How Employees Become Pawns for Hackers

Employees are the greatest security risks, especially since they are prone to be used as pawns for hackers. That’s why they are vulnerable to attacks.

Mobile technology has changed the landscape of business these days. It has enabled employees to set up virtual offices, have more work flexibility, and even extend working on their own devices from mobile phones, tablets, and laptops—all of which were seen as increases to one’s productivity.

In fact, the BYOD (Bring Your Own Device) trend is widely accepted and part of most technology-run businesses. While this has certainly brought advantages, it also poses risks, particularly when it comes to security for your business.

Employees are your greatest security risks, especially since they are prone to be used as pawns for hackers. Here are some ways they are vulnerable avenues for hacking:

1.     The scope of security doesn’t extend to all devices.

IT support can only do so much, such as restricting certain access points to your network, but they wouldn’t be able to control and prevent security issues on devices themselves

Take for example, the latest news about Samsung Galaxy phones having a massive security flaw and ninety-five percent of Google Android phones open to an attack because of a tool installed by default in their products.

These bugs in mobile devices have “remote code execution” triggers, where they can write code to the device and steal data for phone sections that can be accessed by those apps. What’s even scarier? It triggers before you even receive a notification, and as of this writing, several mobile phone companies haven’t confirmed if they have deployed security updates yet.

2.     There are software that may be installed in devices that you wouldn’t be able to control.

One security risk for BYOD is not having full control of the software or applications your employees can install. When IBM implemented the BYOD policy in 2010, they realized that most employees’ mobile devices and laptops were full of software it couldn’t regulate.

And let’s be honest, when an employee uses his own laptop or device for work, there’s a hundred percent chance that he’s also using it for personal purposes and someone other than him might be using it too.

You wouldn’t be able to impose exclusivity, and when this happens, you’re also opening your organization’s network and information for an opening for data breaches.

3.     Employee negligence and lack of compliance.

According to a 2011 study by the Ponemon Institute, 39% of all data breached involved employee negligence, and 37% of data breached involved a malicious or criminal attack.

Employee negligence—whether deliberate or accidental, allows hackers to identify openings for a data breach or hack. For example, employees that have their office mail installed in their smartphones and use them to create open Wi-Fi hotspots are exposing their company’s confidential information for eavesdropping.

The 2012 iPass Mobile Workforce Report also said that only 55% of workers who use mobile devices they surveyed enabled remote wipe on their smartphones in case it gets lost of stolen; those using their tablets scored even lower with 30%.

Lack of compliance is also a big issue, even without considering the BYOD policy. For example, 25% of those employees surveyed do not follow their IT security’s requirements when it comes to their smartphones, and 12% do the same on their tablets.

Most of the time, mobile employees do not even bother logging into virtual private networks required and set up by IT security to do work and just log on to the Internet the usual way.

Employees are your biggest security risks

Mobile technology has indeed given employees more freedom and flexibility in their work and studies have repeatedly affirmed that it has also caused an increase in their productivity. However, it also has blurred lines between personal and workspaces and increased the vulnerability of your organization when it comes to compromising your network.

It is not a bad idea—but first and foremost, it should be part of your organization’s security strategy. As with all policies, never implement one without first fortifying your network, developing a solid plan on implementation, mitigation and recovery, and ensuring strict compliance.

About the Author Vladimir de Ramos

Vladimir de Ramos has been in the IT industry for more than 22 years with focus on IT Management, Infrastructure Design and IT Security. Outside the field, he is also a professional business and life coach, a teacher and a change manager.

He is a certified information security professional, a certified ethical hacker & forensics investigator and a certified information systems auditor.

Check out Vlad’s IT community here: http://www.aim.ph/

Edited by Pierluigi Paganini

(Security Affairs – Employees , Security Awareness)