We all know mobile devices are becoming ever more prevalent. In fact, Pew Research found that nearly 80% of Americans own smartphones and a little over half own tablets. Not only do we have more mobile devices in our daily lives, but mobile devices are raising productivity and connectivity between employers and employees.
Management has noticed this trend, and bring-your-own-device (BYOD) programs are becoming popular. Unfortunately, BYOD programs, and mobile computing in general, pose some security issues. With the constant stream of hacks and data leaks making their way into the public consciousness, IT security, and especially mobile security for employees, is vital.
What Employers must do
Employers who refuse to embrace BYOD and the mobile work culture will likely face stiffer competition in the job market, especially for younger cohorts who want to centralize their lives, both work and leisure, into single devices.
For companies still allowing access to corporate data only on corporate devices, a lot of control is available, and it should be implemented. This includes enforcing website and app access policies such as whitelisting and blacklisting, as well as forcing all traffic through encrypted channels (either HTTPS or VPN).
For employers embracing the BYOD and mobile work culture, there are solutions to control data flows between corporate and personal apps. Local storage on devices may be necessary to avoid hefty data fees, but employers need to keep corporate data off personal cloud storage. Employees who want to use their personal devices at work will need to submit to some controls.
Perhaps most importantly, employers need to educate their employees on data and network access outside the office. Periodic mandatory training sessions are one approach. Not only will employees better understand the risks to the company, they can become aware of the risks to their personal data. With the Equifax and Cambridge Analytica debacles, personal data protection has been catapulted to the forefront of the public psyche.
What Employees must do
Employees must be aware of some of the risks, and they must actively protect themselves. It is far simpler to prevent catastrophic hacks if employees cooperate and protect themselves voluntarily. Training sessions need to make employees aware of how to protect their own devices: apps and data can be controlled and encryption can be used, but flaws in implementation mean corporate data might still be leaking right onto the attackers’ servers.
Most employees will know the basics of cybersecurity, like not clicking on links from Nigerian princes offering millions to deposit one check. Unfortunately, that knowledge does little to deter an alarmingly high number of individuals. Knowledge and application of that knowledge are two separate concepts.
Moreover, technology is always moving forward, and malicious actors are always one step ahead of the sentinels of security – otherwise we wouldn’t have a security problem. So employees need to understand the latest threats, not technically but conceptually. Reaching that education goal will drastically increase a firm’s security.
How many employees know about Evil Twin Wi-Fi hotspots set up by cybercriminals? Most simply connect to the strongest signal or maybe the most familiar one. SSIDs like “Free Starbucks (Excess Capacity)” are enticing to business professionals wanting to avoid network congestion. Then the employee proceeds to download unencrypted confidential documents, completely unaware of the vulnerability.
Another major problem is ransomware. When WannaCry appeared in the media, suddenly the public realized their data could be locked away from them. Infecting a single employee’s device is not very impactful. Unleashing it onto the internal corporate network? That is impactful. So employees need to act as a first line of defense in any workplace mobile security system.
Leverage the fear of personal information being destroyed: no one wants their own devices hacked, and employees’ proactive security practices will protect both their devices and company data and networks.