Hackers love smartphones, so should we use them at work?

Interim Chief Information Security Officer and advisor Amar Singh puts his case forward as to why smartphones should still be widely adopted in the workplace, despite security concerns currently hitting the limelight.

Contrary to what many may say, my answer is yes, we should widely use smartphones in the workplace. However, you must be aware of the risks and take appropriate measures to protect your company.

In fact one of the reasons I am writing this piece is to provide some balance in the universe. There was a recent article in a major newspaper that, in my opinion, misleadingly implied that businesses should consider stopping employees from using smartphones! The article referred to the UK Government’s Ten Steps to Cyber Security as the basis of the article.

The UK Government’s Ten Steps encourages organisations to take a sensible approach and, I would argue, a risk-based approach. So will banning smartphones stop cyber attacks? Put simply: No. And there are reasons as to why:

  1. Most people are not going to ditch their smartphones. I know I will not.
  2. In fact, most now carry multiple smart devices including a tablet, a phone, and more recently smart wearables like watches.
  3. Any organisation with its head in the right place will already have adopted a mobile-first strategy.
  4. Cyber attackers will simply find some other way to attack a business. They could even consider reverting to the good old ways of targeting your laptops and desktop computers!

It’s not the Phone — Focus on the Human Element
Many articles and experts have started to blame the human as the primary reason behind cyber attacks, calling the human the ‘weak link’. We need to stop declaring the human as the primary problem. Yes, you and me, us humans that is, are part of the problem, but being flippant about it is not the way to solve this problem.

Again, the government have taken a balanced approach and do not bang on the “it’s your staff’s fault” pronouncement. Here is what one paragraph from the Top Ten document set says:
“Without exception, all users should be trained on the secure use of their mobile device for the locations they will be working in.” To me that sounds more like, “You businesses out there — spend some money, educate and train all your users,” with which I concur.

Yes, Mobile is Insecure, but…
Mobile working is insecure. Any device, including your new TV and old laptop, is insecure as long as it is switched on!
Mobile working has several benefits that both employees and organisations recognise. So accept the facts and have a plan to prevent, detect and respond.
The Ten Steps document contains some good advice that I would encourage all to read and understand. In the meantime I strongly recommend every business owner to:

  • Stop blaming the employee for all your cyber security problems.
  • Support the employee with the necessary technology to ensure that ‘mistakes’ cannot happen easily.
  • Yes there is sufficient technology available today that can help prevent and detect cyber attacks.
  • Some technologies to consider are automatic VPN connectors, micro virtualisation technologies, and encryption technologies.
  • What the government is actually saying is “be pragmatic, understand the risks, and educate the users.”
  • Last, but not least, accept the facts, review the threats specific to your company and understand the risk and have a plan to prevent, detect and respond.

To be fair to the government, it is quite hard producing a document that fits every organisation’s risk profile. The analogy of one size fits all comes to mind. In my own customer dealings I have had more senior board members and business owners ask me about cyber security as a result of the UK government’s efforts to make cyber security a board issue.

I would advise carefully taking a risk-based approach and spending some time understanding the threats and those attackers that would want to target your company. Cyber or not, this is common-sense threat and risk management.

There’s no point spending on technology and preparing for spies monitoring your employees if you, for example, are producing regular cleaning products. In such a company it would make more sense if effort and time were spent on preventing insiders leaking financial or human resource data. That’s what I recommend and that’s actually what the government is trying to say.

The full article features in our June 2015 magazine available here