sb-as logo
Story image

One in five employees download commercially sensitive files onto personal devices

One in five (20%) employees has downloaded commercially sensitive or confidential company files on a personal device while working from home, according to a new study by PYB.

Of these respondents, 40% admitted that the devices either had no password protection or no up-to-date security installed.

"Out of all corporate cybersecurity loopholes, the most overlooked one is employees personal smartphones," says Daniel Markuson, digital privacy expert at NordVPN.

The reason employees use personal devices for work is that, according to data from 2018, only 39% percent of companies provided their employees with corporate smartphones. As a result, employees accessed back-end corporate infrastructure from the same devices they use for chatting, snapping, tiktoking, shopping, and browsing. 

"Employers simply lost control over their information," says Markuson.

He says corporations were highly unprepared for challenges brought about by remote work. During the lockdown, NordVPN Teams saw a 165% usage spike and an almost 600% increase in sales overall. Companies were acquiring basic cybersecurity tools at the last minute. As a result, cybersecurity incidents spiked by 2,000% between February and March this year.

Mobile security unquestionably an oxymoron

NordVPN says that compared to mobile, desktop devices are more helpful to cybersecurity-literate users in avoiding attacks via social media or email-based spear phishing and spoofing attacks that attempt to mimic legitimate webpages. 

But when it comes to a smartphone, the screen size and software specifics limit users ability to assess the quality of a websites SSL certificate.

GUI (graphical user interface) elements that call to action, such as download, accept, reply, and like buttons, make it easier to fall for fraud on mobile devices. What's more, it's impossible to hover over a hyperlink to see the address behind it. 

"That's why users dealing with emails on a mobile device are far more likely to fall victim to a phishing attack than those who use a desktop," says Markuson.

According to Verizon's 2019 data breach investigation report, the final nail is driven in by how people use mobile devices. 

"Users often interact with their mobile devices while walking, talking, driving, and doing all manner of other activities that interfere with their ability to pay careful attention to incoming information," NordVPN says.

Training, training, training

Markuson says no tool can prevent the human error of giving away a password or installing a malicious code despite the flashing notifications of cybersecurity tools. 

"That's why cybersecurity training should include the recognition of phishing attacks or malware on mobile," he says. 

"Additionally, employers should cover and encourage the use of mobile VPNs," Markuson says. 

"Leading VPN solutions offer consumers products comparable to enterprise-grade services to secure personal devices. Besides masking  users IP addresses, a VPN also makes it impossible to track or intercept online browsing. Enabled VPNs encrypt data, prevent malicious websites from opening, and partially serve as antivirus software."

Apart from a VPN, there are other security measures that should be taken to increase employees safety online, Markuson says.

"One such measure is a password manager, such as NordPass, which generates strong and unique passwords and keeps them in a secure vault. It also allows securely sharing passwords and notes among employees. 

"And, finally, file encryption services, like NordLocker, encrypt all types of files on a computer and in the cloud. Such tools let workers keep their work confidential and safely share it with their colleagues."

Markuson says employees are not the cause, they are also the victim. 

"Once hackers have access to corporate infrastructure, they can easily infect all connected devices with malware. The latest mobile operating systems, especially iOS, are designed to limit the ability to execute malicious code, but this doesn't prevent it from spreading like fire to the corporate infrastructure," he says.