5 steps to more mobile-security-savvy employees

It takes more than policies and penalties to make your workers smart about mobile security.

When it comes to mobile device security, we are our own worst enemies. Despite the fact that many people have come to rely on their mobile devices 24/7, most users don’t appear to be getting any smarter about security, researchers say.

In 2012, 44% of adults were unaware that security solutions existed for mobile devices, according to Symantec’s Threat Report. That figure rose to 57% in the security vendor’s 2013 report, which was released in April 2014. Researchers say a lack of education among users is partly to blame. For example, people who move to smartphones after years of using feature phones with limited security requirements often aren’t aware of the need to install security apps.

Looking ahead, experts agree that mobile malware and scams will only increase as users pack their phones with rich and sensitive data. Those devices often also have access to corporate data because most employers include mobile devices in their arsenal of productivity tools.

Adding to our mobile security problems, the number of lost mobile devices keeps growing. According to a survey by Consumer Reports, 1.4 million smartphones were lost and never recovered in 2013, up from 1.2 million in 2012.

With so many ways to put devices and corporate data at risk, there’s no one-size-fits-all solution to mobile security. “To date there is really not a perfect way to secure a device from an employee,” says Jamisson Fowler, vice president of IT at WellPoint, an Indianapolis-based health benefits company. “They are always prone to their own sets of mistakes, and there’s not a tool out there to absolutely lock the device down.” But there are ways to make employees more savvy about mobile security.

Here's a look at five types of employees who are prone to risky behavior, with tips on how to teach them to be diligent about safeguarding devices and data.

1. The unsuspecting

Some people are susceptible to social engineering scams and phishing attempts because they’re unaware of the dangers lurking online. How do you train them to recognize and avoid the bad guys’ ever-changing tactics?

Solution: Go phishing

Cybercriminals are always looking for the next big hack, and mobile devices are the new frontier. Attacks that proved successful on PCs are now being tested on unwitting mobile users to see what works — and with the number of mobile devices with poor protection soaring, there are plenty of easy targets. “Attackers are definitely searching for the weakest point in the chain” and then homing in on the most successful scams, says Lior Kohavi, CTO at Cyren, a provider of cloud-based security systems in McLean, Va.

[Photo: Lior Kohavi, CTO at Cyren]

At German medical device manufacturer Karl Storz GmbH, the security approach for the 2,200 mobile devices IT manages is the same as the security approach for internal systems. “We want to make people aware of phishing attacks,” says David O’Brien, director of enterprise technology at Karl Storz Endoskope in El Segundo, Calif.

With internal systems, the company uses a training program from PhishMe to run simulated email and social engineering scams on employees to see who bites. In some early exercises, a shocking 70% of the IT group fell for the most basic phishing scams, willingly clicking on links and entering their IDs and passwords. Those who took the bait included “my most senior IT people,” O’Brien recalls.

Of course, bad guys engage in social engineering not only via PC-based systems but also through mobile systems. No matter the medium, the ploys prey on trusting users who unwittingly click on links that download malware that crooks use to access corporate data and networks. Phishing messages opened on mobile devices can infect laptops and enterprise systems, says Stu Sjouwerman, co-founder of security training company KnowBe4 in Clearwater, Fla. He offers this simple piece of advice: “Think before you click.” The phishing exercises taught Karl Storz employees to recognize scams and provided tips on how to avoid them.

“These types of attacks will impact any device — mobile or otherwise,” O’Brien says. “In our tests, nearly 20% of our end users who failed the phishing exercise did so on their iOS devices [iPhones or iPads]. I am certain that our future tests will reveal a greater percentage of mobile device usage.”

Security is part of the corporate culture at technology giant Raytheon. About one-third of the Waltham, Mass.-based company’s 63,000 employees worldwide use company-issued smartphones and tablets, and the “human factor” is always the wild card when it comes to security, says Jon Aliber, vice president of global business services IT.

“It does come down to the individual and making sure they’re in tune to what a phishing scam looks like,” says Aliber. Raytheon uses social collaboration and blogging tools to make employees aware of newly identified phishing scams. The company also requires all employees to complete an online security training course annually.

2. The new mobile device owner

People who are getting tablets or smartphones for the first time represent a security risk because they don’t know what they don’t know.

Solution: A no-shaming policy

WellPoint gives iPads to about 500 clinicians and service coordinators who visit elderly, blind or disabled patients at home. Fowler describes most of these mobile users as “not quite technically savvy and a bit uncomfortable” using the technology.

Fowler’s team was surprised to learn that some of those employees were ashamed or afraid to tell the IT department when they had misplaced their iPads. “People would wait a day or even three days and then admit that they thought they lost it — or they were just looking for it now — and they were ‘pretty sure it has been misplaced,’” he recalls. “Sometimes we would find it had been stolen, or sometimes left at a home — and we would locate it through location services.” But the lag time put devices and sensitive information at risk.

So Fowler’s team came up with two solutions. First, to make it less likely that clinicians and service coordinators would inadvertently leave their iPads at home, IT gave them carrying bags big enough to hold their iPads and their paperwork. The staffers were also trained to call IT immediately if they thought they’d misplaced their devices. Second, to make it more likely that people would indeed call about lost iPads, IT instituted a no-shaming policy to reassure staffers that they needn’t be embarrassed about misplacing devices.

“We’re not going to yell at anybody about losing them. [IT] people know not to do that,” Fowler says. “When [clinicians] call the iPad team, people are just glad to help. There are times when we find the device is missing, but then we can initiate our security protocols.”

To reduce the risk of a breach if a device is indeed stolen, new iPad users are trained in the importance of password protection and instructed to use multiple passwords. “We go through a process of training, via online teleconferencing, not just on the device but on the importance of passwords and keeping them separate,” Fowler explains. “We also walk them through some examples of how they can get themselves in trouble.” For instance, he created fake phishing emails that illustrated how a scam might look on Facebook, and a phony bank email asking for information. The lesson learned, says Fowler, is this: “If you use similar passwords across the device, and the software we’ve deployed has . . . patient information, you could put yourself or the company at risk.”

3. The absent-minded

Most people consider their personal information to be priceless and guard it closely, but some are less careful with their employer’s corporate data and devices.

Solution: Gamification and other ‘sticky’ reminders

The Michigan state government must keep track of 17,000 smartphones and tablets used by state employees. Last year, workers lost 256 state-issued mobile devices, including smartphones, tablets and laptops.

[Photo: Daniel J. Lohrmann, Michigan’s chief security officer]

In the past, “training was frankly a failure here,” recalls Daniel J. Lohrmann, Michigan’s chief security officer. “It was death by PowerPoint,” he says of the one-hour presentation that he suspected few people were watching in its entirety. “So we threw it away.” Lohrmann wanted to overhaul the state’s approach to training. Users said the old program was boring, irrelevant and didn’t teach them anything. He says he had to make it brief, interactive, fun and interesting and, most importantly, find a way to “teach things that people didn’t already know.”

So the team picked a vendor to provide training that includes video-game-based lessons. Lohrmann says one of his favorite modules offers an interactive lesson on lost or stolen devices in airports. That’s an important subject; travelers left 8,016 wireless devices at just seven airports — Chicago, Denver, San Francisco, Miami, Orlando, Minneapolis-St. Paul and Charlotte — according to a 2012 airport survey by Credant Technologies, now part of Dell. Smartphones and tablets made up 45% of the wayward devices, and laptops accounted for 43%. About half of the devices were returned to their owners, and the rest were donated to charity or auctioned off, according to Credant.
