As our reliance on digital technology continues to grow, so does the threat from scammers, hackers and cybercriminals. Yet we have become so used to the benefits of tech making our lives easier that we can get complacent and careless about the risks.
The growth of mobile use in business has left many companies even more vulnerable to attacks, particularly due to the rise of bring-your-own-device (BYOD) culture and an increase in remote working.
With the average cost of a data breach in 2020 coming in at $3.86 million, it’s vital to protect your organization. It’s no longer enough to invest in security solutions – you also need to provide comprehensive training to all employees. This means anyone using their mobile for work is educated about potential risks and better-placed to spot any vulnerabilities.
While your security protocols have to be efficient, it also helps if they are easy to understand. If something is hard to follow and cuts into productivity, it is less likely to become a seamless part of everyday work.
Here are 5 key things to remember when providing mobile security training.
1. Mobile security should be part of the culture
The main aim of any training program is to change the company’s culture. In this case, every employee should learn to take the threats seriously. Protection should feel like everyone’s responsibility, not just the IT department.
And this really means everyone – lower-level employees need to see that those in higher positions are setting an example by following the protocols.
96% of phishing still happens via email, but employees should also be trained to recognize threats from other sources. Phishing via SMS (known as “smishing”) and voicemail (“vishing”) are high priorities for current attackers, and it’s smart to raise awareness of the risks.
Train employees to look at the company’s current security from an attacker’s point of view – what gaps might they see and take advantage of? Which technology is most at risk? For example, you could run test scenarios with your IVR (interactive voice response) system or online booking software and learn the warning signs to look out for.
As well as staying alert to potential threats, employees should get into the habit of reporting any concerns immediately to your IT department, even if they seem insignificant. Aim to develop a culture where employees take personal responsibility and look out for one another – the managers shouldn’t have to watch them at every moment.
2. The biggest threat comes from BYOD
Over the past few years, the practice of employees bringing their own devices to work (BYOD) has added a whole new level of threat. While your IT department used to only be responsible for organization-owned devices, they now need to be aware of additional systems.
Employees will use these devices at home for remote or out-of-hours working, meaning you can’t just rely on monitoring in-office behavior. Combined with the increased likelihood of personal use, this can make threats much harder to detect.
If staff are downloading non-work-approved apps, it can add extra risk, as they may inadvertently introduce malware. Meanwhile, their personal Bluetooth devices like smartwatches or Fitbits could pose a threat even if they’re not being used for work.
Many devices may be out of date when it comes to upgrades and patches, so your company needs to make sure its own security net is strong enough to encompass these. The IT department should set up and maintain an inventory of all devices being used, to make it easier to track what’s being used when and where.
Attackers are now prioritizing users on mobile devices. Many employees receive work emails and messages on their phones at all times of day and night, while those who provide website maintenance or backend support may do most of their work outside normal office hours.
It’s easy to stop paying full attention and let something slip through. Therefore, training programs should ensure that employees are aware of these specific threats, and demonstrate that they must not let their guard down just because they have left the office.
3. Company-owned devices are at risk, too
We’ve covered the threats from BYOD. But employees need to remember that company-owned devices can be compromised, too – even when they’re being used in the workplace.
In fact, any device that connects through wi-fi, Bluetooth, or additional systems such as order management software presents a potential problem. Train your employees to be aware of the risks to accessories such as point of sale systems, headsets and webcams.
Meanwhile, if organization-owned devices are handed over with full permission and admin capabilities, employees could unwittingly install malicious software or engage in risky behavior. It’s better to limit employee permissions as well as providing training, just to avoid these issues.
Employees who use company devices and software are not the only ones who require training. Whoever is in charge of purchasing digital technology for your company should be able to research available products to make sure they’re trustworthy.
4. Targeted training pays off
As well as providing company-wide training, it also pays to focus on employees whose behavior puts them most at risk of causing a breach. You could search logs from mobile device management systems, anti-malware tools, email security gateways and web proxies to spot who is testing the access blockers or regularly encountering malware.
One report suggests that 15% of people who are successfully phished will be targeted at least one more time within the year. Individual discussions with repeat offenders will help them understand the risks they are taking and the potential costs to the business.
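One way to run the log search described above, as an added example that is not part of the original article: it merges events from the four log sources and lists users whose blocked-access attempts or malware detections repeat over several days. The event tuples, field layout, event type names and thresholds are assumptions constructed for this sketch.

```python
from collections import defaultdict

# Constructed sample events (user, source, event type, day), assumed to be
# already normalized from MDM, anti-malware, email gateway and web proxy logs.
EVENTS = [
    ("akhan", "web_proxy", "blocked_access", "2021-03-01"),
    ("akhan", "web_proxy", "blocked_access", "2021-03-02"),
    ("akhan", "mdm", "blocked_access", "2021-03-04"),
    ("akhan", "antimalware", "malware_detected", "2021-03-08"),
    ("bliu", "web_proxy", "blocked_access", "2021-03-03"),
    ("bliu", "web_proxy", "blocked_access", "2021-03-03"),
    ("bliu", "web_proxy", "blocked_access", "2021-03-03"),
    ("cdiaz", "email_gateway", "malware_detected", "2021-03-02"),
    ("cdiaz", "antimalware", "malware_detected", "2021-03-09"),
    ("cdiaz", "email_gateway", "malware_detected", "2021-03-15"),
    ("dsmith", "mdm", "device_checkin", "2021-03-01"),
    ("dsmith", "antimalware", "malware_detected", "2021-03-05"),
]

# Event types that count toward targeted training (assumed names).
RISK_TYPES = {"blocked_access", "malware_detected"}


def risk_summary(events):
    """Per user: number of risky events, the sources that saw them, active days."""
    summary = defaultdict(lambda: {"total": 0, "sources": set(), "days": set()})
    for user, source, event_type, day in events:
        if event_type not in RISK_TYPES:
            continue  # routine telemetry such as device check-ins
        entry = summary[user]
        entry["total"] += 1
        entry["sources"].add(source)
        entry["days"].add(day)
    return summary


def training_candidates(events, min_events=3, min_days=2):
    """Users with repeated risky events spread over at least min_days days.

    The day spread keeps a single burst (one page triggering several proxy
    blocks) from being treated as a pattern of behavior.
    """
    flagged = []
    for user, entry in risk_summary(events).items():
        if entry["total"] >= min_events and len(entry["days"]) >= min_days:
            flagged.append((user, entry["total"], sorted(entry["sources"])))
    return sorted(flagged, key=lambda row: (-row[1], row[0]))


if __name__ == "__main__":
    for user, total, sources in training_candidates(EVENTS):
        print(f"{user}: {total} risky events via {', '.join(sources)}")
```
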
In the event of a security breach or a near-miss, don’t just retrain the employee who’s responsible. See it as an opportunity to retrain everyone, to reiterate the importance of mobile security – and point out that an honest mistake could happen to anyone, which is why everyone must always be on their guard.
Don’t forget about those employees who work from home or at different premises. Video calls are a great way to deliver training remotely. It goes without saying that you should make sure any training program is engaging and fun, otherwise employees will get bored and zone out. Some ideas include:
- Delivering a series of shorter sessions rather than one long lecture
- Targeting small groups instead of addressing the whole company
- Working on role plays with individuals or groups
- Using gamification to make learning fun
- Ensuring the content is relatable to real-life situations
You could also add digital security performance to employee appraisals, as another way of keeping an eye on who’s following the rules. Tools like WFO solutions (workforce optimization solutions) are useful for tracking employee performance and training.
5. Keep communicating!
Communication is key – you should let all employees know how your security upgrades work and why they are so vital. It’s particularly important that they understand why you need to protect their personal devices. This can avoid it being seen as an infringement when you track their device or disable actions.
Basically, you need employees to ‘buy in’ to the mobile security being deployed by your company. Walking users through the process and what it means will reduce user error. It also helps employees feel important enough to be trusted with the full information, creating a collaborative feel throughout the business.
This also applies to employees’ knowledge of how the different technologies actually work. If they understand this, they will be better placed to look for threats and to reassure customers about security measures. For example, if you’re switching to VoIP instead of landline, they should be able to answer basic questions like ‘how does voice over IP work?’, ‘what encryption is used?’ and ‘what are the key security risks of VoIP?’
It’s important to stay in contact with your remote team, as they may be less likely to remember the protocols when working outside the office environment. It’s also harder for managers to monitor them without the benefit of in-office conversations.
In between the training sessions, keep up regular and consistent communication. Don’t just send out vague emails about patches or upgrades – always explain how any new mobile security features will be beneficial to the employee and the business.
Remember that potential attackers are always working on new ways to trick you, so it’s a constant battle. But if the worst does happen, there are device security solutions you can have in place ready for that day – such as remotely wiping data or retrieving information from a lost device.
To create and maintain a mobile security culture across the business, make sure every employee and every department is involved. As well as providing training, ask for regular feedback – what do employees think the risks are? Pair this with your own assessment and that of any security consultants you bring in. Make use of effective performance management tools to keep track of things.
Overall, this will help employees feel like they are really contributing something valuable to the business, which in turn will stimulate motivation, productivity and a more positive attitude.
Author Bio: Richard Conn – RingCentral US
Richard Conn is the Senior Director, Search Marketing for RingCentral, a global leader in unified communications and internet phone service.
He is passionate about connecting businesses and customers and has experience working with Fortune 500 companies such as Google, Experian, Target, Nordstrom, Kayak, Hilton, and Kia. Richard has written for sites such as Nextdoor and Rightinbox.