
5 steps to more mobile-security-savvy employees

Nov 17, 2014 | 14 mins
IT Jobs | Mobile Security

It takes more than policies and penalties to make your workers smart about mobile security.

When it comes to mobile device security, we are our own worst enemies. Despite the fact that many people have come to rely on their mobile devices 24/7, most users don’t appear to be getting any smarter about security, researchers say.

In 2012, 44% of adults were unaware that security solutions existed for mobile devices, according to Symantec’s Threat Report. That figure rose to 57% in the security vendor’s 2013 report, which was released in April 2014. Researchers say a lack of education among users is partly to blame. For example, people who move to smartphones after years of using feature phones with limited security requirements often aren’t aware of the need to install security apps.

Looking ahead, experts agree that mobile malware and scams will only increase as users pack their phones with rich and sensitive data. Those devices often also have access to corporate data because most employers include mobile devices in their arsenal of productivity tools.

Adding to our mobile security problems, the number of lost mobile devices keeps growing. According to a survey by Consumer Reports, 1.4 million smartphones were lost and never recovered in 2013, up from 1.2 million in 2012.

With so many ways to put devices and corporate data at risk, there’s no one-size-fits-all solution to mobile security. “To date there is really not a perfect way to secure a device from an employee,” says Jamisson Fowler, vice president of IT at WellPoint, an Indianapolis-based health benefits company. “They are always prone to their own sets of mistakes, and there’s not a tool out there to absolutely lock the device down.” But there are ways to make employees more savvy about mobile security.

Here’s a look at five types of employees who are prone to risky behavior, with tips on how to teach them to be diligent about safeguarding devices and data.

1. The unsuspecting

Some people are susceptible to social engineering scams and phishing attempts because they’re unaware of the dangers lurking online. How do you train them to recognize and avoid the bad guys’ ever-changing tactics?

Solution: Go phishing

Cybercriminals are always looking for the next big hack, and mobile devices are the new frontier. Attacks that proved successful on PCs are now being tested on unwitting mobile users to see what works — and with the number of mobile devices with poor protection soaring, there are plenty of easy targets. “Attackers are definitely searching for the weakest point in the chain” and then homing in on the most successful scams, says Lior Kohavi, CTO at Cyren, a provider of cloud-based security systems in McLean, Va.

At German medical device manufacturer Karl Storz GmbH, the security approach for the 2,200 mobile devices IT manages is the same as the security approach for internal systems. “We want to make people aware of phishing attacks,” says David O’Brien, director of enterprise technology at Karl Storz Endoskope in El Segundo, Calif.

With internal systems, the company uses a training program from PhishMe to run simulated email and social engineering scams on employees to see who bites. In some early exercises, a shocking 70% of the IT group fell for the most basic phishing scams, willingly clicking on links and entering their IDs and passwords. Those who took the bait included “my most senior IT people,” O’Brien recalls.

Of course, bad guys engage in social engineering not only via PC-based systems but also through mobile systems. No matter the medium, the ploys prey on trusting users who unwittingly click on links that download malware that crooks use to access corporate data and networks. Phishing messages opened on mobile devices can infect laptops and enterprise systems, says Stu Sjouwerman, co-founder of security training company KnowBe4 in Clearwater, Fla. He offers this simple piece of advice: “Think before you click.” The phishing exercises taught Karl Storz employees to recognize scams and provided tips on how to avoid them.

“These types of attacks will impact any device — mobile or otherwise,” O’Brien says. “In our tests, nearly 20% of our end users who failed the phishing exercise did so on their iOS devices [iPhones or iPads]. I am certain that our future tests will reveal a greater percentage of mobile device usage.”

Security is part of the corporate culture at technology giant Raytheon. About one-third of the Waltham, Mass.-based company’s 63,000 employees worldwide use company-issued smartphones and tablets, and the “human factor” is always the wild card when it comes to security, says Jon Aliber, vice president of global business services IT.

