Mobile technology has blurred the line between an employee’s work life and personal life. Employers and employees both benefit when workers have greater flexibility and control over their time. Yet the technology that enables that control can expose an employer’s information systems to an increased risk of a cyberattack and data theft. For example, a 2016 cybersecurity report indicates that nearly 20 percent of all corporate data breaches originated through an employee’s use of his or her own device outside of a regular work environment.
Employer Policies
Employers will not readily revert to prohibiting employees from using their personal devices for work purposes or from doing work outside of the office. To protect their networks and systems, however, those employers will need to implement more robust training and technology to ensure that the cybersecurity policies that apply to the employer’s systems and assets extend to all mobile technology, including personal employee devices.
Cyberattack Defense
Protection against malicious mobile apps is the first level of defense. Employers have enterprise-level control over devices that they own, and that control allows them to limit the apps that are loaded onto those devices. This control is absent from employee-owned devices. An employee may load apps onto his or her own device that carry malware or other code. That code can enable a hacker to use the personal device as a conduit into the employer’s systems when the employee uses that device to access those systems. To guard against this malware, employers should implement endpoint and network security solutions that impose more stringent standards on network login attempts when those logins come from an employee’s personal device.
Best Practices
Apart from technology solutions, employers can develop and impose detailed policies for employees’ use of their own devices for work purposes. Those policies can include some or all of the following practices:
- Partition personal devices with mobile device management technology to insert a barrier between work and personal use of those devices;
- Limit use of personal devices for work only to employees who have a higher need for that use;
- Require employees to register personal devices that they intend to use for work purposes, and actively monitor the usage of devices on that register;
- Establish mechanisms and standards for remote data wipes, including protocols for notifying employees when work-related data can be wiped from a personal device;
- Limit access to employer networks only to personal devices that are on an approved list of safe technologies (e.g., electing a “choose your own device” over a “bring your own device” policy);
- Require employees to use complex passwords and to change those passwords frequently for all apps installed on personal devices that are used for work.
Case For Insurance
Even with these policies and procedures in place, employers need to recognize that the most robust cybersecurity solutions will not provide perfect protection against a data breach, regardless of whether that breach originates with an employee-owned device or otherwise. Mobile devices can be lost or stolen, or an employee might inadvertently connect to a corporate network through an unsecured Wi-Fi hotspot. Cybersecurity insurance is the final layer of defense that an employer can adopt for those times when its other technical defenses fail.
This is particularly true for small and medium-sized businesses, which are becoming more popular targets for ransomware, phishing, and other types of cyberattacks. A single cyberattack on a small business can wipe out one or more years’ worth of profits. Potentially, this can drive the company out of business. Employees need to understand that their jobs will be at risk if they do not follow good cybersecurity practices. It is therefore critical that their employers adopt provisions to recoup losses that flow from a successful cyberattack.