Increasingly, businesses large and small rely on mobile devices to run their operations and to deliver more flexible customer service. Many also invite employees to use personal devices for work, whether at home, at a client’s site or in a local café at lunchtime: wherever there is a connection.
When we talk about mobile devices, we immediately think of smartphones. But any device which fits in your pocket, briefcase or shoulder bag is mobile. USB sticks, tablets, laptops, DVD drives and external hard drives – they’re all mobile – and millions are lost every year. Where they end up and what happens to the data they hold sometimes remains a mystery.
Having a mobile device or its data stolen because an attacker broke through your defenses is one thing; losing it through absent-mindedness or poorly thought-out security is something else entirely.
It’s strange. We know how important our mobile devices are to our work and personal lives. The data stored on them, or the access they grant, is in many cases far more valuable than the devices themselves. We know the consequences of losing them and the precautions needed to protect them, yet they still go missing. There are plenty of data breaches each year to remind us to take security seriously; knowledge and warnings are not in short supply. Something else is at play, and the question is what.
Is security being designed out?
The websites, browsers and apps we use, especially on smartphones, encourage us never to log out. “Remember me”, says Dropbox; “Stay signed in”, invites Google; “Keep me logged in”, offers Facebook. In marketing these are known as “nudge” tactics, a concept from behavioral science: framing a question or choice so that the easy option is the one you want people to take can be as effective as direct instruction, legislation or enforcement. Pre-ticked boxes certainly deliver convenience, but they design security out, because they are worded to encourage us to stick with the status quo, a cognitive bias that is hard to overcome. The security cost is concrete: a persistent login is a long-lived credential stored on the device itself, so whoever holds the device holds the account until that login is revoked.
Once logged in, the design and functions of the apps themselves may also make security harder to practise. An employee may be legitimately reading work email in their personal email app, but that means they can pick the wrong sending account or the wrong recipient, and accidentally send company or customer data to a friend.
Similarly, if an employee is managing the company social media accounts from their phone – replying to customer questions out of hours for example – they might be accessing the company accounts via their personal accounts, instead of logging in directly to the company account. Again, if they forget to choose the right account, they could easily publish work-related information to their personal profile by mistake, or worse, post a personal picture on a company profile which your customers might not appreciate.
The design of visual interfaces could be blurring the lines too. Apps which allow multiple accounts to be imported, and switched between, don’t necessarily give each account a unique look and feel. This lack of visual differentiation, even if not intended by the app’s developers, might be making it harder to realize which account is being used.
It goes deeper
We feel safe always being “logged in” because there is no downside that we can easily feel or perceive. Clicking a suspicious link in an email doesn’t feel any different from clicking a legitimate one. Hackers are anonymous and out of sight, not standing over an employee’s shoulder. Malware is invisible. Key-logging spyware is silent. Being logged out has become an inconvenience because it interrupts the flow of work and the enjoyment of our device. And while losing a smartphone or tablet is incredibly inconvenient, many service providers can deactivate them remotely, or let the owner do so. Insurance will probably cover the cost of a replacement. Unless the loss or breach becomes public and causes serious harm or disruption to the business or the people involved, there is little incentive to change our behavior.
Ads for Google’s Chromebook promote a “no need to worry” approach to data security. They don’t offer protection against aliens stealing your laptop, but if aliens do steal it, no problem: your data isn’t on your laptop, it’s in the cloud. It’s this sort of messaging that can undermine the case for protecting your data and devices.
Designing security back in
So what can businesses and employees do to avoid being nudged in the wrong direction?
Tony Anscombe, Senior Security Evangelist for AVG Business, a provider of online security solutions to businesses worldwide, says, “It’s important for small businesses to use the latest hardware, install the latest software patches and keep their antivirus and security software updated. Implementing security policies for the use of firewalls, encryption through a Virtual Private Network, strong passwords and multi-factor authentication are essential to maintain a basic security level.”
But technology is not enough
“Processes and policies need to cater for the mobile way in which people now work but without leaving the business at risk. When employees use their own devices at work, they should log in directly to business accounts, not via their own personal accounts, and untick those nudge options like ‘Remember me’. Employees also need to set their phones not to auto-connect to free WiFi networks they may have used in public places or on client sites. Small changes like that can help prevent accidental sharing or publishing of business data,” continues Anscombe.
Stop believing it can’t happen to your business
Anscombe concludes, “Some businesses might think they’re too small for a hacker to notice, but that’s a myth. A Scottish hairdresser was hacked last year and had their business held to ransom. You don’t have to be a corporate giant to be a target. A hacker may even target your small business to gain access to a larger business that’s your customer. Good security means having the right tools and the right mindset. You have to understand the value of your data and want to protect it.”
About Lee Carnihan
Having lived and worked for SMEs and multi-national corporations in the UK, Saudi Arabia, Finland and the Czech Republic, Lee’s experience allows him to deliver a broad and deep perspective on a variety of business issues including information security, management strategy and sales and marketing.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.