Meet us at CyberTech Rome, October 3-4, 2023

Book a meeting

Author: Omer Cohen

Navigating Compliance: Controlling IM Communications and Archiving in Highly Regulated Industries

Posted on by Omer Cohen

With stringent oversight and the ever-evolving legislative landscape, organizations operating within highly regulated sectors face a unique set of challenges. One of the paramount considerations is managing how information is shared by employees and to ensure it is adherence to industry-specific regulations.

This has become a highly complicated management task, with Instant Messaging emerging as a highly popular communications tool to send and receive information within organizations. This is why controlled IM communications and archiving are now essential elements of compliance and risk mitigation.

Meeting the Needs of the Regulatory Maze

Highly regulated industries such as finance, healthcare, legal, and energy are no strangers to the intricate web of compliance requirements. Regulatory bodies such as the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), the Health Insurance Portability and Accountability Act (HIPAA), and others wield substantial authority over these sectors. Non-compliance can result in severe penalties, including fines, legal actions, and reputational damage.

Within this context, the management of mobile electronic communications has come under intense scrutiny. Regulators require organizations to maintain and archive a comprehensive record of these communications. The rationale behind this is twofold: to ensure transparency and to facilitate investigations when necessary.

The IM Challenge

IM platforms enable swift decision-making, collaboration, and information sharing. However, their informal and unsanctioned nature poses unique challenges when it comes to compliance. Conversations happen quickly, often without the formality of emails, making them difficult to track and archive.

Furthermore, the use of personal devices for business communication, a common practice known as “Bring Your Own Device” (BYOD), complicates matters. In BYOD scenarios, distinguishing between personal and business-related communications becomes challenging, potentially exposing personal data to scrutiny during compliance audits.

In heavily regulated sectors, challenges arise when employees transmit files through applications, such as WhatsApp and Slack. These actions can result in data breaches and non-compliance with stringent regulations governing data confidentiality and security. Archiving these IM ‘conversations’ is infeasible despite regulatory requirements, due to technical and privacy challenges, forcing organizations to attempt to ban their use within the corporate environment.  

Difficulties Trying to Ban IM Communications 

Establishing and upholding a secure and compliant environment, with appropriate archiving, places a significant burden on organizations. This has left those who spearhead compliance policies struggling to control employees’ use of apps, such as Whatsapp, WeChat or TikTok, for work purposes. Indeed, the biggest concern for 61.5% of compliance leaders is “getting employees to comply with rules for electronic communication.” 

Even more concerning is that only 3% of compliance officers “strongly believe” banning messaging platforms is an effective method of ensuring compliant communications within their organization. This is even though the majority (59%) has enforced prohibitions on the use of social media and messaging apps as a response to heightened regulatory scrutiny.

Increasing Regulatory Pressure

However, despite the difficulties involved, regulators are increasing the pressure on organizations to demonstrate how they are monitoring and archiving data exchanged using messaging apps. 

The SEC, for example, has been taking a tough stance on major banks for their failure to monitor and archive their employees’ messages on unauthorized platforms. In December, the SEC imposed fines totaling $1.1 billion on Citigroup, Bank of America, and Goldman Sachs, following a $125 million penalty against J.P. Morgan Chase in December 2021.

The extent of the investigation into text messaging practices saw the SEC request firms to furnish their policies and procedures governing the use or prohibition of text messages and the retention of communications associated with brokerage or advisory services. Subsequently, the agency seeks documentation revealing the individuals responsible for supervising these messages, the methods employed for monitoring and training, as well as the mechanisms in place for detecting violations. 

Across all sectors that have to adhere to strict regulations, the use of messaging apps is presenting one of the biggest compliance challenges to confront organizations.

How Organizations Can Quickly and Cost Effectively Ensure Compliance

The paramount objective of regulation revolves around safeguarding data, necessitating the prevention of data from leaving and residing outside the corporate network. Symmetrium achieves this with the creation of Virtual Mobile Devices (VMDs) situated within the secure confines of an organization’s network. These VMDs seamlessly align with existing enterprise network and regulatory protocols, assuring the privacy and protection of all data. This proactive approach mitigates against the risk of substantial fines.

