The use of mobile technology is continuing to rise, especially in emerging markets. India is expected to have about 185 million people accessing the Internet through mobile devices as of April 2014, up from about 110 million at the end of October 2013. In addition, Brazil was named by IDC as one of the top five markets for smartphone shipments in the world. Between 2013 and 2017, the company predicts Brazil's market growth will be 129%.
As trends such as machine-to-machine (M2M) connectivity, smart devices, social networks and cloud migration progress, there is a growing concern around the compromise of privacy and data security. Even government and commercial organizations are threatened by sophisticated intrusion tactics.
In emerging markets like Brazil, there is a high conversion ratio from poor to middle class that has added to the consumption of technology, primarily internet access through smartphones. Online channels have grown due to this new population; however, there is a lack of security best practice awareness and little government enforcement of security policies on institutions due to lack of budget. This has resulted in more hackers taking advantage of the ‘newbies’ by launching many phishing attacks. One example of this is Banco Do Brasil's phishing attack, which resulted in five million customers being able to see other customers’ private information, such as balances and banking statements. The security incident was caused by inconsistency and intermittence of customer information while updating the bank’s mobile application. Instances like this have landed Brazil as one of the countries with the highest malware site rates in the world. Other countries on this list are South Korea and Turkey.
Even with the high threat of malware, the Brazilian population continues to use smartphones and computers for banking and e-commerce sites, with little to no security knowledge or protection built into their devices. To improve security at the different levels and increase information security, three changes need to occur.
General Population Awareness of Security Best Practice
Many of us share our personal information online without taking into account how it is managed or what policies govern its use. From social networking to cloud computing to e-banking, our online footprint is there for anyone to access.
Currently, there is a lack of technology evangelization and awareness, which leaves consumers and businesses open to security attacks. There needs to be a general population awareness of security best practices. We need to educate populations in emerging markets on how to add security software to their mobile devices, PCs and laptops and what security symbols they need to be aware of when logging into their bank accounts or making a purchase on an e-commerce site. Knowing what to look for and how to protect yourself is one of the best ways to deter threats.
On the other end of the spectrum, companies providing the mobile devices, social network or e-commerce site need to include basic security considerations in their products and/or services, such as privacy, authenticity, integrity, and non-repudiation. Although industry standards and regulations require companies to address these security issues, there are still large gaps in ‘security consciousness’ that need to be realized during product conception and development.
Stronger Government Policies Help Avoid Security Breaches
In Brazil and South America in general, there are lower overall government budgets, which result in minimal security awareness initiatives for the population. In addition, low budgets mean few security-related standards and little regulation/enforcement of finance institutions and other organizations, as well as little security knowledge among those drafting and enforcing the policies. It is an endless cycle of not enough knowledge and not enough security.
If government budgets were increased and spending was dedicated to security awareness, the countries on the high malware list (determined by the number of computers reporting detections and removals by Microsoft desktop anti-malware tools) could improve security on many different levels. Companies, governmental bodies, finance institutions and other organizations could not only avoid costly security breaches, but could also properly decide how to address threats in real time.
Incorporating Product Security Helps Deter Threats
Currently, there is a lack of security awareness and implementation in mobile devices, social networks, banking and e-commerce sites, to name a few. However, by incorporating secure product development as an aspect of product quality and having an organizational commitment to digital defense, products themselves will meet the required levels of security, helping to deter threats and mitigate phishing and malware attacks.
That said, it is also critical to ensure that the personnel involved in development have adequate professional knowledge to ensure that basic security considerations are incorporated.
With the global increase in the use of smart devices, and as M2M connectivity, social networks and cloud migration continue to progress, we will not only see the demand for security-related products in emerging markets rise, but commercial and enterprise products will themselves need to be designed with security as an important consideration. By incorporating an added layer of security in a mobile device or website, companies will help emerging markets like Brazil and Turkey lower their malware site rates and increase their products’ value and preference within these countries.
Juan Manuel Caracoche is CTO, Latin America, for GlobalLogic and serves as a Professor of Cryptography and Information Security at Universidad de Buenos Aires in Buenos Aires, Argentina. He also proposed a security improvement to the OLSR protocol for mobile networks in his book Secure Mobile Networks in Urban Environments. He is a technology fan, passionate mountaineering lover and hobbyist photographer.
Tzvi Kasten is GlobalLogic’s associate VP of Business Development and leads the company’s Security Practice Organization. Kasten has a rich background in the development of embedded systems and management of multimedia, communications and network software projects. He held the position of CTO at InterObject until it was acquired by GlobalLogic. Kasten previously served as R&D director at VCON, where he managed the development of the company's PC-based video conferencing product line as well as all IP-based technologies. Prior to that he worked as a senior team leader with Telrad Networks, where he managed the development of telecom products for Nortel Networks. Kasten holds a BSc (with honors) in applied computer science and technology from the Jerusalem College of Technology in Israel.