BYOD (bring your own device) threats are still often overlooked by businesses. Many small-business owners believe BYOD poses no threat to their company and have no interest in spending effort on mobile device security, while employees themselves think security is the responsibility of the business, a study by Kaspersky Lab has found.
With the study showing that two-thirds (62%) of business owners and employees worldwide now use personal mobile devices for work, BYOD is no longer a developing trend, but a widely accepted business practice. It affects companies of all sizes, from the very large (more than 5000 employees) to the small ones (fewer than 25 employees).
However, attitudes towards protecting data on mobile devices are far from an ideal security approach. The consumer security risks survey by Kaspersky Lab found that six in 10 (60% of respondents) are concerned about the threat of surveillance and information theft via mobile devices, but they do not actively protect themselves and rely on their employers to do so.
Meanwhile, employees often store work files on their personal notebooks, tablets and smartphones, keep work-related email messages on them, and sometimes even keep passwords to work email accounts and to corporate networks or VPNs there.
As for employers and small-business owners, a third (32%) see absolutely no danger in staff using personal mobile devices for work. The risk of data theft from an employee’s mobile device is not a pressing concern for them, so they do not pay much attention to it. However, representatives of larger businesses are more concerned about employees losing their mobile devices: 58% fear that the theft or loss of a device could damage the company.
This kind of attitude – on the part of both device owners and their bosses – opens up a serious vulnerability for a corporate network. This weakness can potentially be exploited by cybercriminals as well as by unscrupulous competitors. There is always a chance of suffering financial losses (for example, from a loss of client base), even if the general feeling is that a lost mobile device cannot cause any damage to the company. Protection of the mobile environment is becoming a critical component of security.
“It is increasingly rare to come across a business professional who doesn’t use their own mobile device for work. A laptop, tablet or smartphone enables you to do a large part of your business tasks remotely, from any global location.
“However, the loss of important corporate data via personal devices is a common occurrence, and a negligent attitude towards the security of mobile devices could pose a serious risk to a company’s business. That is why it is important to use a reliable dedicated solution that addresses all modern requirements and market trends, as well as to educate employees on possible threats and actions they should take in case they face them,” says Konstantin Voronkov, head of Endpoint Product Management at Kaspersky Lab.
Among the first steps organisations should plan in order to implement BYOD securely are to evaluate the use of personal devices for work and to choose a cyber-security solution that effectively protects them from malware and other cyber threats and allows easy management through a single console.
Another important step is to educate staff: for example, not to trust social engineering tricks (such as a fake phone call from a bank or the police asking them to read out the digits in a recently received SMS, which can be a real one-time password for a bank account or an Apple or Google ID), to check QR codes (which can lead to phishing web pages, for example if a fake image is glued over a real QR code), and to report the loss of a mobile device as soon as possible.
The organisation should have thoroughly developed scenarios for removing personal devices from the corporate network if they are lost or stolen, or if an employee leaves the company. A procedure should be developed beforehand for these cases to remove confidential corporate data from the devices and to block their access to the corporate network.