Symmetrium’s VMDs employ P2P encrypted streaming technology, enabling employees to access data through a designated portal on their personal devices. Importantly, this access is view-only, ensuring that the data never traverses beyond the secure organizational network and is never stored on external user devices. This robust security framework guarantees the continual safeguarding and compliance of sensitive data, with no data ever residing on devices external to the organization’s IT environment.

A Simplified and Streamlined Approach 

The outcome of implementing Symmetrium’s VMDs is a simplified and more streamlined approach to managing data. Regulatory officers and Chief Information Officers (CIOs) benefit from reduced complexity, as Symmetrium’s VMDs seamlessly extend existing compliance protocols. They are effortless to deploy and provide a native mobile experience, instantly ensuring compliance through customized end-to-end encrypted streaming, with no data stored at rest. Each mobile user is treated as an on-premises endpoint, granting control over when and where data can be accessed.

Symmetrium’s mobile access solution boasts minimal operational requirements while meeting stringent security compliance standards, seamlessly integrating with established data access protocols. The result is compliance simplified into a single, user-friendly app.

The need for controlled IM communications and archiving is paramount in highly regulated industries. Compliance is not merely a regulatory box to check; it’s a strategic imperative for risk management, security, and operational efficiency. Organizations that embrace these solutions not only meet their compliance obligations but also position themselves for success in an ever-changing regulatory landscape.

Isn’t it time you reevaluated your approach to meeting your regulatory requirements? Schedule a demonstration with Symmetrium today.

How to Protect Data When Mobile is the Biggest Threat to Corporate IT Security

Posted on by Omer Cohen

The growth in BYOD policies and prevalence of hybrid work is seeing an increasing number of employees ditch traditional work devices in favor of personal ones. The result has seen cybercriminals shift their focus. They now see mobile devices as the soft underbelly of corporate IT networks and the perfect launchpad for their attacks. 

There are several reasons why hackers see personal mobile devices used in a corporate setting as an easy target. When managing these devices, mobile users frequently depend on the default security settings provided by manufacturers, as opposed to employing enhanced security software that is commonly deployed on their desktop computers.  Additionally, they often fail to regularly update their mobile operating systems, leaving their devices vulnerable to the latest malware and viruses. They also use a multitude of non-work-related apps, potentially exposing their device to being compromised. 

Cybercriminals have become adept at distributing malevolent APKs (Android application package files) through direct downloads and third-party app stores by masquerading unofficial versions of legitimate apps. By capitalizing on the familiarity of well-known app names, these malicious apps aim to infiltrate employee devices with malware. 

Highly regulated sectors, such as healthcare and finance, also face problems when employees send files via apps such as WhatsApp and Slack. These can be responsible for data leaks and contravene strict regulations surrounding the confidentiality and security of data. 

 

Lack of Adequate Security Protection for Mobile Devices

Despite these threats and the widespread implementation of BYOD (Bring Your Own Device) policies, there is still a glaring lack of adequate mobile security protection in most organizations. And this should make every CSO shudder given the results of research carried out by SlashNext

  • 71% of employees store sensitive work passwords on their personal phone
  • 66% of employees sometimes use their personal texting apps for work use
  • 59% of employees sometimes use their personal private messaging apps for work use.

Unsurprisingly, a growing number of CSOs are finding out the hard way that mobile devices represent one of the most vulnerable endpoint in their organization. But why, in an era where mobile device management (MDM) solutions enable administrators to control, secure and enforce policies on phones, tablets and other endpoints, is mobile still seen by hackers as highly exploitable?

The problem is that mobile presents a security threat that is bigger than the sum of its parts — beyond emails, calendars or messaging apps — because mobile devices interact with numerous systems, networks and enterprise data. Their escalating use in the workplace therefore means an ever-escalating array of devices, endpoints and identities. This means they require an entire set of resources to continuously secure, protect and manage their usage that few organizations have the resources or solutions to fully implement. 

 

The Achilles Heel Mobile Device Management (MDM)

The key flaw of MDM solutions revolves around their primary goal — to enable the centralized management of all endpoint devices and users. This approach encompasses various tools like mobile application management (MAM) and identity and access management capabilities. But focusing on managing devices and identity management is not enough. Employees have multiple identities — for email, WhatsApp, Slack, etc — and CSOs can fall into the false belief that by securing these various IDs, they in turn protect devices and data. But the Achilles heel with these solutions is that they, again, focus on securing devices and users — not data.

