Blackphones: A human-centric approach to cybersecurity?

People are the biggest hole in your defenses. Could secure smartphones help shore them up?
11 June 2019

The answer to BYOD security issues? Source: Shutterstock

The simplest way to give away your organization’s secrets is to employ people. Hackers are targeting the humans that work in business much more than they are trying to attack the perimeter of a company’s network.

People are a much softer target than the deliberately-hardened and monitored protection systems that organizations employ, like firewalls and intrusion detection systems.

Additionally, the people that work alongside you every day have some terrible habits: they share passwords and credentials with one another, set simple passwords, and use the same easy-to-crack passwords on their personal accounts as they do on the systems that give them access to highly confidential business data.

As if the situation couldn’t get much worse, most companies actively encourage their employees to use their own hardware such as phones, tablets, and laptops for work: BYOD saves equipping every employee with new hardware and lets people work out-of-hours, too.

People-centric security was a recurring theme at the Infosecurity Europe 2019 event held last week in London’s Olympia: how to “tie down” and manage BYOD hardware, and how to ensure communications and data are encrypted, were two areas well represented by many vendors’ goods and services.

While it’s difficult to prevent people from losing devices altogether, at least the data on those devices can be encrypted at rest, should they fall into the wrong hands. That type of technology has been around for a while as a built-in feature of devices from many manufacturers, but several companies are taking that particular issue further.

Encrypting messages, emails, and even cell information are all possibilities, depending on the particular nature of your business. One of the best-known ways of achieving this is via Silent Circle’s eponymous application, which provides secure communication via voice & text, very secure file exchange, and operates point-to-point.

That type of methodology can be taken a step further: mesh networking frameworks can be used to circumvent cell networks altogether, and also have the added bonus of allowing cell-tower-free comms, in remote areas, for example.

Once we accept that data breaches are inevitable rather than unlikely, our security stance can change to comprise actions that minimize risk, rather than cut it out altogether. It’s with this in mind that so-called ‘black phones’ find a market.

These devices are often rebadged stock Android phones with a few additions, and a revised Android version. The Silent Circle Blackphone 2 is one such device: especially secure when used on the same company’s Silent Phone service, a subscription model that ensures cell data is as secure from interception and decryption as possible.

Finnish company Bittium takes the black phone concept, and instead of using “found materials” it builds its own phones in a facility in its native country. If one of your staff loses their Bittium ‘Tough Mobile’ phone, and someone cracks open the case, the data wipes itself. VPNs and encryption are also baked-in, as is a level of granular control by the company’s Mobile Device Management platform that extends to over 100 parameters.

The Bittium dual-boot framework: swipe to switch between work & play. Source: Bittium

Bittium currently offers three phones, with options that opt out of the opaque Google “services” that track your movement and potentially channel select data to Google’s data centers.

The top of the range Tough Mobile C solves the BYOD vs. work phone conundrum by containerizing two Android OSes, entirely separate from one another: one for home, one for work. That demarcation between work and play is something that’s been a feature of Android since version 7.0 (Nougat) in the various guises of Android for Employees, Android Enterprise, and Android for Work.

Samsung’s Knox purports to offer the same type of functionality too, with limits being placed, if desired, on some of the more insecure elements of the Android OS, like ADB connections, boot path changes and “rooted” phones.

Naturally, any employer who is accepting of the fact that his or her employees are using their own devices for work will want to manage those devices to some extent, in the same way that the work desktop is often an approved and overseen image. That’s where Enterprise Mobile Management Solutions (EMMS) come into the picture.

Solutions from MobileIron (featured on our sister site, Tech Wire Asia) provide a virtual workspace and bespoke “Play Store” from which staff can download pre-approved applications. The EMMS then manages that ring-fenced area of each user’s phone or tablet, so updates or new apps can be pushed out, security policies applied, and whole apps and repositories remotely wiped in the event of theft or loss.

Ever since cybersecurity became an issue, IT teams have had to balance along a high wire, with a secure yet effectively unusable networked enterprise on one side, and a more work-friendly, goal-focused yet potentially disastrous security posture on the other.

Unfortunately today, the consumerization of technology means that every employee has the potential to wreak havoc, whether that’s their intention or not. And while technology can’t cure fallibility, many of the companies that appeared at Infosecurity Europe 2019 last week can help narrow the odds of data disaster.