
Tackling data security on the move


Almost one-third (31%) of travel buyers reported increasing concerns about threats to data privacy and security among colleagues who frequently travel, according to research conducted by the Association of Corporate Travel Executives and Global Business Travel.

 

Recent cyberattacks, including the high-profile ransomware attack that affected the UK’s National Health Service (NHS), have placed the integrity of corporate security measures and the risks posed to those people travelling for work firmly under the spotlight.

The primary objective of communication security is the preservation of the following requirements:

  • Confidentiality – only authorised staff are allowed to see or use the data communicated.
  • Integrity – the data is not changed during communication and cannot be modified by an unauthorised person.
  • Availability – there is sufficient bandwidth and enough time for authorised staff to access the data.

There are seven categories of threats, according to the US National Institute of Standards and Technology, which can prevent these requirements being met:

  • Denial of service: an attacker prevents the normal use or management of networks/network devices. This affects availability for authorised staff.
  • Eavesdropping: by passively monitoring network communications for data, including authentication credentials, attackers can compromise the confidentiality of communications.
  • Man-in-the-Middle (MITM): communications between two legitimate parties are intercepted by an attacker, who thereby obtains authentication credentials and data and can then masquerade as a legitimate party. This is a risk to both the confidentiality and the integrity of the network.
  • Masquerading: the attacker impersonates an authorised user and gains unauthorised access to data, affecting the integrity of communications.
  • Message modification: the integrity of the network is threatened when an attacker alters a legitimate message by deleting, adding to, changing or reordering it.
  • Message replay: an attacker passively monitors transmissions and retransmits messages, acting as if the attacker were a legitimate user, threatening the integrity of the site.
  • Traffic analysis: confidentiality is compromised when an attacker passively monitors transmissions to identify communication patterns and participants.

There are several techniques available to IT system designers to help them ensure their internal systems are protected. One of these is to ensure that secure protocols are implemented on all channels used to communicate with the system. We are probably all familiar with the lock symbol and "https" that replaces the "http" in the address box on our browser when purchasing goods online. What many will not know is that this indicates that a security protocol is being used on the communications channel between you and the web server.

 

This security, or cryptographic, protocol should carry out, at a minimum, the following functions:

  • key agreement or establishment;
  • entity authentication;
  • symmetric encryption and message authentication; and
  • secured application-level data transport.

The most commonly used secure protocols use asymmetric cryptography for authentication of key exchange, symmetric encryption for confidentiality and message authentication codes for message integrity.
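As an added illustration (not part of the original article), the sketch below shows how a message authentication code combined with a sequence number lets a receiver reject the message modification and message replay threats listed above. The class names, frame layout and sample message are hypothetical; the shared key is assumed to have been agreed already, and encryption for confidentiality is left out because Python's standard library provides no cipher.

```python
import hashlib
import hmac
import os
import struct

TAG_LEN = 32  # HMAC-SHA256 output size in bytes


class Sender:  # hypothetical sending side of an integrity-protected channel
    def __init__(self, key: bytes):
        self.key, self.seq = key, 0

    def seal(self, payload: bytes) -> bytes:
        self.seq += 1
        header = struct.pack(">Q", self.seq)  # 8-byte big-endian sequence number
        tag = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        return header + payload + tag  # frame = seq || payload || MAC


class Receiver:  # hypothetical receiving side: verify the MAC, then freshness
    def __init__(self, key: bytes):
        self.key, self.last_seq = key, 0

    def open(self, frame: bytes) -> bytes:
        if len(frame) < 8 + TAG_LEN:
            raise ValueError("frame too short")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise ValueError("message modified or wrong key")
        (seq,) = struct.unpack(">Q", body[:8])
        if seq <= self.last_seq:  # a valid MAC on an old sequence number
            raise ValueError("message replayed")
        self.last_seq = seq
        return body[8:]


def demo() -> dict:
    key = os.urandom(32)  # constructed key standing in for an agreed session key
    tx, rx = Sender(key), Receiver(key)
    frame = tx.seal(b"pay invoice 1001: 250 EUR")  # constructed sample message
    results = {"genuine": rx.open(frame)}
    # An altered copy and an exact retransmission of the genuine frame.
    for name, f in (("tampered", frame.replace(b"250", b"950")), ("replayed", frame)):
        try:
            rx.open(f)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results
```

The MAC alone would accept the retransmitted frame, since its tag is genuine; the sequence number covered by the MAC is what makes the replay detectable.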

 

When thinking about how your employees stay connected while travelling abroad, your chosen solution should use encryption methods associated with wireless networks and mobile data. If you are procuring global roaming devices, they should piggyback on best practice in the telecommunications and internet industries, which would give a hacker little or no opportunity to gain access to an employee’s device and expose sensitive corporate data.

 

Importantly, a would-be hacker would have difficulty knowing where to start if there are no publicly available administrative interfaces to the back-end systems and no user interface to the roaming device itself.

 

Brendan McKenna is CTO of Uni-Fi Global. Uni-Fi Global provides roaming devices enabling secure, 4G connectivity at local rates worldwide.

 

This contributed article has been written by a guest writer at the invitation of Procurement Leaders. Procurement Leaders received no payment directly connected with the publishing of this content.

Posted by Brendan McKenna
