In a recent post we wrote about how the line between “work” and “personal” devices today is increasingly blurred. Users will not buy a separate smartphone or a tablet for work purposes if they already have such a device for their household needs. However, the problem is much bigger than users think. An average user brings all the habits associated with the use of personal gadgets and their activities on the Internet from home to work. There are quite harmful habits among them too, such as not using security software on personal mobile devices at all. According to a joint survey by B2B International and Kaspersky Lab in 2013, only 40% of smartphone users and 42% of tablet users ever installed security software, with no more than 19% ever having taken care of encrypting data.
The same applies to the use of the Internet and other aspects of “digital” life. If the user has “unhealthy” habits at home, in terms of information security like opening any links from friends (without carefully looking at the address bar), extracting email attachments, etc., then he or she is going to follow those patterns at work as well.
What does that mean? The recent survey by IT Governance states that 54% of companies believe their own workers are a major threat to IT security. This implies that system administrators expect incidents caused by the actions of the company’s employees. These are imprudent or just dangerous actions from the point of view of IT security.
“According to surveys in Europe and the United States employees of companies spend up to 30% of their working time on personal issues, – Kaspersky Lab expert Kirill Kruglov wrote in his article. – Working computers are used by employees for social networking, trading links to entertainment content, downloading files from suspicious resources.”
Cybercriminals very actively use social networks to conduct phishing campaigns and distribute malware and malicious links. There is always some kind of infection pestering entertainment sites too, so “carefree” users may be a very serious threat to the corporate infrastructure and data.
Naturally, the question arises about the ways to deal with this situation. It is surely tempting to enable strict rules for everything by forming a very limited list of network resources that employees have the right to enter, or by totally banning the use of personal mobile devices within the corporate network, and so on. Business requires the maximum productivity from employees; therefore, it minimizes the misuse of working resources.
However, productivity may decrease not just because employees are spending time on social networking instead of work, but rather because of abundant repressive measures. Moreover, the BYOD principle, for example, may not be disregarded entirely now, unless the company is eager to pass as an “evil empire,” where employees are stripped of mobile phones and not allowed to enter social networks at all.
So, the risks of BYOD have to be heeded and considered to ensure the safety of the corporate network.
Secondly, of course, robust protective means must be applied to block malware, deflect phishing attempts, and nullify zero-day exploits. Restricted access to web resources from the corporate network and monitored traffic are needed, too. It is also necessary to install clients using the same security solution that the company uses on all mobile devices in the corporate network.
But beyond that, employees must be taught the basics of IT security. If a third of the workday is spent on unclear purposes then why not reserve one hour a week for training of this kind? With the increasing complexity of systems, such training is becoming as urgent as establishing a security policy within the company.
Meanwhile, according to the study of global corporate risks in the IT sector by B2B International and Kaspersky Lab, only 52% of respondents stated that employees in their companies are serious about IT security rules and abide by them. 32% of respondents agreed that the personnel neglects compliance with the rules, while 38% admitted that their company employees do not understand the reason for such a policy.
This is the fog of misunderstanding that has to dispel. Some progress has been made already: 60% of respondents said their company employees regularly receive newsletters with descriptions of actual threats, and 58% of the surveyed companies have specialized personnel training programs.
If company employees get in the habit of safe IT practices at work, there is reason to believe that in the end, they will try to ensure an appropriate level of protection at home, too.