Some 43% of employees have been targeted with work-related phishing attacks on their personal devices, says a survey from SlashNext.
Employees might feel more comfortable using personal devices for work and even save the company money in doing so, but there is a costly trade-off: security.
A report released on March 30 by cybersecurity provider SlashNext explored how employees’ use of personal apps and devices can open the door to security threats, revealing that 43% of employees have been targeted with work-related phishing attacks.
For SlashNext’s The Mobile BYOD Intelligence Report, the company surveyed 300 individuals about the use of personal devices for work, how employers balance security and employee privacy with the popularity of Bring Your Own Device, and the resulting gaps in cybersecurity. The recipients included security professionals and employees across organizations with more than 1,000 workers in North America.
Reasons why BYOD is increasing
Right off the bat, the survey found that the use of personal devices for work has been increasing. One reason for this is convenience. As more people work remotely or adopt a hybrid approach, employees want to be able to do their jobs from anywhere and at any time, which often requires that they use their own PC or mobile device.
Another reason for BYOD is comfort. People are already familiar with their own devices and apps, which lessens the learning curve involved in using a different, company-issued device.
How employees use personal devices for work
Amid the rise in BYOD, these are the three most common work-related tasks that people perform on their personal devices, according to SlashNext’s survey (Figure A):
- 66% of the employees use their personal texting apps for work.
- 59% use their personal and private messaging apps for work.
- 57% sometimes use their work email for personal reasons.
The survey also revealed that 85% of employers require work-related apps to be installed on their employees’ personal devices.
How BYOD can lead to security threats
The downside here is that this blurring of personal and work devices and use can easily lead to security threats. Among those surveyed:
- 71% said they store sensitive work passwords on their personal phone, opening the door to compromise.
- 43% of the employees have been the target of a phishing attack on their personal device.
In response, 95% of the security professionals surveyed said that phishing attacks delivered via private messaging apps are a growing concern.
“Most enterprises support some form of BYOD, which brings a consumer-level hack into the realm of an enterprise being compromised,” said Bud Broomhead, CEO at cyber hygiene firm Viakoo.
“Ensuring that employees are not using personal passwords in their work environment can help to reduce the possibility of compromise, however, the blurred lines between work life and home life are making it easier for cyber criminals to perform exploits aimed at enterprise systems and data.”
How BYOD can lead to control and privacy challenges
The use of BYOD can also trigger control and privacy issues. For instance:
- Do IT and help desk staff have the freedom and responsibility to enforce company policies on personal devices? If so, how do they make sure those devices are configured and updated to adhere to security best practices?
- Are there legal and compliance issues involved in storing sensitive work data on personal devices, especially if such devices are ever lost or stolen?
Among the security pros surveyed, 90% said that protecting the personal devices of employees is a top priority. However, only 63% said that they have the right tools to accomplish this. In addition, 89% of them said that they have legal concerns about having access to the private data of employees.
Possible solutions to these BYOD security challenges
With many threats targeting mobile devices, 81% of security pros believe that security and privacy issues can be addressed by giving employees a separate phone just for work. But even with two phones, many employees still use their own device for work tasks, which actually doubles the attack surface for cybercriminals to exploit.
One way to deal with this might be to establish a policy to govern the use of both a work phone and a personal phone.
Security training is often touted as another way to prevent attacks, by teaching employees how to avoid them. However, 98% of security professionals surveyed said that, even with regular training, employees are still vulnerable to phishing attacks and other threats.
Security training is a good starting point, according to Broomhead. But beyond the basic training, employers should have a way to test or audit employees to make sure the instructions they receive are actually being followed. Further, organizations with IoT devices need to keep them on separate networks and ensure that they’re updated with the latest security fixes, Broomhead added.
“The good news is this is not an unfamiliar situation,” Broomhead said. “Enterprise IoT devices typically operate on networks not managed by corporate IT, and the best practices from IoT security directly apply in work from home situations.”