Organization Warns that Poor Governance over Geolocation can be Disastrous
In a recently released white paper, ISACA has offered a general overview of the issues surrounding corporate and consumer privacy when it comes to mobile geolocation services. In addition, the organization has offered a simple mnemonic, aptly named ROUTE, to help consumers and employees address privacy and safety concerns.
According to ISACA, geolocation services offer a wealth of benefits to the business world, which has made them popular within the enterprise. For example, location-based data can be used for direct marketing and context-sensitive content delivery, monitoring of criminals, enforcing location-based access restrictions on services, cloud balancing, and fraud detection and prevention.
On the other hand, such data collection raises questions about privacy, specifically about business practices around the collection and use of PII (personally identifying information).
“This raises several questions of concern for the user, such as how their location data are being used, with whom the data will be shared, whether there will be onward transfer of the data, and the timeline for data retention and destruction,” the white paper comments.
“The amount and the nature of individual and corporate information available to potential hackers would allow targeted attacks that are difficult to prevent, detect and manage. In addition, each user’s personal information, including race, gender, occupation, and financial history, has significant financial value. Therefore, location information is particularly of high value. Information from a GPS and geolocation tags, in combination with other personal information, can be utilized by criminals to identify an individual’s present or future location…”
Again, while all of the geolocation data collected has tremendous value, the risk that comes with its collection and storage should be a topic of concern to business leaders. This is why ISACA is encouraging organizations to think carefully about their geo-marketing practices, to the point of considering their current privacy policies and whether they accurately reflect the collection and use of geolocation data.
“There is a growing consensus that geolocation data should be classified as sensitive due to a number of concerns such as transparency about data collection practices, solicitations made based on geolocation data obtained without the user’s consent and physical safety stemming from the misuse of information that can identify a user’s current (or future) physical location,” the ISACA notes.
For example, consider the use of geolocation data in a phishing attack. As the white paper points out, “attacks to an individual’s e-mail or mobile device are targeted and are, therefore, highly effective at soliciting a response acknowledgment from the victim.”
In phishing, all it takes is one person opening an attachment or accessing a link for the attack to work. ISACA’s point is that geolocation data can help craft messages, giving an attacker accurate and granular information with which to get a target’s attention.
Those with concerns, including consumers and employees within an organization, need only remember a single word to protect themselves: ROUTE.
Translated, ROUTE covers the following practices:
• Read mobile app agreements to see what information you are sharing.
• Only enable geolocation when the benefits outweigh the risk.
• Understand that others can track your current and past locations.
• Think before posting tagged photos to social media sites.
• Embrace the technology, and educate yourself and others.
“We live in a mobile world and geolocation is here to stay. It brings obvious benefits both to individuals and enterprises, but if not managed properly the associated risk will be substantial,” said Ramsés Gallego, a member of ISACA’s Guidance and Practices Committee.
“It directly impacts individuals’ and enterprises’ privacy and confidentiality, and the consequences of poor governance over geolocation can be disastrous.”
The white paper is available here.
