As remote working becomes more normalised, so too does the notion of the mobile device becoming a one-stop shop – a sole gateway to people’s consumer and business activities.
While this provides levels of ease and access that desktops struggle to reach, says David Emm, principal security researcher at Kaspersky, it highlights a significant security shortfall that needs addressing urgently. If we’re going to use personal devices as business tools, then we need to secure them like business tools.
In the UK at present, one in five consumers are provided with a company smartphone, while 27% simply use their personal smartphones for work – according to Kaspersky’s research. This emphasises a reality where individuals are sending sensitive work emails in one breath, before sending a Tweet or accessing personal bank accounts in the next. Kaspersky also found that 23% of people admit they don’t have adequate antivirus software installed on their provided devices for business use, and 47% don’t protect their personal smartphones. With that said, it is clear consumers are applying the same level of ambivalence to their business activities as their personal actions.
A premature acceleration to mobile
It’s a concerning trend that opens up the threat landscape to cybercriminal opportunists.
As a result of the COVID-19 pandemic, 48% of the UK’s 32.9 million workers have been operating remotely due to lockdown restrictions. This hasn’t gone unnoticed among those who would take advantage of potentially insecure digital infrastructures. Sensitive corporate data is now being handled not just in people’s homes, but through people’s mobile devices as a primary platform. If these devices aren’t secure, or if the Wi-Fi network used to send and receive data is insecure, this could compromise the corporate data stored on, or sent from, the device.
The normalisation of mobile device usage for work is epitomised by more than half of UK employees responding to work emails through that preferred portal. Why wouldn’t they, to tick off a seemingly routine task with such ease? However, when one third admit to having never even thought about protecting their phones with antivirus protection, it’s clear to see how email attachments and sensitive information can suddenly become exposed or vulnerable.
Perhaps most worrying is the fact that 20% of all UK employees believe their phones actually can’t be hacked. Such a lack of awareness exposes the elevated danger as a result of people’s siloed working situations this year. On the one hand, they are working in an environment that is not under the control of the company IT team and is, as a result, inherently less secure. Beyond that, many have been forced by circumstance into mobile adoption for business usage without being afforded the time to understand the ramifications of this transition, and without having been given any education on the potential dangers. It’s simply been a response to new ways of working thrust upon them by the pandemic.
The result is a mass migration conducted out of circumstance and ease, not necessarily as a result of due consideration, education or digital readiness.
Treating mobile devices like desktops
Even by July, Action Fraud had received 13,820 reports of COVID-19-related scams, amounting to more than £11 million being lost across 2,866 victims of these scams. More recent data has shown that, in the banking sector alone, scams have surged by 84% during lockdown. That this particular sector is being targeted at a time when bank transactions are conducted so prominently through mobile devices is no coincidence. In a climate where people’s vulnerability levels have increased, and their digital preparedness is dubious, security risks were already reaching new heights. This combination makes this year a cybercriminal’s dream.
For enterprises themselves, it’s been something of a step into the unknown too, with very few having planned for the speed of transition to remote working, even if some were already supporting remote staff and others were beginning to develop a strategy for this in the future.
To suddenly have to try to account for each employee’s digital infrastructure at home was challenging enough. To further ensure that they carry over the same levels of vigilance and safety to their mobile devices presented an even bigger challenge under such strained and rushed circumstances.
Fortunately, in most cases, it’s not too late. Preventative measures and much-needed education can be achieved relatively quickly to bring workers up to speed on what’s required, and to make this mobile strand of the digital ecosystem more robust in the future.
Based on a mutual and open line of communication, employees should also be striving to safeguard their digital lifestyle with the same urgency that their employers would look to protect the data their staff has access to. This includes mobile devices.
As the transition occurs, general cybersecurity hygiene that would usually be applied to a work desktop without question needs to be applied to the mobile realm as a norm, too. Dropping levels of vigilance just because you associate that device with the mundane or the personal isn’t an option in this adapting business environment. Security awareness and the development of a corporate security culture are vital to make staff more resilient, and to secure the business environment.
Prioritise the critical
The shift in the pendulum from desktops to mobile devices, together with the blurring and merging of corporate and consumer activities, is indicative of the changing security landscape. Businesses and consumers alike must recognise this shift and take action to protect themselves.
Just because ‘the critical’ is now sharing a room with ‘the everyday’ doesn’t mean it can be treated in a casual manner. The risks of exposing not just your own information, but data that belongs to the company you work for, and its clients, make it essential to extend good security practices to all devices, including mobile devices.
We’re currently going through a time of immense social and corporate change, which attackers are looking to exploit. As business shifts to mobile to navigate those changes, so must security.
The author is David Emm, principal security researcher at Kaspersky.