Employees Run Risks by Accessing Email and Shared Docs using Personal Devices
By Tom DeSot, EVP and CIO of Digital Defense, Inc.
Employees continue to struggle to recognize security policies at their companies, according to a recent survey by Clutch. 1,000 full-time employees were surveyed about their IT security awareness and behavior. Here are some of the key findings:
- 64% of employees use a company-approved device for work purposes
- 40% have encountered regulations regarding the use of personal devices for work purposes
- Of those who use their personal devices at work, most (86%) use them for email. 67% use them for shared docs.
So, what do these findings say to you about employee security practices and behavior? Because mobile devices are increasingly utilized for work, organizations must develop security regulations to ensure critical organizational data is not compromised. Email communications and access to company documents must be properly secured. Employees must realize that if they are utilizing a company mobile device, they are bound to security policies and practices and must acknowledge their responsibility for ensuring there is no risk of data compromise.
Employees still run risks by accessing email and shared docs using personal devices, even if they are company-approved. The risks are much the same as those for information that is accessible through a breach on a traditional device. Depending on the organization, the level of access granted to the employee, and the information available through email and corporate documentation, a cybercriminal could gain access to the following information:
- Intellectual property
- Corporate strategies
- Financial information
- Employee information such as Social Security numbers and data on salaries
- Client information on consumers such as credit card numbers and sensitive personal data
Following are some suggestions to help ensure security among employees using personal devices for work.
- Before enabling employee access to organizational data, the company should have in place policies surrounding mobile devices. Regular security awareness training on mobile device security should be conducted to assess employees' retention and adherence to policies.
- Provide clear guidance to employees on password development, such as the number of characters, utilization of password managers (i.e., password vaults) and the frequency of mandatory password changes.
- Ensure employee mobile devices have encryption, GPS and remote data wiping capabilities enabled to protect against exposure in the event the mobile device is lost or stolen. Any such incident must be reported immediately to the department in charge of information security.
- Employees must agree that they cannot allow any other individual, including coworkers, family members or friends, to access their phone if it contains corporate data (yes, this actually happens and poses a high risk for the exposure of sensitive data).
- Since many apps have not been developed with rigorous security and hackers are developing malicious apps, a strong app policy should be developed and communicated. Employees must know the company's policy on app use and only load approved apps.