data to users who access services via their mobiles. This personal data could be in the form of invoices, statements, policies, medical information or any kind of document that can be e-mailed or accessed via an app or Web portal.
Dealing with unsecured devices
Securing private documents on a mobile is a combination of the sender's responsibility, in terms of encrypting and protecting that document, and the mobile user's responsibility, in terms of ensuring the device is secure. Companies have no means of managing the inherent security of the mobile devices their customers use, however. This means companies need to apply security at document level in anticipation of the data being received and stored on an unsecured device.
Documents delivered by e-mail should be encrypted and password-protected. Basic PDF encryption is not sufficient; neither is using an easily identified password like an ID number. To really protect the personal data inside a document, it should be encrypted and password-protected with a medium to strong password.
If confidential documents or data are made accessible via a proprietary application, the application must not automatically log in the user or store the login details. If it's not possible to add a security layer into the app process, then each available document needs to be protected.
Perhaps most importantly, the company should continually educate its customers on emerging risks and on appropriate mobile device and application security. At as many customer touch points as possible, reiterate the security principles that will protect their confidential information.
It starts at the back-end
Companies must ensure customer documents are safe where they are created and stored, as well as when they are in transit, or sent to a mobile device.
Most documents created today are digital, and are managed by a digital document management solution. A digital document management solution should offer multiple layers of access control that enable the company to compartmentalise and restrict access to different customer documents.
Seniority or clearance should dictate what functions various employees can perform on a document: view, download or share. As an example, certain private records can be password protected, so if a customer requires a copy, a call centre agent can send it on when requested, without being able to view the details of that document.
The easiest way for criminals to breach security and access a repository of confidential documents is by tricking or compromising an employee. In a call centre environment, which suffers from high employee turnover, this risk is compounded.
Be sure all employees, and particularly call centre and other front-line agents, understand and operate by the company's security guidelines when it comes to accessing and sharing customer documents. Constantly reinforce to employees that they should never click on links or open documents from an unknown source, as this is a common method used to install malicious software that effectively puts hackers inside the secure network.
As cyber criminals continue to get smarter, traditional network and database security is not sufficient. To truly secure a customer's documents, multiple security layers are required, to the point of encrypting and protecting each individual document even if it resides on a secure network. This also ensures information sent via e-mail between a company and a customer cannot be compromised if intercepted or sent to the wrong recipient.
Make it a policy never to send or store documents containing confidential information in an unprotected state. An e-mailed or downloaded document gets saved automatically on certain devices and, if unprotected, is vulnerable if the device is hacked.
In order to secure documents from all vulnerabilities, a strong password approach is essential. This applies to the passwords employees use to access internal systems, the one a customer uses to log on to a self-service portal, and even the password used to open an individual document. If the password is weak, all other security is bypassed.
Educate employees and customers on the value of using only strong passwords and the risks of using easily cracked passwords, such as '123456', 'abc123' or 'password'.
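The password rules above (reject common passwords such as '123456', 'abc123' or 'password', and reject easily identified values such as an ID number as the password for a document) can be enforced at the point where a document password or portal password is chosen. The following is an added example, not code from the article or from any product it mentions; the blocklist, the 12/16-character thresholds, the "three character classes" rule and the sample ID-like value are constructed for illustration, and a real deployment would check against a much larger list of breached passwords.

```python
import string

# Constructed blocklist for the example; production systems should use a
# large breached-password list rather than this handful of entries.
COMMON_PASSWORDS = {"123456", "abc123", "password", "qwerty", "letmein", "111111"}

MIN_LENGTH = 12      # assumed policy threshold for "medium"
STRONG_LENGTH = 16   # assumed policy threshold for "strong"


def _character_classes(password):
    """Count how many of lower/upper/digit/punctuation classes are present."""
    classes = 0
    if any(c.islower() for c in password):
        classes += 1
    if any(c.isupper() for c in password):
        classes += 1
    if any(c.isdigit() for c in password):
        classes += 1
    if any(c in string.punctuation for c in password):
        classes += 1
    return classes


def _has_sequential_run(password, run=4):
    """Detect ascending or descending runs such as '1234' or 'dcba'."""
    lowered = password.lower()
    for i in range(len(lowered) - run + 1):
        codes = [ord(c) for c in lowered[i:i + run]]
        diffs = {b - a for a, b in zip(codes, codes[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def password_findings(password, personal_values=()):
    """Return a list of policy findings; an empty list means the password passes.

    personal_values holds strings the sender already knows about the customer
    (ID number, phone number, date of birth) that must not appear in the password.
    """
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        findings.append("on the common-password blocklist")
    if password.isdigit():
        findings.append("digits only (looks like an ID or phone number)")
    if _character_classes(password) < 3:
        findings.append("fewer than three character classes")
    if _has_sequential_run(password):
        findings.append("contains a sequential run")
    if len(set(password)) < max(4, len(password) // 3):
        findings.append("too few distinct characters")
    for value in personal_values:
        if value and value.lower() in password.lower():
            findings.append("contains a known personal value (e.g. ID number)")
    return findings


def rate_password(password, personal_values=()):
    """Classify as 'weak', 'medium' or 'strong' using the constructed policy."""
    if password_findings(password, personal_values):
        return "weak"
    return "strong" if len(password) >= STRONG_LENGTH else "medium"


if __name__ == "__main__":
    # Constructed sample inputs: the article's weak examples, an ID-like
    # all-digit value, and two passphrases that pass the policy.
    for candidate in ["123456", "abc123", "password", "8501015009087",
                      "Tr0ub4dor&3x", "Correct-Horse-Battery-Staple-42"]:
        print(f"{candidate!r}: {rate_password(candidate)} {password_findings(candidate)}")
```

Because `password_findings` returns the reasons rather than a bare boolean, a portal or document-delivery service can show the customer or agent exactly why a choice was rejected, which is the kind of concrete feedback that reinforces the education the article calls for.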