Tackling data security on the move

Almost one-third (31%) of travel buyers reported increasing concerns of threats to data privacy and security among colleagues who frequently travel, according to research conducted by the Association of Corporate Travel Executives and Global Business Travel.

Recent cyberattacks, including the high-profile ransomware attack that affected the UK’s National Health Service (NHS), have placed the integrity of corporate security measures and the risks posed to those people travelling for work firmly under the spotlight.

The primary objective of communication security is the preservation of the following requirements:

  • Confidentiality – only authorised staff are allowed to see or use the data communicated.
  • Integrity – the data is not changed during communication and cannot be modified by an unauthorised person.
  • Availability – there is sufficient bandwidth and enough time for authorised staff to access the data.

There are seven categories of threats, according to the US National Institute of Standards and Technology, which can prevent these requirements being met:

  • Denial of service: an attacker prevents the normal use or management of networks/network devices. This affects availability for authorised staff.
  • Eavesdropping: by passively monitoring network communications for data, including authentication credentials, attackers can compromise the confidentiality of communications.
  • Man-in-the-Middle (MITM): communications between two legitimate parties are intercepted by an attacker, who thereby obtains authentication credentials and data and can then masquerade as a legitimate party. This is a risk to both the confidentiality and the integrity of the network.
  • Masquerading: the attacker impersonates an authorised user and gains unauthorised access to data, affecting the integrity of communications.
  • Message modification: the integrity of the network is threatened when an attacker alters a legitimate message by deleting, adding to, changing or reordering it.
  • Message replay: an attacker passively monitors transmissions and retransmits messages, acting as if the attacker were a legitimate user, threatening the integrity of the site.
  • Traffic analysis: confidentiality is compromised when an attacker passively monitors transmissions to identify communication patterns and participants.

There are several techniques available to IT system designers to help them ensure their internal systems are protected. One of these is to ensure that secure protocols are implemented on all channels used to communicate with the system. We are probably all familiar with the lock symbol and "https" that replaces the "http" in the address box on our browser when purchasing goods online. What many will not know is that this indicates that a security protocol is being used on the communications channel between you and the web server.

This security, or cryptographic, protocol should carry out, at a minimum, the following functions:

  • key agreement or establishment;
  • entity authentication;
  • symmetric encryption and message authentication; and
  • secured application-level data transport.

The most commonly used secure protocols use asymmetric cryptography to authenticate the key exchange, symmetric encryption for confidentiality and message authentication codes for message integrity.
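The message-integrity part of such a protocol, and the way it defeats the "message modification" and "message replay" threats listed above, can be shown with a small worked example. The code below is an added illustration and is not from the original article or from Uni-Fi Global; it assumes a shared key has already been agreed by the protocol's key-agreement step (here it is simply generated in memory), and it uses only the Python standard library. Each message carries a sequence number and an HMAC-SHA256 tag; the receiver rejects anything whose tag does not verify (modification) or whose sequence number has already been seen (replay). Confidentiality, which the real protocols add with symmetric encryption, is deliberately left out to keep the integrity check visible.

```python
import hashlib
import hmac
import secrets

# Constructed example key. In a real protocol this comes from the key agreement
# step (e.g. the TLS handshake) and is never hard-coded or reused across sessions.
SHARED_KEY = secrets.token_bytes(32)

SEQ_LEN = 8    # bytes used for the sequence number header
TAG_LEN = 32   # HMAC-SHA256 output length


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: frame = seq (8 bytes, big-endian) || payload || HMAC tag.

    The tag covers the sequence number as well as the payload, so an attacker
    cannot move a valid payload to a different position in the stream.
    """
    header = seq.to_bytes(SEQ_LEN, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    """Receiver side: verifies integrity first, then enforces strictly
    increasing sequence numbers to detect replayed messages."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def verify(self, frame: bytes):
        """Return (payload, status) where status is one of
        'ok', 'malformed', 'modified' or 'replayed'."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None, "malformed"
        header = frame[:SEQ_LEN]
        payload = frame[SEQ_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]

        # Integrity: recompute the tag and compare in constant time.
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None, "modified"

        # Replay: only accept a sequence number we have not already passed.
        # Checked after the MAC so a forged header cannot advance the counter.
        seq = int.from_bytes(header, "big")
        if seq <= self.last_seq:
            return None, "replayed"
        self.last_seq = seq
        return payload, "ok"


def demo(key: bytes = SHARED_KEY):
    """Walk through a legitimate message, a replay, a tampered message and
    the next legitimate message; returns the list of receiver verdicts."""
    rx = Receiver(key)
    verdicts = []

    # 1. Legitimate message from the travelling employee's device.
    m1 = protect(key, 1, b"approve purchase order PO-1001")   # constructed payload
    verdicts.append(rx.verify(m1)[1])

    # 2. Replay: the same captured frame is retransmitted unchanged.
    verdicts.append(rx.verify(m1)[1])

    # 3. Modification: one bit of the payload is flipped in transit.
    tampered = bytearray(protect(key, 2, b"approve purchase order PO-1002"))
    tampered[SEQ_LEN] ^= 0x01   # first payload byte
    verdicts.append(rx.verify(bytes(tampered))[1])

    # 4. The genuine second message still passes.
    verdicts.append(rx.verify(protect(key, 2, b"approve purchase order PO-1002"))[1])

    return verdicts


if __name__ == "__main__":
    for step, verdict in zip(("legitimate", "replay", "tampered", "next legitimate"), demo()):
        print(f"{step:16s} -> {verdict}")
```

The strictly increasing counter is the simplest replay defence and is what record-layer protocols such as TLS use over a reliable transport; over a lossy or reordering transport a sliding-window check would be needed instead, otherwise delayed but genuine messages are dropped. The order of the checks matters: the tag is verified before the counter is touched, so an attacker who cannot forge tags also cannot cause the receiver to skip ahead and discard later legitimate traffic.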

When thinking about how your employees stay connected while travelling abroad, your chosen solution should use the encryption methods associated with wireless networks and mobile data. If procuring global roaming devices, they should piggyback on best practice in the telecommunications and internet industries, which would give a hacker little or no opportunity to gain access to an employee’s device and expose sensitive corporate data.

Importantly, a would-be hacker would have difficulty knowing where to start if there are no publicly available administrative interfaces to the back-end systems and no user interface to the roaming device itself.

Brendan McKenna is CTO of Uni-Fi Global. Uni-Fi Global provides roaming devices enabling secure 4G connectivity at local rates worldwide.

This contributed article has been written by a guest writer at the invitation of Procurement Leaders. Procurement Leaders received no payment directly connected with the publishing of this content.

Posted by Brendan McKenna