Are mobile devices making careless employees a bigger threat than cyber criminals?
According to the Mobile Operators Association, in 2000 half of UK adults owned a mobile phone.
Now, at least 94% do and there are over 82 million mobile subscriptions in the UK. Half of adults own a smartphone and also use their mobile phone for internet access. Cisco, an IT provider, says that the number of mobile-connected devices will exceed the world's population by the end of 2013. Mobile telecommunications are vital for promoting economic competitiveness and social inclusion, but what are the dangers in a business environment?
The University of Glasgow conducted a study investigating the information security risks of mobile device use within organisations and found that mobile devices – including phones, laptops and tablets – can expose businesses to a host of information security risks. Check Point, a security software provider, recently carried out a survey and found that 93% of UK and US companies allowed mobile devices to connect to their corporate networks with 67% allowing personal devices.
The distinction between the personal and professional use of devices is becoming blurred due to the extent of connectivity and the ability to access corporate information, which is putting increasing pressure on IT security and corporate compliance departments. Where previously IT departments were tasked with controlling closed business networks and fixed desktop PCs, now they are faced with an interconnected global corporate network and ever-growing use of employees' personal mobile devices.
The problem lies with third-party applications, malware and the ability to hack devices via open WiFi networks, as well as the occurrence of theft or simple loss. John Shaw of Sophos, a network security company, says that over half of users surveyed do not even have a passcode lock in use on their devices. The Check Point survey reveals that two thirds of companies believe that careless employees are a bigger threat than cyber criminals.
Even where businesses have a robust corporate policy in place, this is not always strictly abided by, as the University of Glasgow's study revealed. The study examined 32 mobile devices that had been issued by a global Fortune 500 company, and were then subsequently returned to the organisation by the employees. The devices were examined to determine policy breaches and consequent security risks. Some examples of the findings revealed passwords transmitted in clear SMS text, unencrypted files being transmitted outside the company and passwords saved as contacts in the device phonebook. These issues pose security risks that have potentially serious financial implications for corporate organisations.
The trouble is, corporate policies cannot afford to be too onerous. As Mr Shaw commented, an employee who has to enter a 17-digit code in order to access their phone will soon write it down on a post-it note and stick it somewhere easily accessible. Whilst some companies may try to avoid the use of personal devices in their organisation, the reality is that this is unavoidable. With increasing pressure to improve efficiency, employees will use their own phones and tablets to read company emails and transfer documents so they can work from home.
One solution may be mobile device management, an emerging form of software that enforces password control and allows a lost device to be wiped. Indeed, Apple Mac products already include a "Find my Mac" option that can be activated to track and securely wipe lost devices. The difficulty with this solution, however, is that employees will often delay reporting a device lost if they face "losing their holiday photos". Further, Apple iPhones create their own additional challenges for IT security with the unprecedented pace of change in software upgrades. Users migrate en masse from one operating system to the next, virtually overnight – a phenomenon which just does not occur with Windows on company PCs.
In this world of constant technological advancement, IT security must be integrated into the upper echelons of senior management for a joined up approach to security-management practices. Keeping one step ahead by using advanced encryption standards in order to tackle the security risks posed by mobile devices is difficult, time consuming and expensive. However, it is a challenge that companies cannot afford to ignore.