Authorities should be professional paranoids because they work with critical data and access confidential sources. In large companies specialists develop security policies (what can and can’t be done to information in the workplace), manage access rights, control communication and data transfer (IDS/IPS solutions, DLP, SIEM systems, file audit software get installed to track this). And if you follow the instructions the risks of losing data are reduced to zero. But the likelihood that employees will become victims of a social engineer is ever-present — they might respond to manipulation, install malware or do something dangerous. The only advice which can be given in such a situation is to remain fastidious.
Another problem which is even bigger is the usage of personal devices, mostly smartphones, and services. They are portable and can be used everywhere. The issue is in the security — they are less protected than corporate devices. Here are the major threats and preventive measures:
The instruments of spyware are as limitless as the features and capabilities of devices which they are installed on. Spy apps can use a speaker and listen to anything they want, access camera, make photos and record video, show geolocation, contacts, correspondence and negotiations, files, etc.
Malware can reach a device if a violator gains physical access to the gadget. Taking into account performance of contemporary devices it takes a few seconds to install spyware. You can install a spy app on a smartphone or a PC yourself taking it for a simple application or any other useful software. Even such official stores as AppStore and GooglePlay don’t check the source code of the software where spy tools can be wired in. Excessive permissions the software wants to get can indirectly indicate their dubious nature. There is a textbook case featuring a flashlight app which needs your contacts, photos and geolocation. Taxi apps don’t surprise you anymore with these requirements, while the service can use the permission received from you to actually find your location or to spy as well.
It is difficult to learn whether a spyware is installed on a smartphone. You can’t tell it by the speed your battery gets discharged. The battery is affected by many different factors, and the activity of a spyware is only one of them. That’s why all there’s left to do is to comply with security requirements. Don’t put anything downloadable into your phone, that will help you to minimise risks. If an app is famous and time-tested you will hardly hit a malware. It is not a 100% guarantee but such apps as Outlook for your phone will most likely be a safe choice whereas some app simply called ‘’email” uploaded by an unknown developer might be a trap.
Technical preventive measures imply regular update of already installed applications (developers patch discovered vulnerabilities and these patches can be downloaded), not turn antivirus off on a smartphone and try to always update an OS. When a phone gets old and don’t receive updates anymore it is advised to purchase a new one. It also makes sense if you check which apps are running in the background and have too much access. For example, Uber app activity became reason for a scandal — it appeared that even when geolocation was off the service kept receiving information about user location. This is only one of the examples, that’s how many other apps work. Some do need to collect data in the background, for example, smart stations have to be always alert and ready to respond, so they listen to anything what is going on. The problem is in the fact that information is processed on the service’s servers and we don’t know who can access it and whether it is protected.
The latest Android versions allow you to cease background access. Unfortunately, it can’t be done on a PC, a user can’t turn off excessive access with OS instruments.
The advice to take the battery out in order to avoid tracking was relevant for earlier phone models (when control was conducted not at the level of spyware but at the level of GSM cells). The architecture of modern smartphones is close to the PC’s architecture — when there’s no battery the OS isn’t launched, therefore spyware isn’t launched. That’s why it is enough to switch the phone off during a meeting.
It is much easier to become a victim not of a technical conspiracy but of your own negligence. Violators often receive access to government sources and information because it appears to be unprotected.
All security rules forbid users to go to such sources as corporate services or email via browsers through public access points. This is not just a preventive measure, browser traffic is easy to intercept, and there are many ways to do it. The same thing can be said about confidential negotiations conducted on the phone. There are methods of conversation interception, they are expensive and complicated to implement but if someone really needs to listen to you it won’t become an obstacle.
Messengers using end-to-end encryption (WhatsApp, Viber, etc.) are relatively safe to conduct correspondence and exchange files. But remember that they aren’t perfect — experts found vulnerabilities in them. Besides, users happened to fall prey to simple human factor when content of secret chats was disclosed due to negligence of one of the participants of a conversation.
Another measure to take is to limit the usage of public services in the workplace. They aren’t suitable for storage and transfer of confidential information and sensitive documents. It takes little time to hack private email, social network messengers — accounts or servers. User agreements which we don’t read make it clear that data is sent to third parties for analytics improvement which is actually a specific payment for free services.
For many it became a revelation that information from secured services sometimes goes public due to confidentiality misconfiguration. GoogleDocs documents could be occasionally found among results of another search engine. Experts used to find UN secret documents and files of other organisations on Trello, online organiser. Users forgot to change the settings from public to private and documents were indexed reaching everyone’s attention.
The last thing to be mentioned — information exposure due to nonchalance, talkativeness. Confidential details can appear on some journalist’s photo, social network page, etc. This is how information can be leaked by some stranger, even if it belongs to dignitaries. Here you can have a look at the incidents which happened because of the U.S. President Donald Trump. People’s confidence that they are out of risk often becomes a misleading illusion. Even the most professional managers neglect security settings and “digital hygiene” rules and become victims of social engineers and phishers.