Do you know how your enterprise apps store and interact with your data?
After the WannaCry ransomware attack we’ve shared how you can protect your corporate data and your network from such attacks.
But, this is not your only threat.
Every company uses different apps depending on its needs. Most of them require interaction not just with an internal database but with an external one too. This means the apps take your data through your corporate firewall, across the internet, and store it somewhere in a database you do not operate.
So, even if you secure everything in your own network and educate your employees about phishing and malware threats, what happens outside of your network is beyond your control.
HospitalGown: The Backend Exposure Putting Enterprise Data at Risk
What the security experts at Appthority found out and documented in their report was that
had been left exposed
According to their research “Apps with the HospitalGown vulnerability pose a direct risk to enterprises, opening them to an easy breach, exfiltration of sensitive data, and the costs from remediation, lawsuits, compliance infractions and loss of brand trust.”
What Seth Hardy, Director, Security Research at Appthority said was: “The HospitalGown vulnerability isn’t just theoretical, hundreds of apps are leaking terabytes of data, all due to simple human error – failure to secure the backend data stores. We recommend that, where possible, enterprises refrain from using apps that access or send sensitive information, particularly if the data is not encrypted in transit and at rest.”
Every new mobile app that uses a back-end platform for data storage or analysis is a potential source of risk if the data is not encrypted in transit or at rest in those databases. The threat lies in the backend infrastructure of the mobile application: because the exposure is at the administrative root level of the data store, the entire data set is open to theft, not just a single user's records.
These apps leaked some form of PII, including passwords, location, travel and payment details, corporate profile data (including employees' VPN PINs, emails and phone numbers), and retail customer data. This exposure leaves the data open to unauthorized access and enables spear phishing or brute-force authentication attacks against the affected customer organizations.
What to do?
To improve your enterprise's security against this kind of vulnerability, Appthority, as mobile security experts, suggest:
- Only keep the apps you use, so that you know which ones have access to your data. Remove every app that you don't use from your network so that it stops storing or accessing sensitive data. This applies not only to apps on employee devices but also to enterprise apps available via enterprise app stores.
- Review your apps and compare them with the Appthority findings. If you have to keep using some of the affected apps, request data encryption so that the data is transferred and stored securely.
- Request an official document about where your data is stored and get it secured following best practices for the backend platform. Request that they limit the amount of personal information or site credentials stored on backend databases to the minimum needed for app functionality, and protect the data via encryption.
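The two controls recommended above (store only the minimum data the app needs, and encrypt it so an exposed backend holds nothing readable) can be combined in code. The following Go program is an added example written for this page; it is not code from Appthority, from any of the apps in the report, or from Secure Swiss Data. The `Record` fields, the key handling and the sample values are assumptions for illustration. The app encrypts a minimized record with AES-256-GCM under a key the backend never receives, so a database left open at the administrative level yields only ciphertext, and any tampering with a stored blob is detected on decryption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

// Record is a constructed example of the kind of profile a mobile app might
// sync to a backend store. The field names are assumptions for this example.
type Record struct {
	UserID   string `json:"user_id"`
	Email    string `json:"email,omitempty"`
	Phone    string `json:"phone,omitempty"`
	VPNPin   string `json:"vpn_pin,omitempty"`
	Location string `json:"location,omitempty"`
}

// Minimize keeps only the fields the (hypothetical) app feature needs, here the
// user id and e-mail. Credentials and location never leave the device.
func Minimize(r Record) Record {
	return Record{UserID: r.UserID, Email: r.Email}
}

// Seal encrypts a record with AES-256-GCM under a key held by the app, so the
// backend stores only ciphertext. Output layout: nonce || ciphertext+tag.
func Seal(key []byte, r Record) ([]byte, error) {
	plaintext, err := json.Marshal(r)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts and authenticates a blob produced by Seal. A wrong key or a
// modified blob fails GCM authentication and returns an error.
func Open(key, blob []byte) (Record, error) {
	var r Record
	block, err := aes.NewCipher(key)
	if err != nil {
		return r, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return r, err
	}
	if len(blob) < gcm.NonceSize() {
		return r, errors.New("stored blob too short to contain a nonce")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ct, nil)
	if err != nil {
		return r, err
	}
	return r, json.Unmarshal(plaintext, &r)
}

// LeaksPlaintext reports whether a stored blob still contains a sensitive
// value in the clear, i.e. what an exposed data store would reveal to a reader.
func LeaksPlaintext(blob []byte, secret string) bool {
	return bytes.Contains(blob, []byte(secret))
}

func main() {
	// In practice the key comes from the platform keystore and is never stored
	// next to the data; a random key is generated here for the demonstration.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	full := Record{UserID: "u-1001", Email: "alice@example.com", Phone: "+1-555-0100",
		VPNPin: "482913", Location: "47.37,8.54"} // constructed sample values
	blob, err := Seal(key, Minimize(full))
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d bytes; e-mail visible in store: %v; VPN PIN visible: %v\n",
		len(blob), LeaksPlaintext(blob, full.Email), LeaksPlaintext(blob, full.VPNPin))
	back, err := Open(key, blob)
	fmt.Printf("decrypted on device: %+v (err=%v)\n", back, err)
}
```

The point of the split is that the backend operator, or anyone who finds the database open, only ever sees the output of `Seal`; the fields dropped by `Minimize` cannot leak because they are never uploaded, and everything else is useless without the device-held key.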
Secure Swiss Data was established to keep your communications encrypted
Secure Swiss Data, with its fully encrypted email and data services, encrypts your data starting on your side, keeps it encrypted on our servers and delivers it encrypted to the end recipient, so there is no possibility that your private or corporate data can be exposed.
The amount of personal information we store on our servers is limited to a minimum and is always protected with encryption. Because your information on our servers is encrypted, even we cannot read it.