In a business where employees essentially demand the freedom to be able to work from anywhere, anytime, establishing robust online security policies can be challenging. This is especially true when it comes to employees using their personal devices, be it smartphones or laptops, for work purposes and transferring or communicating commercially sensitive information, writes Paul Rosenthal, founder and CEO of online encryption product company Appstractor.
Too many businesses are walking willingly into a cyber security nightmare by introducing these kinds of personal device policies with no particular thought or awareness of the consequences. Remote working and allowing employees to use their own devices should never be driven by a blind desire to be viewed as cool, or fit in with a particular culture, but should be led by specific business objectives.
It should also be built out through multiple departments – like IT, HR and legal – to ensure robust and understood policies are in place for employees so they know the levels of security to have on their devices, what information should and shouldn’t be sent over certain networks and the consequences of breaching these policies. Considering that more than half (52pc) of 18 to 25-year-olds regularly use the same password for multiple online accounts and services – according to recent government research – far too much of the workforce lack an understanding of cyber security risks, yet expect the freedom to work on any machine they want.
The biggest cause for concern for businesses when employees use their own devices is that the business loses all control and visibility over what information is being sent over those devices.
With no idea what information is being communicated, a business has no way of knowing what risk it is being subjected to – and may not even be aware that it has been targeted until it is too late. Then there is the risk of data leakage and breaches caused by poor personal security on smart devices, as well as the risks from downloaded apps, which could open holes in a device’s security and a path in for cyber-criminals to access sensitive information. This is not even to mention the all too real possibility that a device carrying sensitive business data is stolen or lost by the user.
Online encryption is not totally out of reach for small and medium businesses; the main hurdle they face is that current offerings are either aimed at consumers – lacking the kind of enterprise features a company needs – or built for big organisations and governments trying to avoid large scale state-sponsored attacks.
These systems are far too difficult to implement within an SMB, leaving these companies worryingly exposed. Then there are those businesses which don’t bother with online encryption under the false idea that they are too small to be targeted – oblivious to the risk of automated mass targeting which is most likely to be used by cyber-criminals.
The popularity of the gig economy and remote working all but guarantees that employees using their own devices for work is not a passing phenomenon. Businesses and security managers must start taking more seriously the risk this is posing to their organisations and the potential for sensitive information to be stolen.
If they don’t, the “Bring Your Own Device” development is a cyber security time-bomb just waiting to go off.