So, once users are granted access to the corporate IT network, the data they interact with on their mobile is stored on that device. Consequently, the data is no longer confined within the secure corporate network environment and is left exposed and vulnerable on the device it now resides on. Hackers exploit this by targeting individual employees who have access to confidential information on their mobile device, rather than exploiting a technical vulnerability

 

Addressing the Risks Posed by Remote Access 

The ultimate goal of security has to focus on protecting data and therefore needs to stop data from leaving and coming to rest outside of the corporate network. This is precisely where Symmetrium, a cutting-edge zero-trust data mobile access solution, steps in, facilitating productive collaboration while significantly reducing the chances of data breaches. This innovative solution effectively transforms any mobile device, be it managed or unmanaged, into a virtual extension of the organization’s network, complete with compliance, security, and IT protocols.

To maintain a secure and private zero-trust environment for data, Symmetrium offers a groundbreaking solution through its virtual mobile devices (VMDs). These virtual devices, residing within the organization’s network, serve as extensions of the company’s comprehensive security and compliance policies when accessed remotely by employees via their mobile phones or laptops. Leveraging end-to-end encrypted streaming, these VMDs ensure a seamless, completely native mobile experience with effortless deployment and management. Sensitive data is accessed virtually and therefore at no time sits on the user’s actual device. The result is that data remains secure and is never put at risk.

With Symmetrium at their disposal, organizations gain unparalleled control over the data accessed by their employees through mobile devices, ensuring robust protection against potential risks. The convenience of a centralized management console allows for efficient management of diverse devices, regardless of their brand or operating system, all while minimizing resource allocation.

 

Seamlessly Meeting Security and GRC Protocols

The seamless integration of Symmetrium effortlessly aligns with existing security and GRC (Governance, Risk, and Compliance) protocols, united under a single application. As a result, organizations can rest assured, knowing that their data remains safeguarded and secure, regardless of the device utilized for access, because Symmetrium: 

  1. Enforces strict network policies for seamless protection of sensitive data and compliance with regulations.
  2. Ensures Compatibility with various hardware and software configurations on multiple devices.
  3. Mitigates the risk of data breaches, malware attacks, and unauthorized access.
  4. Requires minimal resource allocation, optimizing efficiency.
  5. Delivers centralized management through a user-friendly console.
  6. Enables employees to utilize personal devices while maintaining their experience and privacy.
  7. Ensures a highly cost-effective solution, eliminating the need for device purchasing, maintenance, or upgrades.

Symmetrium’s streamlined approach empowers organizations to maintain unwavering data security, bolstering data governance, and fortifying against potential vulnerabilities with confidence.

Discover how easy it is to tame the threat of mobile security by booking a demo with Symmetrium here.

The Stealthy Menace of Spyware: How to Protect Your Workspaces

Posted on by Omer Cohen

The remote work revolution has transformed the modern organization. Employees and third-party vendors now frequently access the corporate network from remote locations, giving far more flexibility to organizations regarding, when, where and who can access sensitive data. This, however, has come at a cost, leading to security vulnerabilities that result from enabling remote access to corporate networks.

The potential of this threat was underlined recently when spyware was discovered in over 100 Android applications, whose cumulative download count was more than 421 million on Google Play.

Dubbed ‘SpinOk’, by antivirus company Doctor Web, once the malicious module is installed on victims’ devices, it stealthily steals data and files.

 

An Omnipresent Threat

Sadly, the omnipresent threat of spyware is just another security threat that puts organizations at risk, compromising privacy, and potentially leading to severe data leaks and consequences. 

Spyware works by infiltrating devices without user consent or knowledge. It can sneak in during software downloads from the internet, capitalizing on lengthy and convoluted licensing agreements that are commonly overlooked. It can also employ pop-up windows in web browsers to trick workers using their own devices into triggering a download. Once embedded, spyware operates discreetly in the background to steal sensitive information, such as login details, and data.

