A ‘culture of carelessness’ among UK corporate mobile device users has been revealed by a new survey, which also caught out people unwittingly logging on to an ‘evil twin’ WiFi hotspot so their passwords and banking details could be stolen.
The Trend Micro/Vision Critical survey of 2,500 people in the UK found that nearly six in ten (57 percent) don't have a password lock on their device – the most common form of security protection. Even among those people using their device solely for work, only 54 percent use a password lock.
Meanwhile more than a quarter (27 percent) of respondents have had up to three mobile work devices lost or stolen – and over half of victims (52 percent) were out drinking when they mislaid their mobile.
The researchers also ran an ‘evil twin’ experiment at busy commuter spots in central London to show how easily mobile devices could be hacked for their data. They teamed up with Dr Chris Brauer, founder of the Centre for Creative and Social Technologies at Goldsmiths College London, and ethical hackers from First Base Technologies to set up a WiFi hotspot masquerading as a legitimate site and test the reaction of those people caught out.
The researchers found that none of the people involved knew anything about ‘evil twin’ hotspots before, nor that they could be used to skim data from people connecting to them. Their reactions ranged from ‘scared’ and ‘paranoid’ to ‘invaded’, ‘criminal’ and ‘embarrassing’.
The survey is concerning for CISOs because 20 percent of the respondents use their smartphone for both work and personal purposes and 24 percent use a laptop likewise – yet most people were unsure how to protect the data on their device if it was lost or stolen. A total of 29 percent did not know what to do and 27 percent weren't sure.
To address this, Trend Micro security adviser Mick Paddington said security professionals need to tackle the human behavioural problems of people using mobile devices, as well as simply securing the technology.
He told SCMagazineUK.com: “To mitigate the risk of these devices causing issues they need to educate their users, make them aware of the risks involved. Because whilst you can put a lot of the technology in place to mitigate that risk – whether it's encryption or secure passwords - it's still down to human behaviours as to how these devices are being lost.”
Paddington said a key problem is that “whilst we teach people how to use the technology we don't tell them the risks in using that technology”.
He also said user education needs to be followed up to confirm people have got the message. “The education piece is probably there but it needs monitoring and testing. The education is taking place, but the testing of whether it's effective isn't.”
Meanwhile, a US survey has found similar issues with BYOD and mobile device usage. According to the joint Ponemon Institute/Zix Corporation ‘BYOD Security: A Fresh Perspective’ survey of around 900 IT and IT security specialists, more than 60 percent say their companies support BYOD – but 46 percent of those companies do not use tools or policies to protect corporate data.
In addition, 60 percent of respondents are unsatisfied with their current BYOD solutions, mostly due to cost and inadequate security.
Dr Larry Ponemon, chairman of the Ponemon Institute, said: “The speed at which BYOD took hold of the business community is unlike any technology trend we've seen before. Companies are swiftly adopting BYOD to enable work productivity and create efficiencies but are hitting significant road bumps in cost, security and employee concerns. The evolution of BYOD solutions to overcome these challenges is necessary for full adoption across companies and among the entire employee base.”