When employees use their own devices for work, there’s no such thing as a personal security breach
It’s no exaggeration to say that mobile smart devices have changed the way people work. With smartphone in hand, employees now expect to be able to check email from their kid’s baseball game, finalize financial transactions on the fly, and log into cloud-based services at the gym—not to mention play Angry Birds whenever they want. The downside to this round-the-clock connectivity is the security risk it can introduce to your network and, because devices are personally owned, the difficulty of locking them down. These days, there’s no such thing as a personal security breach. A security incident on a personal device can put your entire network at risk.
This isn’t as far-fetched as it might sound. According to the Cisco 2011 Annual Security Report, three out of four employees worldwide have multiple devices, like a laptop and a smartphone, and one in three young professionals use at least three different devices for work. The research also shows that the most popular mobile platforms—Apple iPhones and iPads and Google Android devices—have become targets for malware. Malicious software can be introduced in a variety of ways, but many small businesses have found themselves infected by malware inadvertently passed on from an employee’s personal device.
Blurring the line between personal and professional
As people continue to blur the line between their personal and professional activities, you can expect to see more personal security breaches affecting the local business network. For example, many small companies maintain a Facebook page for marketing purposes, and many employees who administer these fan pages also have their own Facebook profile pages. While checking a personal Facebook page, an employee may unknowingly download and install an applet that runs in the background to capture data in the web browser window. If the employee then switches over to the company’s Facebook page, that malware can capture data from that page, too. To help mitigate this exposure, people should shut down their browsers between sessions. (See this post for more information on how to safely and securely use social media for your small business.)
Worse, some malware can continue running in the background even when the browser’s been exited after use. If the malware has been installed on a computer, perhaps a company laptop or desktop, it can then possibly capture sensitive business data stored on or accessed through that device. The same thing can happen on personal smartphones that are used to access web-based applications, such as a customer relationship management (CRM) client. That personal security breach just became a problem for your entire network.
Of course, your business can be impacted by a personal security breach in other less direct ways. Consider the employee who just discovered she was the victim of identity theft. She’s going to be worried and she’s going to spend a lot of time, emotional effort, and money to restore her identity, making phone calls to her bank, dealing with debt collectors, and more. As far as your business is concerned, her productivity is going to drop significantly while she’s dealing with this time- and attention-consuming problem.
Although it’s not your direct responsibility to protect the individual privacy of your employees, especially on their personal devices, doing so benefits your company. It not only safeguards your local network, it also ensures employees’ ongoing productivity.
All for one and one for all
The first step in helping employees protect themselves from security incidents is education. Make sure they’re aware that security is their responsibility, too, and that security threats pose a real danger to them personally. It’s important to educate everyone on the basics, such as how to spot dangerous email and potentially malicious websites. Second, your acceptable use policy must include information about how personal devices can be used in the workplace and what happens in the event of a security incident, whether it affects the company or the employees themselves. And third, find out if your security solution can also help protect personal smartphones and tablets as well as your company’s computers. For example, a security appliance like the Cisco SA500 Series will monitor for web threats as employees browse the Internet from their own devices just as it does from company computers, and can block any inadvertent attempts to download malware from a known malicious site. Of course, this only works if employees are accessing the Internet over the local network from behind your firewall.
Finally, encourage employees to install security software on their smartphones and tablets that will protect their personal data. Even though you can’t require employees to install certain apps on their own devices, you can make it a condition of using those devices to access your company’s network. Consider apps like TaintDroid and Lookout Mobile Security, which can show users which mobile apps are accessing their location and other personal, sensitive data.
In this age of BYOD, it pays to take a holistic attitude towards security so everyone is looking out for everyone else. Remember, if someone you have a relationship with experiences a security breach, chances are good it will trickle down to you. Even if a virus, malware, or other security threat starts out on just one smartphone, it can quickly proliferate throughout your network.
Have you taken steps to help your employees protect their personal devices from security breaches?