A total 39 percent of knowledge workers worldwide are forecast to be engaged in hybrid work by the close of 2023, according to Gartner. In the United States, this figure climbs even higher, with 51 percent of individuals adopting hybrid work arrangements, and an additional one-in-five identifying as fully remote employees. 

However, remote employees are just one security concern. From suppliers to software and resourcing needs, businesses are increasingly turning to third-party contractors. According to Deloitte, over the past five years, the use of third-party vendors has increased exponentially. This is exposing them to increased security threats.

This means that for organizations the obstacles to achieving a true zero-trust environment will remain. 

 

Vulnerabilities in Current Solutions 

With a heavy burden placed on the healthcare sector to be HIPAA compliant, the first line of defense is to ensure devices include the necessary safeguards to guarantee against theft and data loss through the use of a robust layer of security.
HIPAA regulations also require that ePHI data must be encrypted when transmitted over a network. The most popular way of doing this is to create a VPN through which VDIs (virtual desktop infrastructure) can connect to the data, therefore negating the need for it to be encrypted. This however raises problems.

Usage can be limited because a user needs to make sure no one else is using the VDI. This means they have limited flexibility and can be more difficult to scale as needed. This can be a problem for organizations with fluctuating user numbers or those looking to implement a bring-your-own-device (BYOD) policy. There are also security concerns as users operating in a VDI environment can as easily click on a malicious link in an email or on a web page as someone using a physical desktop. 

VDIs also require a heavy level of management and maintenance, which places a heavy burden for qualified IT staff where ongoing training and staff turnover can become problematic. To comply with HIPAA data encryption and data wiping tools may also need to be implemented and maintained. This can add to the management burden. 

 

Addressing the Risks Posed by Remote Access

Employees operating beyond the confines of the corporate network, leveraging personal devices to connect with sensitive business data, expose organizations to heightened security vulnerabilities. This necessitates addressing the expanded stack of identities and endpoints, requiring a comprehensive approach to secure, protect, and manage this multifaceted ecosystem. 

The core focus of securing remote access to corporate networks, implemented by most solutions, lies in managing the multitude of users and devices accessing sensitive data. By implementing robust solutions that facilitate increased cyber resiliency and remote access, organizations believe they can fortify their defenses. This entails mapping the intricate network of users and devices, enabling comprehensive visibility and control. Through this proactive management approach, organizations attempt to respond to emerging threats, ensuring that only authorized users and trusted devices gain access to sensitive data, regardless of their location or endpoint. This however is costly, resource intensive and has inherent security flaws.

 

The Solution to Remote Access Security Concerns

The problem with existing security strategies and solutions is that they focus on protecting devices and people, rather than a sharp focus on protecting the data. They also tend to require significant technology infrastructure upgrades or additions to implement the required secure zero-trust environment. 

Symmetrium revolutionizes this current approach by offering a device-agnostic low-resource solution that enables organizations to maintain their existing information and security technology infrastructure (and protocols?), while focusing on securing an organization’s data. 

This is achieved through the creation of virtual mobile devices (VMDs) that reside within the organization’s network perimeter, and integrate with established enterprise security protocols.  

Authorized remote and third-party users can securely access data using their own devices through Symmetrium’s VMDs. Leveraging P2P encrypted streaming, these VMDs enable users to view data without transferring it to external devices. This view-only functionality ensures that sensitive data never leaves the secure organizational network. 

By maintaining data within the protected perimeter, Symmetrium guarantees that information remains secure, mitigating the risk of data compromise or unauthorized access.

A Game-Changing Zero-Trust Solution

As organizations prioritize the implementation of zero trust, Symmetrium emerges as a game-changing solution. By offering virtual mobile devices that operate within the organization’s network perimeter and leveraging P2P encrypted streaming, Symmetrium ensures data remains secure and never comes to rest on external devices. This approach eliminates the need for extensive technology replacements, allowing organizations to seamlessly integrate Symmetrium within their existing infrastructure. 

With Symmetrium, organizations can confidently navigate the challenges of zero trust and embrace secure digital transformation, safeguarding their data against existing and emerging security threats, such as spyware, and maintaining a competitive edge in today’s evolving landscape.

Protect your workspaces from the ever-present threat of Spyware by creating a true zero-trust environment. Book a demo with Symmetrium here.

