The survey, conducted amongst 250 senior executives in both medium and large organisations, showed that respondents regularly discuss financial information (78%), employee data (66%), IP (51%) and commercial secrets (50%), yet the majority of these conversations are unprotected, even though over 80% of respondents believe mobile phones to be as vulnerable as e-mail communications, if not more so. Of those who admitted to regularly discussing sensitive information, 80% believed that this information, if leaked, would have a major impact on the organisation.
In addition to other interception methods such as man-in-the-middle scams and on-device taps, the threat of mobile voice interception has intensified recently with the cracking of encryption on GSM mobile phone calls. In December, the Chaos Computer released the GSM Codebook, a large lookup table of pre-generated GSM encryption keys which allows hackers to rapidly crack A5/1 – the encryption standard for GSM mobile phone call security. Just two weeks later, leading cryptographer Adi Shamir published a white paper detailing a practical method for cracking the next-generation encryption standard, A5/3, in less than two hours.
“The inherent insecurities of GSM encryption have been well publicised, even though most governments and enterprises have been aware of this threat for a while,” said Simon Bransfield-Garth, CEO of Cellcrypt. “However, this research shows there is still confusion out there about whom, when and how people should be protected from this threat. Organisations need to start taking serious steps to consider coherent security strategies that protect multiple weak spots against attack. This work needs to start sooner rather than later as standard GSM encryption becomes unreliable and open to easier interception within the next six months.”
Despite 92% of respondents considering it the organisation’s duty to provide employees with mechanisms to protect information or their own personal safety when travelling to high-risk areas, several admitted confusion over who was responsible, with Heads of IT, Security, Networking and Operations all being assigned responsibility**.
“Despite sometimes being viewed as something for the movies, crimes such as corporate espionage, kidnap for ransom and extortion by organised criminals can and do happen,” commented Stuart Quick, Operations Manager at Henderson Risk Limited. “Mobile voice interception is one way in which these crimes can be facilitated. The increasing interception risk underlines the need for organisations to adopt a robust approach to securing these calls, especially when the senior managers in departments such as finance and legal are prime targets.”
*When asked whether senior managers in key departments use voice call encryption solutions for mobile phone voice calls, the survey found that just 13.5% of financial, 17.1% of legal and 18.3% of research and development departments had solutions deployed.
**When asked who in their organisation is responsible for ensuring the security/preventing the interception of voice calls, 53% responded the Head of IT, 21% responded Security, 7% responded Networking and 6% responded Operations.