Are mobile devices the Achilles’ heel of your cyber defense?
In today’s always-on working environment, it’s not unusual to be checking your emails from your smartphone on the commute to work, or perhaps to be making a quick edit to a slide in the next day’s presentation on the family iPad from your living room.
While arguably not the best practice for our overall work-life balance, it’s now a widely accepted fact that the pressures of work, coupled with the feeling of needing to be contactable from dusk to dawn, mean that more and more personal mobile devices are being connected to your organization’s IT infrastructure.
Employees aren’t just connecting to wi-fi; they’re accessing company email servers, cloud drives, CRM software, email campaign managers, and more, abetted by the easy UX of apps that are mere seconds and swipes away in the app store.
While working from home has never been so easy, threats from cyber attacks have never been more prevalent, and according to a report by Ponemon Institute sponsored by Keeper Security, mobile devices are now the most vulnerable endpoints or entry points to networks and enterprise systems in SMEs.
In a survey of over 1,000 IT and security practitioners from across the UK and US in July this year, covering businesses ranging from 100 to 1,000 in staff size, 55 percent of respondents named mobile devices as their organization’s biggest cybersecurity weakness.
Just shy of one half (49 percent), meanwhile, said that the use of mobile devices to access business-critical applications and IT infrastructure affects their companies’ security posture.
The findings emerge as phishing and advanced malware attacks are on the rise. Respondents reported that phishing, or ‘social engineering’, attacks (so called because they manipulate the user into performing a trigger action, such as opening a link) increased from 48 percent in 2017 to 52 percent in 2018. Advanced malware attacks, meanwhile, grew from 16 percent to 24 percent in the same time frame.
At the same time, the risk of an attack as a result of employee or contractor negligence is only worsening. Nearly two-thirds (61 percent) of companies said negligent employees put their company at risk of a ransomware attack, a year-on-year increase of 3 percent.
With companies now facing crippling penalties for data breaches, such as under GDPR in Europe, which holds those in breach accountable for up to 4 percent of their annual turnover, SMEs can no longer bury their heads in the sand when it comes to enforcing adequate cybersecurity measures and processes.
For smaller companies, however, having both the right leadership and sufficient budget in place for cybersecurity remains a key challenge, each cited by more than a third of respondents. Just over a third (35 percent) claimed that no one function within their organization determines IT security priorities, a worrying uptick of 5 percent on last year.
While it may be difficult for many companies to prevent employees from accessing company IT via their own smartphones (even handing out company phones could eventually lead to the same issues), there are some simple measures that are realistically within reach.
Depending on your company’s password policies, a regular and systematic refresh of employees’ passwords across key applications, such as email, G-Suite or OneDrive, could ensure password strength is sufficient and changes are tracked.
Meanwhile, employees can be encouraged to use biometric authentication on their devices, such as fingerprint or voice, which is much harder, although not impossible, for malicious parties to hack.
If you think it sounds like too much work taking these pretty basic initial steps, it’s worth noting that 40 percent of respondents claimed their company was attacked as a result of an employee password breach, with the average cost of each attack amounting to US$383,365.