Symantec’s Robert Arandjelovic looks at the security risks of employees using their personal devices for work purposes.
We’re in the midst of the biggest shift in working practice that has ever taken place. Everything from the gig economy, to digital nomadism, to remote working is altering our approach to work. This isn’t an emerging trend anymore. It’s now a reality in most organisations, and while many foresaw the IT challenges, the security consequences are finally becoming evident.
The ability to work flexibly or remotely is expected by most workers, but this comes with a weight of expectation from the employer. The social implications of these expectations have already made their way into legislation. Out-of-hours working became such a contentious issue in France that the country introduced a law that gives workers the right to disconnect from work emails at the end of the working day. But now, the security implications of this new normal are making their presence felt.
Over half of Europeans (58 percent) say they have accessed work through a personal device before or after their working day, according to research commissioned by Symantec. Today, four out of five Europeans use their own mobiles, laptops or tablets for work, rather than ones supplied by their employer. Whilst over half of those use them inside the workplace, nearly three quarters said they use them outside of work.
Whilst using personal devices for work isn’t a new concept, the security of these devices is all too often left in the hands of the individual. But all too many are not holding up their end of the bargain. Only half of European employees use updated secure devices. This means that many are leaving these personal devices used for work vulnerable to malware. With a growing number of devices being thrown into the mix, there’s a danger that the problem could worsen.
Whilst expectations around where and when work is done no longer span 9am to 5pm, some areas have yet to catch up. Most companies still have security and management principles founded in the old world. Many are choosing to dismiss “unauthorised” device or application usage as being outside of their remit.
Personal device, corporate headache?
Use of personal devices has often been a grey area for companies. Regardless of their efforts to tie employees to set devices or applications, or limit access for personal devices, employees often persist in using the devices and applications most convenient for them. And because of executive endorsement and proven productivity benefits, many IT departments are conflicted when it comes to blocking this usage, or finding ways to securely enable it.
Employees unhappy with the speed at which their companies approve new apps or the functionality of official work apps often go under the radar. In what is commonly referred to as shadow IT, employees end up installing apps or using devices that the IT team hasn’t approved, and is often completely unaware of. And how can a firm secure the use of software or devices it knows nothing about? It leaves a security shortfall where IT departments aren’t tooled up to sweep up after their workers.
The fundamental challenge here is that workers are happy to leave the security of their personal devices to chance, and it is resulting in a significant security risk to the organisation. Only one in six (18 percent) workers ensure their security settings are automatically updated. This reveals a significant security risk: 82 percent have to regularly update their security settings manually. Worst of all, one in eight (13 percent) respondents don’t even know the security status on their devices. Not surprisingly then, only half (52 percent) of employees who have used a device in Europe could confirm the security software on both personal and work devices is up to date at all times.
Time for change
These days the consequences are too great to gamble with. Cyber risk is increasingly being discussed as a strategic issue, all the way up to the boardroom. Data breaches or outages in service caused by vulnerabilities – including those presented by poorly secured devices – have far-reaching impact. Whether it’s falls in share price, regulatory fines or simply dealing with the technical and business disruptions, all are costs likely to make your CFO blanch.
For a long time, data risk was viewed as the cost of doing (flexible) business, but today that’s simply not true. Endpoint protection, matched with a strong cloud security fabric, creates an integrated cyber defence system that works across both work and personal devices. This will make sure that firms are covered from all angles, so the onus isn’t solely on the employee to protect corporate data on their personal devices.
This shifting of workplace boundaries will only accelerate. Per recent estimates, by 2020 over half of the workforce is expected to consist of freelancers and contractors. The technology is readily available to help companies to secure their entire networks – even when accessed by personal devices.
The challenge, then, is to shift those preconceived notions about how security works. A company no longer resides within the four walls of the office and working hours are no longer between nine and five. Our relationship with work, and with technology, is not what it once was. Security needs to follow suit.