Out of sight out of mind? The nine-to-five IT security myth

Symantec research study shows only half of European employees use updated secure personal devices at work.

Symantec today reveals YouGov research on the phone security habits of over 3,000 office workers in Great Britain, France, Germany, Spain and the Netherlands.

The research examines the attitudes and behaviours employees demonstrate towards personal devices used for work, highlighting the need for immediate action from IT Security for employees and employers.

The study finds that organisations are exposed to IT Security risks due to a lack of employee awareness of the security implications of using their own personal devices or phone for work.

European businesses and their assets are regularly under threat as almost three in four (72 per cent) of British office workers use personal devices for work.

Remote workers reveal ‘roll the dice’ attitudes to security updates

The research shows that organisations which expect employees to maintain security on their personal devices to the same standards as office IT systems are setting themselves up for failure.

Only 15 per cent of British employees ensure their security settings are automatically updated.

This reveals a significant security risk, as the other 85 per cent of users have to update their security settings manually.

Worst of all, one in eight (13 per cent) respondents don’t even know the security status on their devices.

Not surprisingly then, only half (54 per cent) of British employees who have used a device could confirm the security software on both personal and work devices is up-to-date at all times.

Despite not having the additional protection of network security, things do not improve much for those who work remotely.

German respondents set the standard by demonstrating better security behaviour when working remotely than those who work in an office. Some 70 per cent of remote workers in Germany fully secure their technology compared to 66 per cent of German office-based workers.

By contrast, only 59 per cent of British and 58 per cent of French remote workers maintain their security settings at all times.

Androids and millennials present the biggest threat

Thanks to the variety of devices on which the operating system works, Android is a very attractive option for employees. However, its popularity also makes Android a popular target for cyber criminals.

The survey confirms Android is the most commonly used smartphone operating system for European workers: some 37 per cent of respondents use Android devices to do work, double the penetration which Apple has in the corporate environment (18 per cent).

The difference shrinks to a 6-percentage-point gap in the UK, with 23 per cent using an Android phone and 17 per cent Apple.

This poses an issue for employers as Android devices are regularly targeted by malware. Spain is the country where Android is most popular for work at 58 per cent. Meanwhile the Netherlands is the most popular for Apple phone users at 24 per cent.

Millennials favour mobile devices for work, making them the age group that poses the greatest risk of exposing corporate data.

Nearly all (88 per cent) of British workers under 24 use their own personal devices for work rather than one supplied by their employer. Workers over 45 are twice as likely (29 per cent) to use corporate-sanctioned devices for work.

Phone users aged 25 to 34 were most likely to ignore their organisation’s security policies: less than a third (29 per cent) agree that they’d obeyed all employer instructions around phone and technology usage for work.

Perimeter security is not enough

More than a third of those surveyed (36 per cent) use personal devices inside the workplace. Half (53 per cent) admit using personal devices outside of the workplace to do work. Since these are personal devices, they are unlikely to carry robust enterprise endpoint or other methods of securing mobile workers, which can protect employees outside the office.

The survey data shows before and after work to be the most vulnerable times of the day for corporate networks: more than half of British employees (57 per cent) say they have accessed work through a personal device before or after their working day.

Clearly, securing the workplace during office hours is necessary, but relying on an office network security perimeter alone is insufficient when employees typically log onto work systems outside of office hours on personal devices.

While location and time matter a great deal to workers, what matters most is the security policy of their employer. Integrating security capabilities across the network, endpoint, and cloud provides protection throughout the day, wherever in the world the sun is setting.

‘Follow-the-sun’ security with integrated cyber defence

Robert Arandjelovic, director of security strategy at Symantec, says, ‘This research unveils an uncomfortable truth – traditional security that only spans the corporate network and IT-supplied computers is leaving their organisations exposed.

‘Organisations can expect users to ignore best practices when it comes to security on their personal devices. Only a third of workers polled follow their employer’s advice on IT Security, meaning two-thirds break out of the confines of corporate best practices.’

He continues, ‘Employers have an important role in educating employees, but should also leverage technology to better protect them. To minimise the risk of bad behaviour, intentional or not, organisations need to consider an Integrated Cyber Defence that works across both work and personal devices accessed at any time, in any location, and on any network.

‘This involves powerful endpoint protection coupled with strong cloud security fabric covering work and personal devices, regardless of where they are, who owns them, and what software may be installed.’

Symantec technology can help organisations to maintain IT Security discipline in the workplace, as well as remotely, on work-provisioned and personal devices.

For those who are concerned about the issues raised in this survey, Symantec recommends the following which may help:

For employers

· Provide training and regular communications to employees to improve user awareness of the potential risks of using unsecured personal devices for work, as well as best practices for the safe use of such devices.

· Securely enable the incorporation of personal devices into the organisation’s security policy.

· Be ready to compensate for gaps: there will likely be occasions where users will attempt to use devices that don’t meet minimum security capabilities. Combining endpoint security solutions with robust cloud-based security can provide organisations with complete protection for users accessing corporate resources and data, regardless of what device, network, or country they are connecting from.

For individuals

· Many devices come with a variety of apps and services that are enabled by default. Research the specific capabilities, security features and privacy agreement of these apps and services, then disable those that may present security risks.

· Modify the default privacy and security settings of IoT devices but also be careful when installing unverified applications from unknown sources.

· Use a strong encryption method, such as WPA2, when setting up Wi-Fi networks. If possible, use wired connections instead of wireless.

· Regularly check the manufacturer’s website for firmware updates. Install updates as soon as they become available and, if available, enable automatic updates.

· Set aside time to work with your organisation’s IT team for advice or to review the security settings on your personal device, helping to protect yourself and your employer.

Owen Gough, SmallBusiness UK

Owen was a reporter for Bonhill Group plc writing across the Smallbusiness.co.uk and Growthbusiness.co.uk titles before moving on to be a Digital Technology reporter for the Express.co.uk.
