How Secure is Your Business Data on Your Employees' Personal Smartphones?


Si-lwli, a small family-run business in Wales, is arguably as niche a company as you can get. It makes toys, specifically talking toys that are used to promote the Welsh language. The market is small, with only some 300,000 Welsh language speakers in the world. You can probably gather that the goals and profits of Si-lwli are quite modest. In fact, the business is really more of a hobby for the husband-and-wife team, who both still have day jobs.

Yet, despite this passion project being successful in terms of sales, the business is fighting for survival after recently falling prey to cybercriminals. Emails between the business and Chinese factory suppliers were intercepted by hackers who altered the banking details in the correspondence, causing Si-lwli to hand over £18,000 (almost $23,000) to the thieves. A loss of $23,000 might not sound like much to a large enterprise, but to a small or medium business (SMB), it can be devastating.

This story, unfortunately, is not a one-off. While many people assume that hacking and cybercrime affect only big businesses and governments, they are wrong.

Consider another recent SMB hacking story that appeared in the Wall Street Journal. It concerned Innovative Higher Ed Consulting (IHED) Inc, a small New York startup with only a handful of employees. IHED didn’t even have a website, but fraudsters were able to run stolen credit card numbers through the company’s payment system and reverse the charges to the tune of $27,000. As the WSJ put it, the hackers completely destroyed the company, with its owners having to give up on their startup and move on to new projects.

Of course, hackers target governments or business giants like Google and Amazon, but small and medium businesses are certainly not immune. In fact, 67% of SMBs reported that they had experienced a cyberattack across a period of 12 months, according to a 2018 survey carried out by security research firm Ponemon Institute. Additionally, Verizon issued a report in May 2019 that small businesses accounted for 43% of its reported data breaches.

Smartphone cyberattacks and use for work both rising

Once seen as less vulnerable than PCs, smartphone attacks are on the rise, with movements like the Dark Caracal spyware campaign really underlining the allure of mobile devices to hackers. Last year, the Federal Trade Commission released a statement calling for greater education on mobile security, coming at a time when around 42% of all Android devices are said to not carry the latest security updates.

We are now entering an era when employees increasingly use their smartphones for work-related purposes. A 2016 study of global business trends, the Steelcase Global Report, showed that 26% of US companies provide employees with mobile phones, and another study by Syntonic said that 87% of companies expect their employees to use their personal devices for work-related activities. Going by smartphone trends, that number is likely to be much higher today.

The relevant question, then, is also a simple one: Are businesses – of all sizes – doing enough to protect against data breaches on their employees’ phones? The SME Cyber Crime Survey 2018, carried out for risk management specialists AON, showed that more than 80% of small businesses did not see a threat from cyberattacks or data breaches. Yet, as mentioned above, 67% of SMBs were said to have been victims of hacking. Either the numbers don’t add up or business owners are underestimating the threat from cyberattacks. A report released in 2019 by professional services firm PricewaterhouseCoopers suggests the latter, stating that the majority of global businesses are unprepared for cyberattacks.

In the second chapter, we are going to look at the causes of hacking, with specific reference to how employees’ use of devices can be a risk. In addition, we are also going to provide some useful tips to keep your business safe.

Why employees' devices are a business risk

It’s hard to imagine any business organization that does not use a computer of some kind, whether PCs, smartphones or tablets. For many, if not most, organizations, it’s all three, and while the devices are used to boost productivity and to do the actual business of the organization, employees’ and employers’ actions can leave a business vulnerable to attacks. Following are some of the common areas where employees’ actions and, indeed, employers’ actions can leave a business at risk.

Passwords and Verification

Using the same password on many accounts

So many of us do it – use the same ‘memorable’ password for email, social media and retail accounts – so is it possible we also use it for our work accounts? It seems only natural that employees who use memorable passwords for personal accounts might use the same passwords for work. In fact, the 2018 Verizon Data Breach Investigations Report stated that 70% of employees reuse passwords. If hackers get access to your employees’ personal passwords, it’s not a great stretch to assume the cybercriminals can use that information to get into their work accounts – and access your sensitive datasets.

Choosing weak passwords

It’s common knowledge that using weak passwords – 123456, password, your name, your favorite sports team – is an open invitation to hackers, but the recent Verizon research shows these insecure passwords are the cause of over 80% of all data breaches at companies.

Lack of a company passwords policy

As per the above, it’s smart practice to implement password policies. However, a 2017 study by OneLogin found that while IT organizations had guidelines around password complexity, nearly half neglected to require employees to follow up on those guidelines.

Not instituting two-step verification

It’s human nature to forget passwords especially when logging into rarely used applications, so some applications have instituted two-step verification (sometimes called two-factor authentication or 2FA) to make access more secure. The White House even led a campaign to inform businesses and consumers about 2FA.

Workstations and Smartphones

A workstation no longer means a desk in an office: it’s a smartphone being used in the back of an Uber car, a laptop in a coffee shop, or a tablet in an airport lounge.

Employees can install anything on their workstation

Wherever that workstation is situated, employees can potentially install applications that could be harmful to your business. This doesn’t have to be something major or done on purpose; it can be something as seemingly insignificant as clicking through an accidental download or opening a link in a phishing email.

Mixing private activities with work

Employees use their work phones and computers for personal purposes; that’s a fact. Yet the reverse is also true, as employees use their personal smartphones and home computers for work as well. Doing either can potentially expose an organization’s sensitive data to a breach. Social media is the most common distraction in the workplace. However, while social media sites might seem safe, consider that at one stage in its existence, Facebook was said to be experiencing 600,000 hacks per day.

No mainframe control

If your employee is using a smartphone for work, it might be the case that a certain level of mainframe control is lost, or perhaps there is no control at all. In short, your employees’ work activities might not have the same protections as they would when your team is sitting at a desk on a company-monitored PC.

Using unsecured public Wi-Fi

Many businesses not only encourage their employees to work remotely, but assume working from coffee shops, bookstores, and airports may boost productivity of the employee and the team. Unfortunately, though, many remote hot spots do not provide secure Wi-Fi. If your employee is accessing their work account on unsecured public Wi-Fi, the sensitive data of your business could be at risk.

Lost/stolen phones

If your employee uses a company smartphone, or simply has access to company data through a personal mobile device, there is always a chance your data could be in jeopardy with a lost or stolen device. Even information on those devices as basic to a telephone as clients’ addresses and phone numbers could put your company in peril.

The Human Element

While it can be assumed (and hoped for as well) that most businesses value and trust their employees, so too can it be understood that employees will not care about the security of the business as much as the owner does. As we discussed above, almost half of all business data breaches can be traced back to carelessness from employees. This isn’t to suggest malpractice or intent, but just an almost indefinable level of inattentiveness. Thankfully, there are solutions (listed in the next section) that can protect your business data from employees who do not apply the same level of diligence as you do.

Cyberattack threats that can affect your business

If employees are lax in their treatment of your company’s passwords, software and hardware (smartphones, tablets, computers), they open your business to the following types of threats:

Malware

Sometimes used interchangeably as a term for virus, malware is designed to harm and infect the host system, i.e. a smartphone, computer program or computer network. Usually, malware and other viruses are transmitted to smartphones when downloading malicious third-party apps, but they can come in other, seemingly innocuous forms, like XLSX, DOCX or PDF documents. The average cost to an organization experiencing a malware attack is estimated to be around $2.4 million.

Ransomware

A type of malware but one that is used by hackers to specifically take control of a system’s data, blocking access or threatening to release sensitive information unless a ransom is paid. Ransomware attacks are predicted to increase, and by the end of 2019, they are expected to occur every 14 seconds. Estimates of the cost of damages vary, but it’s generally accepted to cost billions of dollars per year.

Cybercriminals and hackers

Hackers employ sophisticated malware and ransomware to get access to a company’s private data.

Phishing

Phishing is the attempt by cybercriminals to obtain sensitive data – usernames, passwords, credit card details – usually through a phony email that has been designed to look legitimate. It could direct your employees to a fraudulent website or ask for the data to be emailed back directly. Most of us like to think we could recognize a phishing email when we see it, but these emails have become more sophisticated and can come through other forms of communication, like messaging apps.

Solutions you can use to protect your data

It’s easy to feel overwhelmed and helpless when facing the risk of cyberattacks, but you aren't powerless. Stopping cybercrime that impacts your data on your employees’ devices is crucial to combat the threat. To effectively halt hacking, phishing, ransomware and the like takes a combination of the following techniques.

Education and training of employees (and employers)

Do your employees know that they should use a VPN (virtual private network) before logging in via unsecured public Wi-Fi, especially if their smartphones hold sensitive company datasets? Is there a company policy on password security as part of overall security? Does that policy take into consideration potentially disgruntled former employees? There are many areas to cover, but above all, a culture of ‘respecting’ the risks posed by cyberattacks to a business must be fostered from the top downwards. That could mean anything from enforcing rules to offering regular training seminars on security, and even simulating a hack so employees understand the impact their actions can cause.

There are various ways in which your organization's data security procedures can be taught to employees, but, in terms of delivery of that message, creating consistent company security policies and helping employees understand why they are being implemented is often seen as paramount. Employees will respond better to – and learn more from – consistent practices, and they are more likely to, for example, carry out a security update on a company device if they know why it is important.

Securing servers and end user devices

There are several steps you can take to secure servers, including: installing firewalls, which can help you manage access to your software; using SSH (Secure Shell) keys, which can be used to authenticate your access to a server (basically, an alternative to password-based logins); and performing service auditing, i.e. testing the security features running on your server.
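To make the SSH-key point concrete, the script below is an added example (not from the article, ZoneAlarm or OpenSSH) that audits an sshd_config for settings that still allow password logins; the two sample configs it checks are constructed for the demonstration, and it assumes the plain "Keyword value" line form without Match blocks.

```shell
#!/bin/sh
# Added example: audit an sshd_config for settings that leave password logins open.
# Constructed for this article; not ZoneAlarm's or OpenSSH's own tooling.

# Effective value of a keyword. sshd honours the FIRST occurrence of a keyword
# (later duplicates are silently ignored) and keywords are case-insensitive;
# an unset keyword takes the OpenSSH default passed as the third argument.
# Assumes "Keyword value" lines; Match blocks are not handled.
sshd_opt() {
  _val=$(awk -v k="$2" '
    /^[[:space:]]*#/ || NF == 0 { next }
    tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
  printf '%s\n' "${_val:-$3}"
}

# Print one finding per line for a config file; prints nothing when clean.
audit_sshd_config() {
  _f=$1
  [ "$(sshd_opt "$_f" PasswordAuthentication yes)" = no ] ||
    echo "PasswordAuthentication: enabled; password logins can be guessed or phished, use keys"
  [ "$(sshd_opt "$_f" PubkeyAuthentication yes)" = yes ] ||
    echo "PubkeyAuthentication: disabled; key-based login (the alternative to passwords) is off"
  [ "$(sshd_opt "$_f" PermitEmptyPasswords no)" = no ] ||
    echo "PermitEmptyPasswords: enabled"
  case "$(sshd_opt "$_f" PermitRootLogin prohibit-password)" in
    no|prohibit-password|without-password|forced-commands-only) ;;
    *) echo "PermitRootLogin: root may log in with a password" ;;
  esac
}

# Constructed sample configs: the weak setting beside its corrected form.
weak_config() { printf '%s\n' \
  '# password logins left on, root allowed; the later "no" is ignored by sshd' \
  'PasswordAuthentication yes' \
  'PermitRootLogin yes' \
  'PubkeyAuthentication no' \
  'PasswordAuthentication no'; }
hardened_config() { printf '%s\n' \
  'PubkeyAuthentication yes' \
  'PasswordAuthentication no' \
  'PermitEmptyPasswords no' \
  'PermitRootLogin prohibit-password'; }

# Stand-alone demonstration: the weak config yields three findings, the hardened one none.
demo_dir=$(mktemp -d)
weak_config > "$demo_dir/weak"; hardened_config > "$demo_dir/hardened"
echo "== weak sshd_config =="; audit_sshd_config "$demo_dir/weak"
echo "== hardened sshd_config =="; audit_sshd_config "$demo_dir/hardened"
rm -rf "$demo_dir"
```

Run it against a real file with `audit_sshd_config /etc/ssh/sshd_config`; an empty result means every checked keyword is set to its key-only value.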

An End User Device (EUD) is essentially the piece of equipment – laptop, tablet, smartphone – that your employee (the end user) uses to complete their tasks. Securing it simply means following some of the advice laid out above – strong passwords, updated software, secure Wi-Fi, and so on. But often overlooked are simple things, such as remembering to log out or to turn off autofill after using a shared device. Obviously, securing a device also means using the latest software security solutions.

Buying and using security software

While having strong data security policies is important, securing your business with the latest cyber security solutions is perhaps the most integral policy of all. For example, the ZoneAlarm Mobile Security App could protect your employees’ smartphones against a range of outside threats, including the downloading of malware. With ZoneAlarm’s security installed, they can even use public Wi-Fi hot spots with confidence.

Mobile security solutions can ensure multi-level protection. If, for example, a smartphone containing sensitive data has been lost by an employee, there are tools available that allow administrators to wipe corporate data remotely. Having these so-called wipe functions is crucial if your employees have data sensitive to your business on their smartphones.

Anti-ransomware and anti-malware software should, of course, be installed on all devices – computers and smartphones – used for business. The famous WannaCry ransomware attack of 2017 was not a one-off event, and both ransomware and malware attacks are becoming more sophisticated.

In May 2019, the city of Baltimore’s computer system was hit by a ransomware attack, with hackers using a variant called RobinHood. The hack, which has lasted more than a month and is still on-going at the time of writing, paralysed the computer system for city employees, with the hackers demanding a payment in Bitcoin (an increasingly popular demand for hackers) to give access back to the city. It’s a stark reminder that cybercriminals are still a constant threat.

Conclusion

Smartphones in the workplace are regarded with differing opinions, with conflicting reports on whether they boost productivity or cause slackness. When it comes to security, however, it’s irrelevant. What’s important is that smartphones are in the workplace. With the lines increasingly blurred between how we work and where we work, mobile security and protecting your business data are of the utmost importance.

Glossary

Phishing

A play on the word ‘fishing’, phishing also tries to lure the unsuspecting to take a bite. It is the process of attempting to fraudulently acquire sensitive data, such as passwords and credit card numbers. Phishing is often attempted with bogus emails, but it can also be done through messaging apps.

Virus

A virus, or more specifically a computer virus, is malicious software that is designed to spread and modify computer programs. Viruses can be used with the specific goal of causing damage to the computer system or to allow hackers to take control of a system.

Malware

Malware – effectively malicious software – is an umbrella term for software that is designed to damage or disrupt a computer. Specific types of malware include spyware, trojan horses, and worms.

Ransomware

A type of malware, ransomware is a software virus that uses encryption to lock a user out of their system. It is used to extort money out of companies and individuals, with those behind the attack only giving access back (if at all) once a ransom has been paid.

Cyberattack

Any type of offensive action that is designed to unlawfully take control of files, a device, computer system, network, or server, etc. A cyberattack can be a single targeted action against a device, or an attempt to bring down the infrastructure of an organization or government.

Firewall

A firewall is a network security system that is designed to control the flow of data through a computer network. The idea is that the firewall will filter out non-trusted data when passing from one network to another.

Zero-day

A Zero-day vulnerability is a computer software flaw that is unknown to the software’s creators and leaves that software open to exploitation from hackers. This method of targeted hacking is called a Zero-day exploit.

Mobile Security

Mobile security, or mobile device security, is a broad field of security in mobile computing covering passwords, software, hardware, encryption, and so on. It has taken on a greater significance in light of the increasing amount of business and personal financial data now stored on smartphones.