Asset Management

Mobile Security & BYOD: Employees are a bigger threat than cybercrime

It is so much easier to fear the enemy—intentional or accidental—outside the gates than those which stand within them.

By
Nicolas
Poggi
April 12, 2018

Unfortunately, it seems that many of today's CTOs, as well as business owners themselves, do in fact feel far warier of the risky behaviors—and sometimes flat out bad intentions—within their organization than they feel regarding anonymous hackers and othercyber-criminals when it comes to mobile security.

As a matter of fact, Verizon's Mobile Security Index 2018 shows that, of companies polled,"79% said that they considered their own employees a significant threat."

CTOs definitely lose sleep about externally rootedcybercrimefrom bad actors like politically-motivated hacktivists, who somehow feel they have an ax to grind with a company. However, it is far more insomnia-inducing to worry about their own employees and how they have the ability to expose the company to the same risks as professional hackers out in the wild.

What the Research Says

Almost30% of participants in Verizon’s 2018 Mobile Security Index stated employees are the actors they are more concerned about, followed by hacktivists, criminals, state sponsored attacks and partners.

Additionally,39% of respondents whose organizations use employee-owned devices ranked them as their #1 concern. 76% ranked them in their top three.

However, the report states that, “despite broad agreement that the potential risks are serious and growing, most companies are not well prepared”.

Most respondents thought their company’s mobile security measures were somewhat effective,butonly one in seven were ready to go as far as saying they were very effective.

With a lax attitude toward mobile security measures or even a dose of malfeasance, an employee can leave a business open to the same risks that result in potentially devastating malware and ransomware attacks from professional hackers on the outside.

Numbers Don't Lie: Employees Often Compromise a Perfectly Good System of Mobile Security Measures

PWCshares that, while data breach incidents attributed to outside hackers have reduced, internal threats—including suppliers, consultants, and contractors—have stayed about the same, or they have increased.

The number now stands at about 30% when it comes to current employees who are the source of security incidents.

The Reasons That Employees Pose aCybercrime Risk Vary

It is difficult to understand why an employee would leave their company exposed to risks when their relationship is intended to be founded on a certain mutual trust.

A few possible reasons to consider include, perAdvisen:

           
  • Low company morale.
    •        
  • Ignorance of mobile security measures.
    •        
  • A moment of haste that leads to missed steps.
    •        
  • Lack of full understanding of technology policies, whether due to inattention, carelessness or incomplete training.
    •        
  • Disgruntlement over any number of possible slights, real or imagined.
    •        
  • Sometimes it all boils down to simple greed—if an employee comes across an ethically questionable opportunity, and lacks the moral character to deny it, trouble may come calling.

BYOD Blurs the Lines Between Ownership and Control

It is an attractive proposition for CTOs –as well as CFOs and CEOs– to skip the step and cost of purchasing mobile devices for employees. But, as is the case with most things that seem too good to be true, there is a downside to the BYOD revolution.

When the employee controls the device, it is simply more difficult for the CTO to enforce crucial mobile security measures, such as ensuring anti-virus protection and data encryption or making sure that necessary patches and updates are applied in a timely manner.

Additional risky or concerning behaviors that employees engage in when it comes to BYOD—or even on company-owned devices that employees keep with them 24/7—include:

           
  • Downloading mobile apps
    •        
  • Visiting questionable websites; at least in terms of company policy
    •        
  • Using the company's networks in improper contexts

What Are CTOs Missing When It Comes to Employee Risk and Mobile Protection?

There are some factors that CTOs and their companies cannot really control, such as a person's choice to perform an intentionally illegal activity. But there are other aspects that CTOs can catch up with in order to course correct:

           
  • Most employees don't know that the company has a mobile security policy.
    •        
  • Even if aware, employees don't usually know the specifics of this security policy.

Additionally, most employee respondents shared that they received some type of mobile technology policy training, along with a written policy, as part of their onboarding experience or upon receipt of a company-purchased device, but that was as far as it went.

All of these issues are manageable and correctable. What's more, their solutions can go a long way towards improving employee mobile security awareness and protecting business interests with more knowledge and personal investment.

It Comes Down to...

Creating a Mobile Technology Policy That Employees Understand and Help Maintain

One of the best things that a CTO can do to improve employee adoption of strong mobile security practices is to regularly reinforce how serious the matter is to employees. It sounds simple enoughbecauseit actually is pretty simple.

As long as companies have developed a strong mobile security policy and consistently communicate its value to their team, the business is on track to getting employees fully on board to help maintain strong mobile security practices.

Adopting a Unifying Solution to Simplify Mobile Application Management

In addition to encouraging employees to become a part of the mobile security solution, companies that adopt an automated readiness solution can quickly detect risk-laden mobile apps to minimize possible malware exposure and damage.

The emerging technology that provides this option is known asmobile application management, and it gives IT the ability to adjust security settings for each user or application.This solution is also a great way to let CTOsget a good night's rest again.

Awareness is your greatest ally when it comes to regulating user-generated risk, keep your team informed and up to speed at all times!

About the author
Nicolas
Poggi

Nicolas Poggi is the head of mobile research at Prey, Inc., provider of the open source Prey Anti-Theft software protecting eight million mobile devices. Nic’s work explores technology innovations within the mobile marketplace, and their impact upon security. Nic also serves as Prey’s communications manager, overseeing the company’s brand and content creation. Nic is a technology and contemporary culture journalist and author, and before joining Prey held positions as head of indie coverage at TheGameFanatics, and as FM radio host and interviewer at IndieAir.

On the same issue

The future of device lifecycle management in K-12 schools

The world of K-12 education is evolving rapidly, especially in the post-pandemic, remote-forward world. Technology plays an increasingly pivotal role in learning.

January 19, 2024
keep reading
Technology needs assessment for schools

Learn how to perform a technology needs assessment for your K–12 institution. Make a plan for proper device management for your school.

December 20, 2023
keep reading
A guide to K-12 device lifecycle management

Discover how K-12 institutions can improve device lifecycle management to transform the use of technology and enhance the learning process.

December 16, 2023
keep reading
Device security and cyber security in K-12: tips for IT teams

Boost device security and cyber security in k-12 schools using IT best practices, tools, and strategies to ensure a safe digital learning space.

December 16, 2023
keep reading