As our reliance on digital technology continues to grow, so does the threat from scammers, hackers, and cybercriminals. Yet we have become so used to the benefits of tech making our lives easier that we can get complacent and careless about the risks.
The growth of mobile use in business has left many companies even more vulnerable to attacks, mainly due to the rise of the bring-your-own-device (BYOD) culture and an increase in remote working.
With the average data breach cost in 2020 coming in at $3.86 million, it’s vital to protect your organization. However, investing in security solutions is no longer enough – you must also provide comprehensive training to all employees. This means anyone using their mobile for work is educated about potential risks and better placed to spot any vulnerabilities.
While your security protocols have to be efficient, it also helps if they are easy to understand. If something is hard to follow and cuts into productivity, it is less likely to become a seamless part of everyday work.
Enterprise Mobile Device Security
In the modern workplace, mobile devices are used more frequently than traditional endpoints, and the same information that an employee's laptop or desktop can access is also present on these devices. Mobile devices bring a substantial boost in productivity, but a lack of security on them also brings a dramatically greater danger to an enterprise. Mobile devices frequently go unguarded, even though you wouldn't consider leaving a laptop or desktop unattended.
Employees can learn about enterprise mobile security and the dangers and weaknesses that it faces by taking a mobile security training course.
Here are five key things to remember when providing mobile device security training.
1. Mobile security should be part of the culture
The main aim of any training program is to change the company’s culture. In this case, every employee should learn to take the threats seriously. Protection should feel like everyone’s responsibility, not just the IT department.
And this means that lower-level employees need to see that those in higher positions are setting an example by following the protocols.
96% of phishing still happens via email, but employees should also receive training to recognize threats from other sources. Phishing via SMS (known as “smishing”) and voicemail (“vishing”) are high priorities for current attackers, and it’s wise to raise awareness of the risks.
Train employees to look at the company’s security from an attacker’s point of view – what gaps might they see and take advantage of? Which technology is most at risk? For example, you could run test scenarios with your IVR (interactive voice response) system or online booking software and learn the warning signs to look out for.
As well as staying alert to potential threats, employees should report any concerns immediately to your IT department, even if they seem insignificant. Aim to develop a culture where employees take personal responsibility and look out for one another – the managers shouldn’t have to watch them at every moment.
2. The most significant threat comes from BYOD
Over the past few years, the practice of employees bringing their own devices to work (BYOD) has added a whole new level of threat. While your IT department used to be responsible only for organization-owned devices, it now needs to be aware of different systems.
Employees will use them at home for remote or out-of-hours working, meaning you can’t just rely on monitoring in-office behavior. Combined with the increased likelihood of personal use, this can make threats much harder to detect.
Staff downloading non-work-approved apps can add risk, as they may inadvertently introduce malware. Meanwhile, their Bluetooth devices like smartwatches or Fitbits could pose a threat even if they’re not being used for work.
Many devices may be outdated when it comes to upgrades and patches, so your company needs to make sure its own security net is strong enough to encompass these. In addition, the IT department should set up and maintain an inventory of all devices being used, to make it easier to track what’s being used when and where.
Attackers are now prioritizing users on mobile devices. For example, many employees receive work emails and messages on their phones all day and night, while those who provide website maintenance or backend support may do most of their work outside normal office hours.
It’s easy to stop paying full attention and let something slip through. Therefore, training programs should ensure that employees are aware of these specific threats and demonstrate that they must not let their guard down just because they have left the office.
3. Company-owned devices are at risk, too
We’ve covered the threats from BYOD. But employees need to remember that company-owned devices can be compromised, too – even when they’re being used in the workplace.
In fact, any device that connects through wi-fi, Bluetooth, or different systems such as order management software presents a potential problem. Train your employees to know the risks to accessories such as point-of-sale systems, headsets, and webcams.
Meanwhile, if organization-owned devices are handed over with full permission and admin capabilities, employees could unwittingly install malicious software or engage in risky behavior. It’s better to limit employee permissions as well as provide training, just to avoid these issues.
Employees who use company devices and software are not the only ones who require training. Whoever is in charge of purchasing digital technology for your company should be able to research available products to make sure they’re trustworthy.
4. Targeted training pays off
As well as providing company-wide training, it also pays to focus on employees whose behavior puts them most at risk of causing a breach. For example, you could search logs from mobile device management systems, anti-malware tools, email security gateways and web proxies to spot who is testing the access blockers or regularly encountering malware.
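The log review described above can be sketched as follows. This is an added example, not part of the original article: the normalised line format, the field names, the user names and both thresholds are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
# Constructed sample export; real MDM, anti-malware, email-gateway and proxy
# logs each have their own format and would need normalising to this shape.
SAMPLE_LOG = """\
2024-03-04T09:12:01 source=proxy user=alice event=blocked detail=category:file-sharing
2024-03-04T09:12:40 source=proxy user=alice event=blocked detail=category:file-sharing
2024-03-05T22:03:10 source=proxy user=alice event=blocked detail=category:anonymizer
2024-03-05T08:30:00 source=email_gateway user=bob event=malware detail=attachment-quarantined
2024-03-11T14:02:19 source=antimalware user=bob event=malware detail=app-quarantined
2024-03-06T10:00:00 source=mdm user=carol event=blocked detail=unapproved-app-install
2024-03-07T11:45:00 source=proxy user=dave event=allowed detail=category:news
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})T\S+ source=(?P<source>\S+) "
    r"user=(?P<user>\S+) event=(?P<event>\S+)")

def users_needing_training(log_text, min_blocked=3, min_malware_days=2):
    """Return {user: details} for users over either (assumed) threshold."""
    blocked = defaultdict(int)        # user -> count of access-blocker hits
    malware_days = defaultdict(set)   # user -> distinct days with a detection
    sources = defaultdict(set)        # user -> which tools reported them
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the normalised shape
        user, event = m["user"], m["event"]
        if event == "blocked":
            blocked[user] += 1
        elif event == "malware":
            malware_days[user].add(m["date"])
        else:
            continue  # allowed traffic and other events are not counted
        sources[user].add(m["source"])
    flagged = {}
    for user in sorted(set(blocked) | set(malware_days)):
        reasons = []
        if blocked[user] >= min_blocked:
            reasons.append(f"{blocked[user]} blocked requests")
        if len(malware_days[user]) >= min_malware_days:
            reasons.append(f"malware on {len(malware_days[user])} separate days")
        if reasons:
            flagged[user] = {"reasons": reasons, "sources": sorted(sources[user])}
    return flagged

if __name__ == "__main__":
    print(users_needing_training(SAMPLE_LOG))
```

Counting malware detections by distinct day rather than by raw event keeps one noisy incident from looking like a recurring pattern.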
One report suggests that 15% of successfully phished people will be targeted at least once more within the year. Individual discussions with repeat offenders will help them understand the risks they are taking and the potential costs to the business.
In the event of a security breach or a near-miss, don’t just retrain the employee who’s responsible. Instead, see it as an opportunity to retrain everyone, reiterate the importance of mobile security – and point out that an honest mistake could happen to anyone, which is why everyone must always be on their guard.
Don’t forget those employees working from home or at different premises. Video calls are a great way to deliver training remotely; you should make sure any training program is engaging and fun. Otherwise, employees will get bored and zone out. Some ideas include:
- Delivering a series of shorter sessions rather than one long lecture
- Targeting small groups instead of addressing the whole company
- Working on role plays with individuals or groups
- Using gamification to make learning fun
- Ensuring the content is relatable to real-life situations
You could also add digital security performance to employee appraisals to keep an eye on who’s following the rules. Tools like workforce optimization (WFO) solutions help track employee performance and training.
5. Keep communicating!
Communication is vital – you should let all employees know how your security upgrades work and why they are so important. In addition, they must understand why you need to protect their devices. This can avoid it being seen as an infringement when you track their device or disable actions.
It helps to have buy-in for the mobile security being deployed by your company. Walking users through the process and what it means will reduce user error. It also helps employees feel important enough to be trusted with the complete information, creating a collaborative feel throughout the business.
This also applies to employees’ knowledge of how the different technologies work. If they understand this, they will be better placed to look for threats and to reassure customers about security measures. For example, if you’re switching to VoIP instead of a landline, they should be able to answer basic questions like ‘how does voice over IP work?’, ‘what encryption is used?’ and ‘what are the key security risks of VoIP?’
It’s essential to stay in contact with your remote team, as they may be less likely to remember the protocols when working outside the office environment. It’s also harder for managers to monitor them without the benefit of in-office conversations.
In between the training sessions, keep up regular and consistent communication. Don’t just send out vague emails about patches or upgrades – always explain how any new mobile security features will benefit the employee and the business.
Remember that potential attackers are constantly working on new ways to trick you, so it’s a constant battle. But if the worst does happen, there are device security solutions you can have in place ready for that day – such as remotely wiping data or retrieving information from a lost device.
To create and maintain a mobile security culture across the business, ensure every employee and every department is involved. As well as providing training, ask for regular feedback – what do employees think the risks are? Pair this with your assessment and any security consultants you bring in. Finally, use practical performance management tools to keep track of things.
Overall, this will help employees feel like they are really contributing something valuable to the business, which in turn will stimulate motivation, productivity and a more positive attitude.
Author Bio: Richard Conn – RingCentral US
Richard Conn is the Senior Director, Search Marketing for RingCentral, a global leader in unified communications and internet phone service.
He is passionate about connecting businesses and customers and has experience working with Fortune 500 companies such as Google, Experian, Target, Nordstrom, Kayak, Hilton, and Kia. Richard has written for sites such as Nextdoor and Rightinbox.