Why Enterprises Need To Rethink Their Approach To Third-Party Data Access

Posted on by Omer Cohen

Zero-trust security environments have a major problem — once a third-party user is approved and given access they can still wreak havoc, whether intentionally or not. A new, innovative solution using virtual mobile devices solves this flaw, creating the zero-trust environments needed to help highly regulated industries keep data private and protected.

The threat landscape organizations face is constantly in flux as new ways to access and compromise data evolve. But while many of these threats will emanate from adversaries, such as hackers and cyber criminals, giving third-party employees access to sensitive and confidential data is a growing security problem. 

Full-time staff can be clampdowned upon with strict security policies, but third party vendors many companies heavily rely upon are vastly more difficult to manage. The extent of this threat is underlined by the findings of the Intel471 threat intelligence report, which found that 51% of companies have experienced a data breach caused by a third party. 

Zero-trust strategies are a key defense against this growing threat, where a barrier is created around an organization’s IT assets and the default security posture is not to trust connections and grant the minimum of privileges. This requires all users and devices to be authenticated before they connect. 


The Flaw in Zero-Trust Environments

The problem, however, is that zero-trust policies are focused on protecting and managing users, and not the actual data. So when users are granted permission, the data they access using their mobile device sits on that device. There are, of course, endpoint data protection layers that encrypt or use data-wiping tools to digitally sterilize devices of sensitive data. But this happens after the user has had access to the actual data through their devices. This is highly problematic, especially in highly regulated sectors. 

Think of healthcare facilities, for example, where thousands of remote employees and third parties (from doctors to labs) constantly need to access highly confidential patient information, known as electronic protected health information (ePHI). The confidentiality, integrity, and availability of this data is highly regulated and any breach is subject to substantial sanctions and reputational damage. The failure to encrypt and protect mobile devices containing ePHI recently resulted in a $3 Million HIPAA (Health Insurance Portability and Accountability Act) penalty for a New York Medical Center after two reported data breaches occurred from a lost flash drive and stolen laptop

The financial services sector is also governed by strict data regulations, which place substantial pressure on securing remote and hybrid work environments given the adoption of bring-your-own-device (BYOD) practices. 

Power plants and large utilities, where thousands of third-party contractors conduct on-site maintenance all at once, are also highly susceptible to data breaches even though it is critical they keep their highly sensitive information secure. 

The one common feature and underlying security weakness linking all these sectors is their heavy reliance on giving third-party employees access to highly private and strictly regulated data. 


Problems With Current UEM Solutions

In an ideal world organizations would simply supply every vendor or contractor with a verified, secured and compliant device to maintain the integrity of their zero-trust environment. In reality, however, this is simply too time-consuming to manage and would slow down the productivity of third parties. Trying to implement security protocols on the devices of vendors and contractors is also problematic, as many of these will already be managed by the organization they belong to. 

For those organizations that have found a way to manage third-party devices, the onboarding and offboarding of these devices is a complex and time-consuming task for the IT department. This is because the current unified end-point management (UEM) solutions and strategies implemented by organizations lack the flexibility and low-resource approach to effectively manage high volumes of end points in a zero-trust environment to ensure data remains secure and they remain compliant. 


How to Effectively Ensure Secure Third-Party Access

The use of a virtual mobile device (VMD), a solution designed by Symmetrium, can now create the zero-trust environment needed to help highly regulated industries keep data private and protected, avoiding breaches and massive fines.

These VMDs are deployed to reside in, and become part of, the organization’s own IT environment. The result is a far easier life for CIOs and IT departments thanks to the less complicated management of zero-trust security environments for third party vendors because:

  1. Symmetrium’s VMDs become a virtual extension of all existing compliance safety and IT, offering a native experience and are seamlessly deployed.

  2. They immediately allow BYOD environments to become zero trust with custom end-to-end encrypted streaming and no data at rest, for everyone. This means that each mobile user is treated as an on-prem laptop, which they can control when and where users can access data.

  3. This minimum-resources mobile management solution needs very light operational requirements and delivers high security compliance demands that integrate smoothly into existing data access protocols. The result is the easiest onboarding and offboarding of third-party users with one single app. 

