The online community was recently abuzz over Vizio’s agreement to pay $2.2 million to settle FTC charges that the company’s smart TVs had been collecting data about users’ viewing habits without their consent. The company reportedly sold that data to third parties, who used it for targeted advertising.
A growing minority of observers has long suspected that these actions by Vizio and other companies are the tip of the iceberg. Smart electronic devices with embedded cameras and microphones are susceptible to being hijacked by both advertisers and hackers, who can use those devices to surreptitiously spy on their owners. Those who might argue that this is mere paranoia should consider that potential high-level hacking targets, including Facebook founder Mark Zuckerberg and Pope Francis, have covered and blocked the built-in cameras on their computers and tablets. If advertisers can co-opt electronic devices to invade their owners’ privacy, hackers can certainly access those devices to steal data and wreak havoc in a corporate network environment.
Organizations that seek to protect their networks from unauthorized mobile device incursions can start by implementing a strong mobile device usage policy among their employees. Such a policy includes requiring passcode protection, limiting or prohibiting employees’ use of unsecured wireless networks to connect their devices to a corporate system, preventing employees from downloading unauthorized apps onto mobile devices, and regularly updating security and operating system software on mobile devices.
A second level of protection may be more difficult for an organization to implement. Specifically, employees’ personal mobile devices may not be secured to the same extent as a corporate device. Organizations can block access to a network by an employee’s personal mobile device, but if that device is compromised to the extent that it is listening to and monitoring an employee’s actions, everything the employee says and does has the potential to create a leak that can be used to hack into an organization’s information systems. Employee education can raise awareness of this problem, but it cannot altogether prevent it.
Apart from the sense of an invasion of privacy that is fostered by an advertiser’s secret data collection through mobile devices, little harm generally arises from that activity. The same cannot be said for a hacker’s data theft. A hacker who uses secretly collected data to break into a corporate system can leave a trail of direct and third-party damages and financial losses that can permanently impair an organization’s health. No organization is immune to these losses, regardless of its size or the nature of the data that it stores in its systems. For this reason, many organizations are looking into cybersecurity insurance quotes to protect them against these losses.
A growing number of corporate insurance carriers are expanding their offerings to include cybersecurity insurance, and other new insurance companies are entering the field to provide specialized products that were not available as recently as ten years ago. Cybersecurity insurance can provide reimbursement, for example, for direct losses associated with hacking damage to internal servers and data storage devices. More importantly, if a successful hack attack results in an organization’s loss of personal customer data, cybersecurity insurance can cover some or most of the costs of implementing protections for those customers to confirm that their data is not used for other purposes that can lead to greater losses.
Cybersecurity insurance carriers are also developing special expertise in working with their clients to help them erect greater barriers against hack attacks that directly target internal networks or that seek indirect access to those networks through compromised mobile devices.