Exclusive: Workers Still Ignoring Security Risks from Personal Devices
It’s no secret that many of us use personal devices for work. It’s convenient, increases productivity and means employees can use a device they know and like, rather than one forced on them by IT.
However, Symantec research revealed exclusively to Infosecurity Magazine suggests that many workers are not aware of the security risks associated with using their own devices for business. This can expose IT and indeed the whole business to risks.
The study, which quizzed 3000 workers across Great Britain, France, Germany, Spain and the Netherlands, found that nearly three in four (72%) of British workers use their own personal device for work, whether it’s a smartphone, tablet, laptop or home PC.
Here’s why that’s so worrying: Just 15% of British workers make sure the security settings on their devices are automatically updated, meaning the vast majority (85%) have to do this manually. There’s no guarantee that these workers will have the latest security on their device. In fact, 13% have no idea what the security status of their device is.
Only just over half (54%) were able to confirm that security on the device was up-to-date at all times.
Symantec said these statistics reveal a ‘roll-the-dice’ attitude to device security, which could be putting the business at risk. Personal devices connected to corporate networks can spread viruses and other malware, which can have a direct route onto the corporate network.
Over half (53%) of all those surveyed said they use their personal devices for work when outside the workplace. The hours immediately before and after work are the most vulnerable for businesses – that’s when 57% of British workers confessed to using their personal device for work.
Symantec said that these results show perimeter security is no longer enough to adequately protect businesses. Employees logging on from beyond the perimeter with devices not secured by IT is a huge risk to businesses, as it bypasses any perimeter security that may be in place.
Personal devices are also far less likely to have the same robust enterprise-grade security measures that businesses need to ensure their data is protected.
“This research unveils an uncomfortable truth – traditional security that only spans the corporate network and IT supplied computers is leaving their organizations exposed. Organizations can expect users to ignore best practices when it comes to security on their personal devices. Only a third of workers polled follow their employer’s advice on IT Security, meaning two-thirds break out of the confines of corporate best practices,” said Robert Arandjelovic, director of security strategy at Symantec.
Millennials’ attachment to their mobile devices is well-known, and that is causing problems for businesses. The majority (88%) of British workers under 24 use their personal device for work, but just 29% said they obeyed all employer instructions around devices and technology usage for work. The rest, it seems, happily ignore IT’s security policies.
When it comes to which mobile devices are being used, Android is leading the way. Across Europe 37% of workers use Android devices, way ahead of Apple (18%). In Britain that figure is much closer, with 23% of users picking Android and 17% using Apple.
That’s an issue, because Android is targeted by cyber-criminals much more frequently than Apple’s iOS, and the fragmented nature of the Android ecosystem means only a tiny fraction of users have the latest, most secure version of it.
The key to making sure workers can keep using their personal devices without compromising the security of the business is education as much as technology, Arandjelovic added.
“Employers have an important role in educating employees, but should also leverage technology to better protect them. To minimize the risk of bad behavior, intentional or not, organizations need to consider an integrated cyber-defense that works across both work and personal devices accessed at any time, in any location, and on any network,” he said.
Source: Information Security Magazine