The boundaries between work and home are increasingly blurred when it comes to mobile devices, heightening the risk of a security breach. Jeremy Childes, Chief Security Officer at Temenos, says companies must do more to help staff stay safe at home so they will be safe at work.
Mobile devices have taken over the office. Where once laptops were the preserve of geeks and travelling salesmen, today they are ubiquitous – along with tablets and mobile phones. Frequently these devices are the property of the individual, not the employer. According to Gartner, bring your own device (BYOD) is set to grow by 20 per cent this year, a rise fuelled by the 38 per cent of companies it predicts will stop providing devices to workers over the same period.
This is great news for the buying department, but could be a terrible omen for security and IT. With the BYOD trend come tricky security problems as the boundaries blur between work and private communications – particularly for activities such as internet browsing.
As employees use their own devices for work – and vice versa – they mix private with professional emails and texts, increasing the risk of breaches in security, data leakage and viruses. Office routers can offer all the security in the world, but take a device home and link it to the domestic WiFi and the device could be vulnerable to attack by botnets – groups of malicious, internet-connected computers. In addition, some companies have found that staff will deactivate firewalls to speed up access, unaware of – or complacent about – the consequences for security.
An office straw poll underlines this. Few people say they maintain antivirus software at home, for example. It costs money and is seen as a hassle to install. Most people who aren't in IT or haven't had a virus problem in the past are willing to risk it.
The answer is clear: teach staff the value of security and make it as easy as possible for them to secure the home environment. Work with their apathy. Provide subsidised or free antivirus software, install it at work and test regularly for viruses. Aircraft manufacturer Airbus, for example, offers virus kiosks for staff to check devices on their way into the office. The kiosks run diagnostic programs, picking up problems and logging the information for the security team to analyse later. This policy brings the double benefit of ensuring devices are clean while collecting useful data about the location, type and frequency of attacks, allowing security strategy to be altered accordingly.
Other companies offer password vaults, into which numerous passwords can be placed so the user only needs to remember one access code. This can be integrated into a mobile device with biometric entry – such as an iPhone – cutting out the requirement to remember even that single code.
But free software, password vaults and security checks can only go so far. The really important element is education. The best companies hold regular seminars inviting experts to speak, offer real-life examples of how things can go wrong and promote the benefits of good security. This isn't limited to work, but encompasses the home environment to include topics such as parental controls – ways to keep children safe on the internet and limit screen time. This resonates with staff, adds value at work and builds allegiance both ways.
As with anything, encouragement works better than coercion. Companies need to think creatively to reach and engage their staff. They need to recognise how people use devices – whether their own or provided by work – and the security challenges this throws up. It's about making device security consistent in the office and at home – and until companies can do that they will remain vulnerable.