The risk right under your nose

Written by Emma McClelland on 1 September 2014 in Features

A substantial portion of data breaches come from inside the business. Emma McClelland highlights some of the dangers

In 2013, 60 per cent of the UK’s small companies and 81 per cent of its big ones suffered data breaches, and it’s not just external threats causing concern. When it comes to insider threats within a business, there are two key issues that often go hand in hand: bring your own device (BYOD) and passwords. BYOD, or ‘bring your own destruction’ as sceptics fondly call it, refers to the growing trend of employees bringing their own personal mobile devices into work and connecting them to the network. This can happen with or without the consent or encouragement of the business itself, but it’s a phenomenon that’s happening whether we like it or not. According to Gartner, 70 per cent of mobile professionals will conduct their work on personal smart devices by 2018.

So, what are the implications? Let’s start with the positives. Of the companies that have embraced BYOD, most cite increased productivity and improved work-life balance as the main benefits. By being able to work remotely or simply move somewhere else in the office for a change of scene, employees can get jobs done whenever and wherever they want to. With the recent push for more flexible working in the UK, BYOD is likely to become even more prevalent. It represents a huge shift in the way we work, with the decline of the PC and the rapid development of smart devices changing the landscape of the typical workplace.

However, along with that increased productivity is the unfortunate caveat of increased risk. The critical word here is ‘security’. Businesses operating these days collect a vast amount of data, much of which is highly sensitive. The most obvious concerns relate to the ability of employees to transfer this information from a company PC to a mobile device and take it off premises. What happens if they misplace this device? Many of us have read stories about government employees leaving pen drives with highly sensitive data on public transport. Items such as iPads are desirable items for criminals and if there’s something of value on that device, such as intellectual property or the personal details of individuals, it could lead to serious consequences including theft and identity fraud.

At this point, the issue of passwords also comes into play. With developments in technology, most devices have the option to add a password or PIN, but how seriously do people take this measure? Last year, McAfee released survey results suggesting that 36 per cent of us don’t lock our mobile device with a PIN or password, while Symantec’s 2014 Internet Security Threat Report stated that 38 per cent of mobile users have experienced mobile cybercrime, yet only 50 per cent take even basic security precautions. Even if we do use a passcode, is this enough of a precaution? Consider how many mobile device users choose their date of birth as their PIN, or reuse the same numbers they use for banking. The most widely accepted piece of advice seems to be that if you can use a passphrase instead of a PIN, then you ought to.

But what is a passphrase and how do you make sure that it’s secure too? Whether for workplace PCs, the applications on those PCs or mobile devices, the advice is the same. A cybersecurity expert from the UK-based IT firm Secarma commented: “The word password is slightly misleading because it tends to limit people, as they immediately think of a word, which is exactly what you don’t want to be using. Hackers can use software to carry out dictionary attacks which basically brute force your password, and this process is made easier if you’re using a word that is personal to you, and by that I mean easily associated with your life. There’s so much information about us online that a bit of snooping can reap plenty of results. If you’re a Harry Potter fan, for example, there’s no reason why a hacker couldn’t use a Harry Potter dictionary to brute force your password. So, ‘Dumbledore2000’ is off the list! What we recommend is using a phrase – the longer the better – that includes spaces, punctuation and upper and lower case. Try to use different passwords for different accounts and applications, and try not to succumb to the temptation to note it down.”
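The Secarma advice above can be turned into a concrete acceptance check. The following is an added example, not code from the article, from Secarma or from UKFast: it estimates how many guesses the cheapest plausible attack would need for a candidate secret and rejects anything below an assumed threshold. The word list, the 100,000-entry attacker dictionary size and the 60-bit policy threshold are all assumptions chosen for illustration; the “dictionary word plus digits” pattern is the one the quote calls out with ‘Dumbledore2000’.

```python
import math
import re

# Assumed size of an attacker's cracking wordlist (illustrative, not a measured figure).
WORDLIST_SIZE = 100_000

# Constructed stand-in for the "Harry Potter dictionary" mentioned in the article.
THEMED_WORDS = {"dumbledore", "hogwarts", "quidditch", "gryffindor", "hermione"}

# Assumed policy threshold: reject anything an attacker could plausibly reach
# in fewer than 2**60 guesses.
MIN_BITS = 60


def _charset_size(secret):
    """Size of the smallest character set that covers every character used."""
    size = 0
    if re.search(r"[a-z]", secret):
        size += 26
    if re.search(r"[A-Z]", secret):
        size += 26
    if re.search(r"[0-9]", secret):
        size += 10
    if re.search(r"[^A-Za-z0-9]", secret):
        size += 33  # printable punctuation, including the space character
    return size


def estimate_bits(secret):
    """Return (bits, attack) for the cheapest of three modelled guessing strategies.

    bits is log2 of the estimated number of guesses; attack names the strategy.
    Taking the minimum is the defender's view: the attacker picks the easy path.
    """
    candidates = []

    # Strategy 1: one dictionary word followed by digits or symbols ("Dumbledore2000").
    # The suffix is modelled as a digit run, which is the conservative (cheaper) case.
    m = re.fullmatch(r"([A-Za-z]+)([^A-Za-z]*)", secret)
    if m and m.group(1).lower() in THEMED_WORDS:
        candidates.append(("dictionary word + suffix", WORDLIST_SIZE * 10 ** len(m.group(2))))

    # Strategy 2: a phrase built from dictionary words, guessed word by word.
    words = secret.split()
    if len(words) >= 2:
        candidates.append(("word combination", WORDLIST_SIZE ** len(words)))

    # Strategy 3: brute force over the character set actually used.
    candidates.append(("character brute force", _charset_size(secret) ** len(secret)))

    attack, guesses = min(candidates, key=lambda c: c[1])
    return math.log2(guesses) if guesses > 0 else 0.0, attack


def check_policy(secret):
    """Apply the assumed passphrase policy and explain the decision."""
    bits, attack = estimate_bits(secret)
    return {"accepted": bits >= MIN_BITS, "bits": bits, "weakest_attack": attack}


if __name__ == "__main__":
    # Constructed candidates: the article's rejected example, a short random
    # string, and a long phrase with spaces, punctuation and mixed case.
    for candidate in ["Dumbledore2000", "Xq7!", "My cat wore socks, twice!"]:
        result = check_policy(candidate)
        verdict = "accept" if result["accepted"] else "reject"
        print(f"{candidate!r}: {verdict} ({result['bits']:.1f} bits via {result['weakest_attack']})")
```

The phrase wins not because of its punctuation but because five words drawn from a large vocabulary are far more costly to enumerate than one themed word with a year bolted on; the estimate is deliberately rough and only meant to rank candidates, not to predict real cracking times.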

It sounds like a bit of a tall order to be able to remember several different phrases, but the expert opinion seems to be that, by using methods such as association, we should be able to maintain this standard. Association is the technique of using the layout or presentation of a website or application to trigger the recollection of your passphrase. For some people, a colour used on a site, for example, could make them think of a place they’d been or a favourite item of clothing and so on. So, if a website’s layout made me think of holidays and, in turn, brought back a funny memory from a past trip abroad, it might give me an obscure phrase that other people would be unlikely to think of but that comes naturally to me. I can then use this as the basis of my passphrase for that site or account, adding special characters and spaces to make it more secure.

For certain businesses, however, security measures go further than this. Many organisations use multi-factor authentication to make sure that only the right people gain access to specific accounts and data sets. Sometimes this process will involve not only entering a passphrase, but also then having a code sent to your mobile phone. This is more reliable than having a code emailed to you, as you have to have physical access to the phone in order to get the code, whereas an email inbox is just another part of your online presence. If a hacker has access to one of your accounts already, there’s a strong likelihood that they also have access to your email account! Other advancements in multi-factor authentication include biometrics, which is actually simpler than it sounds, although still fairly ‘Mission Impossible’ style. Some phones and even cars, for example, have fingerprint recognition, so this would be an instance of biometrics being used as a form of authentication. On a side note, there was one man who had his thumb chopped off by criminals wanting to steal his car, so, you know, swings and roundabouts!

However, while it’s all well and good educating your employees about passphrases, this only helps to counter one of the problems of BYOD. Yes, it helps if devices are lost, but what if an employee intentionally takes data from your network? Consider a client database, which competitors would kill for. It only takes one disgruntled employee to share this database with the wrong people. This could cause damage to your reputation and have a detrimental impact on your bottom line. So, what’s the answer? How can the interests of employees, businesses and their clients be equally met?

According to Lawrence Jones, CEO of internet hosting firm UKFast, “Making BYOD work for your business is about striking the right balance between usability and security. You want your team to be as productive and happy as they can be, but there’s always the issue of data security to worry about. When you add security measures to something, its usability decreases, but protecting the private information of clients and employees alike has to be the main priority for any business.

“To get the lay of the land, an audit of the devices connected to your network is a good place to start. It’s also a good idea to have different levels of access for employees dependent on their role to ensure that sensitive or mission critical information can’t be accessed by everybody, only the few that need it to do their job; on call engineers, for example. Even then, it’s better to stay on the safe side and provide company laptops. If a BYOD user doesn’t need access to something then it makes sense to put that safety barrier in place.”

Jones’s advice about an audit is prudent, as one of the other major threats posed by BYOD is the potential transfer of malware from an infected device to the company network. A mobile security threat report by Sophos claimed that, “mobile malware writers know the best way to infect as many devices as possible is to attack central app markets. Therefore, today the most likely way that malware will find its way onto a mobile device is through downloading a malicious app that hasn’t been sufficiently vetted.” Any malware or virus on a connected mobile device could be transferred to the business network, causing significant damage. One way to prevent this would be to disable USB ports where it’s practical to do so. For mobile phone charging, a separate charging station could even be set up, taking this means of infection away from the network.

Many of the companies that have embraced BYOD have set up usage policies to help with PCI compliance. To monitor the devices connected to their networks, a number of businesses even utilise Mobile Device Management (MDM) technology, which involves the use of software to view and manage devices from one place. In most instances, this is a good way to gain some control over the devices accessing your network. Taking appropriate security measures, such as performing updates and applying patches when errors occur, is vitally important though, and using third-party software means you have to trust that provider to follow these procedures. Aviva UK was recently hit by an attack that managed to compromise its MDM platform and wipe the iPhones of some employees.

Other advice to make BYOD in the workplace secure includes data encryption, due diligence with regards to the hiring of staff, and regular training sessions to make sure that employees are aware of policy and of their responsibility as a BYOD user on the business network. A lot of people aren’t completely aware of how important data security is on both a personal and professional level. It’s also worth noting that no matter who owns the device, it’s the organisation’s responsibility to protect the data stored on it. If an employee’s tablet is stolen, and a criminal subsequently gains access to sensitive details, it will be the employer receiving a heavy Data Protection Act fine, not the employee.

So, for businesses, it really is important to address the issue. A blanket ban on mobile devices is unlikely to be effective, and passively allowing employees to plug into the network with mobile devices is equally unproductive. Engaging people in discussion and articulating security practices and policies is a much better way to broach the subject. A robust BYOD policy typically asks questions such as: “how can employees encrypt and decrypt the corporate data stored on their devices?” and “how and when should company data be permanently deleted from personal devices?”

Having a strong, carefully-considered BYOD policy in place and communicating it with employees ensures that any issues are anticipated and the responsibilities of employees and employers are fully transparent. Ultimately, as Jones puts it: “Technology is evolving at an astounding pace and, as business owners, it’s our responsibility to ensure that we’re agile and open-minded enough to evolve with it!”

About the author

Emma McClelland is a features writer with UKFast. To find out more, visit or follow @UKFast
