BYOD: Security Threats

Many companies today face serious threats due to the increase of smart phone usage by their employees. However, it is not just smart phone usage that creates the problem for employers. The BYOD trend has greatly increased serious security threats for employers as hackers found creative ways to penetrate wireless devices.

In a study conducted by Deloitte, respondents reported that the human element is among the biggest sources of information security risk (Deloitte pp.10). Respondents also identified the human element as the most difficult to control due to their employees’ lack of awareness (Deloitte pp.3). Although advances in technology have transformed our lives by offering a higher level of convenience, these same advances have opened several doors for technologically sophisticated criminals. Even so, the benefits of having the new technologies outweigh the threats that they cause for some people (Deloitte pp.10).

It is essential for companies using these new technologies that their employees receive the proper training, or that they are made sufficiently aware of the risks that such technologies present in today’s world (Deloitte pp.10). Obviously, a company is not going to do without these new technologies, or it will face other threats associated with competing in a cutthroat business environment. Therefore, companies must come up with a solution to control the threats in order to utilize the technology that will yield either a competitive advantage or, at the very least, competitive parity.

Since 70% of the TMT organizations that participated in the above-mentioned study rate their employees’ lack of security awareness as an average or high vulnerability, it only makes sense that companies start with their employees (Deloitte pp.10). Measures should be taken to ensure that employees do not talk about certain aspects of work, respond to phishing emails, let unauthorized individuals into the organization, or sell intellectual property to other companies (Deloitte pp.10).

Mobile devices such as smart phones are very convenient for today’s business environment and allow employees to work from virtually anywhere. However, these same wireless devices also store sensitive company data. Examples include email, documents, contacts, and the company’s agendas (Deloitte pp.10). Many employees also tend to use these same devices to access their social sites such as Facebook and Twitter. This is where employees can cause several problems for the company by exposing sensitive company data. Using the same device to access social media and manage company affairs is what makes mobile devices the perfect candidate for a security breach by hackers (Deloitte pp.10). These mobile devices serve as another entry point for computer criminals to attack. Another issue with mobile devices is that “they are easily lost or stolen” (Deloitte pp.10). A stolen device exposes all of the company data that is on it, which can include industry secrets or customer information that is meant to be protected.

The threat can be even worse when employers allow their employees to bring their own devices to work. According to the study, mobile devices are the second largest threat for TMT organizations (Deloitte pp.10). About 52% of organizations have policies that restrict the use of personal devices at the workplace, and 10% of the surveyed organizations do not even address the issue at all, making it very risky for those organizations (Deloitte pp.10).

The problem was so big in 2012 because of the hundreds of millions of people who are using social media sites such as Facebook (Sophos pp.3). “Attackers have built creative new social engineering attacks based on key user concerns such as widespread skepticism about Facebook’s new Timeline interface, or users’ natural worries about newly posted pictures of themselves” (Sophos pp.3). These attackers did not limit themselves to Facebook. They are now using Twitter, Pinterest, and other social platforms (Sophos pp.3).

In order to control some of the problems that can be initiated by an organization’s employees, employers must put strict restrictions in place. It is also important to raise employee awareness through training. Employees should be trained to understand potential security issues and risks (Deloitte pp.11).

IT and security professionals should also be trained on how to handle any threats that might come along (Deloitte pp.11). According to Deloitte, “the most common certifications for security professionals are CISSP (47%), CISA (36%), and CISM (37%)” (Deloitte pp.11). With all these security threats surfacing, it seems that companies would make it a priority to protect themselves as much as possible by investing in awareness and strict policy placement. However, only 8% of large organizations seem to be making this a priority (Deloitte pp.11).

Employees can cause some serious damage with one of these technologies. The employee can cause not only monetary damage, but also damage that hurts the company by letting another company gain a competitive advantage if certain company secrets get leaked to a competitor. Another thing to consider is customer data. If the employee is using a company device and causes a security breach, the company’s data is exposed. If the company data includes customer information, this can cause issues such as customers’ credit or identity being stolen. It could also go in a different direction and allow a competitor to have access to the organization’s contacts.

The possibilities are endless. One example of the damage that an employee can cause occurred in South Carolina. The Department of Revenue had a major security breach resulting in 3.6 million social security numbers being accessed by hackers (Trace Security, 2013). This is one of the largest data breaches we have experienced in the United States, and the results are devastating to American taxpayers, who are now forced to cover this debt.

Situations like this illustrate exactly why employee awareness is an essential key to an organization’s defense against computer criminals. Technology is evolving and we must evolve with it in order to survive. Mistakes like this one could wipe a whole company out. In this situation, we are discussing a government organization, and therefore the cost gets passed on to the taxpayer. In other cases, the organization will have to cover the costs. It is better to invest in ways to protect the organization and spend a little bit of money than to be out on a limb later and not have an organization to invest in.

Works Cited

Deloitte. Blurring the Lines. TMT Global Security Study, 2013.

Sophos. New Platforms and Changing Threats. Security Threat Report, 2013.

Adams, T. Social Engineering Attack: Breach in South Carolina Part 1. TraceSecurity.com, 2013. http://blog.tracesecurity.com/2013/02/06/social-engineering-attack-breach-in-south-carolina/.