Employee carelessness poses security risk to businesses

published 21 November 2013

Sensitive business data is being put at risk by the thoughtless behaviour of employees, a new report by Trend Micro has found.

The survey of 2,500 UK adults, published in a report entitled Britain's culture of carelessness with mobile devices, found over a quarter of smartphone users have had up to three work devices lost or stolen, and 63 per cent have no password protection on their phone at all.

The Tube is the most likely place for a phone to be lost or stolen in London (26 per cent), with the District and Circle lines proving to be particular blackspots.

A bar is the second most likely place for a smartphone to disappear (22 per cent), followed by a cafe (11 per cent) and a restaurant (8 per cent), according to the report.

At a roundtable to discuss the report's findings, representatives from Trend Micro, information security consultancy First Base, and law firm Taylor Wessing said the implications were clear for business.

James Walker, a security specialist at Trend Micro, said: "We talk about a watering hole from the point of view of compromising a website, [but if I were a criminal] I could know a bar where a certain target organisation would drink in after work, I could steal a mobile phone that's not password protected, send out a lot of phishing emails to lots of contacts within the organisation... and compromise a lot of people."

Vinod Bange, a partner at Taylor Wessing, added: "If you have an employee within an organisation who kept going to the accounts team and saying can I have 300 from petty cash please?' and came back the following day saying I lost it, can I have another 300?' and then the next day said sorry, I did it again, can I have another [300]?' Who would do that?

"That is because cash is treated in a very particular way and it is about time organisations drew that link to treat information assets, whether it's personal data, confidential IP, or whatever it happens to be with the same degree of [restrictions]."

The report also examined the potential for data loss when using public Wi-Fi hotspots.

A team of ethical hackers from First Base used apps that were openly available on Google Play to clone a recognised Wi-Fi network, which volunteers' devices would then connect to automatically.

A hacker using this type of attack, known as an evil twin', is then able to see all the data sent, including sensitive corporate data and things that would normally be encrypted, like passwords. They could also restore sessions, to further mine data collected during the attack.

The volunteer victims' involved in these experiments said they felt scared that such an attacking method exists and that their privacy had been violated, even though it was just a simulation.

Jane McCallion is Managing Editor of ITPro and ChannelPro, specializing in data centers, enterprise IT infrastructure, and cybersecurity. Before becoming Managing Editor, she held the role of Deputy Editor and, prior to that, Features Editor, managing a pool of freelance and internal writers, while continuing to specialize in enterprise IT infrastructure, and business strategy.

Prior to joining ITPro, Jane was a freelance business journalist writing as both Jane McCallion and Jane Bordenave for titles such as European CEO, World Finance, and Business Excellence Magazine.