Even the most highly advanced data protection solutions and authentication protocols, still allow data at rest, thus making them vulnerable. This is where Symmetrium’s zero-trust data protection solution sets itself apart — data never leaves the confines of the organization’s network. It enables organizations to provide zero-trust mobile access with no data at rest. This allows productive collaboration with third-party vendors while dramatically minimizing the risk of data breaches. 

Isn’t it time you reconsidered your approach to third-party data access? Book a demo with Symmetrium here.

2023’s Potential Big Compliance Flaw — Bring-Your-Own-Device (BYOD) Policies

Posted on by Omer Cohen

Trying to safely manage a BYOD policy is a minefield of risks, which is why organizations are turning to an innovative zero trust mobile access solution to instantly resolve security flaws.

Almost 80% of US-based companies have used BYOD since 2018, but a growing number are discovering BYOD can often stand for “Bring Your Own Disaster.” This is because BYOD essentially extends the company’s network out into the world and exposes firms to risks related to client, employee, or corporate data. 

For most organizations the decision to implement a BYOD policy has lots to do with productivity and flexibility, but little to do with security. So while it can help organizations to be more efficient and effective, the security implications can quickly outweigh the benefits. Securing BYOD is a headache, and far more complicated and problematic than corporate-owned endpoints. This is why even the biggest corporations are at risk. 

 

Significant BYOD Data Breaches 

Global consulting firm, Deloitte suffered a substantial data breach in 2017, which was attributed to an administrator’s account being accessed after using an unprotected device. This impacted their email system and exposed highly sensitive client data, including that of the US Department of Defence. 

LastPass, an award-winning password manager, which saves passwords and gives secure access from every computer and mobile device, had its systems breached in 2022 after a hacker stole source code and technical information from a home computer belonging to one of the company’s DevOps engineers.

The growing culture of BYOD devices in healthcare is now also one of the biggest security threats facing the sector, according to the Cybersecurity and Infrastructure Security Agency (CISA).

 

Key BYOD Vulnerabilities 

 The underlying concerns of security professionals regarding BYOD deployment are data leakage (62%), users downloading unsafe apps or content (54%), and lost or stolen devices being compromised (53%), according to Bitglass’s 2021 BYOD Security Report

While many businesses have specific BYOD policies in place to guard against security vulnerabilities, enforcing them is problematic. This leaves organizations and their data at risk due to: 

Poorly secured Wi-Fi networks: When employees are working remotely using their own devices to connect to unsecured public Wi-Fi networks they can expose sensitive data to potential security threats. 

Not updating software: Personal devices may not contain the most up-to-date software and security patches. This can leave them vulnerable to hacking attempts. 

Unauthorized apps: Unknowingly downloading and using unauthorized applications on personal devices provides a significant threat of malware or spyware compromising company data. 

Sharing unsecured data: Sharing data using unauthorized messaging apps and personal email accounts can expose sensitive data to security risks. 

Data at rest: When an employee accesses confidential content in a BYOD environment, the data leaves the corporate network and rests on their device, even using the most advanced data protection solutions and authentication protocols.

 

The Solution for All BYOD Threats

Symmetrium’s zero trust mobile access solution has been designed to help organizations keep data protected in a BOYD environment. It works by the creation of virtual devices that reside within the organization’s own IT environment. 

When remotely accessed these virtual devices act as extensions of all organizational security and compliance policies using end-to-end encrypted streaming. The result is a completely native mobile experience with seamless deployment and management.

Corporate data is always accessed virtually using Symmetrium via the organizational network, and therefore at no time sits on the user’s actual device. The result is that data remains secure and is never put at risk.

With each mobile device acting as an on-prem laptop, it allows for full control over the data employees access and shields this data from any risks associated with the BYOD device being used to access it. 

This allows for minimum-resources BYOD mobile management via a central management console for all devices, OS and brands. All is integrated smoothly into existing security and GRC data access protocols through one single app. The result is organizations can finally be confident their data remains secure and protected at all times regardless of the device being used to access it. 

Isn’t it time you reconsidered your approach to BYOD? Book a demo with Symmetrium here.

 

close-tag

We’re proud to be the ones making TPRO, CISO, IT and vendors - happy

by ramping up zero-trust mobile access.

    or schedule a meeting