“It does come down to the individual and making sure they’re in tune to what a phishing scam looks like,” says Aliber. Raytheon uses social collaboration and blogging tools to make employees aware of newly identified phishing scams. The company also requires all employees to complete an online security training course annually.

2. The new mobile device owner

People who are getting tablets or smartphones for the first time represent a security risk because they don’t know what they don’t know.

Solution: A no-shaming policy

WellPoint gives iPads to about 500 clinicians and service coordinators who visit elderly, blind or disabled patients at home. Fowler describes most of these mobile users as “not quite technically savvy and a bit uncomfortable” using the technology.

Fowler’s team was surprised to learn that some of those employees were ashamed or afraid to tell the IT department when they had misplaced their iPads. “People would wait a day or even three days and then admit that they thought they lost it — or they were just looking for it now — and they were ‘pretty sure it has been misplaced,’” he recalls. “Sometimes we would find it had been stolen, or sometimes left at a home — and we would locate it through location services.” But the lag time put devices and sensitive information at risk.

So Fowler’s team came up with two solutions. First, to make it less likely that clinicians and service coordinators would inadvertently leave their iPads at home, IT gave them carrying bags big enough to hold their iPads and their paperwork. The staffers were also trained to call IT immediately if they thought they’d misplaced their devices. Second, to make it more likely that people would indeed call about lost iPads, IT instituted a no-shaming policy to reassure staffers that they needn’t be embarrassed about misplacing devices.

“We’re not going to yell at anybody about losing them. [IT] people know not to do that,” Fowler says. “When [clinicians] call the iPad team, people are just glad to help. There are times when we find the device is missing, but then we can initiate our security protocols.”

To reduce the risk of a breach if a device is indeed stolen, new iPad users are trained in the importance of password protection and instructed to use multiple passwords. “We go through a process of training, via online teleconferencing, not just on the device but on the importance of passwords and keeping them separate,” Fowler explains. “We also walk them through some examples of how they can get themselves in trouble.” For instance, he created fake phishing emails that illustrated how a scam might look on Facebook, and a phony bank email asking for information. The lesson learned, says Fowler, is this: “If you use similar passwords across the device, and the software we’ve deployed has . . . patient information, you could put yourself or the company at risk.”

3. The absent-minded

Most people consider their personal information to be priceless and guard it closely, but some are less careful with their employer’s corporate data and devices.

Solution: Gamification and other ‘sticky’ reminders

The Michigan state government must keep track of 17,000 smartphones and tablets used by state employees. Last year, workers lost 256 state-issued mobile devices, including smartphones, tablets and laptops.

In the past, “training was frankly a failure here,” recalls Daniel J. Lohrmann, Michigan’s chief security officer. “It was death by PowerPoint,” he says of the one-hour presentation that he suspected few people were watching in its entirety. “So we threw it away.” Lohrmann wanted to overhaul the state’s approach to training. Users said the old program was boring, irrelevant and didn’t teach them anything. He says he had to make it brief, interactive, fun and interesting and, most importantly, find a way to “teach things that people didn’t already know.”

So the team picked a vendor to provide training that includes video-game-based lessons. Lohrmann says one of his favorite modules offers an interactive lesson on lost or stolen devices in airports. That’s an important subject; travelers left 8,016 wireless devices at just seven airports — Chicago, Denver, San Francisco, Miami, Orlando, Minneapolis-St. Paul and Charlotte — according to a 2012 airport survey by Credant Technologies, now part of Dell. Smartphones and tablets made up 45% of the wayward devices, and laptops accounted for 43%. About half of the devices were returned to their owners, and the rest were donated to charity or auctioned off, according to Credant.

The training module presents statistics about devices lost in airports and follows up with steps people can take to avoid misplacing their gadgets. Then the fun begins. Users assume the role of a Mario-type character in an online game, and they have 90 seconds to find 12 lost or stolen mobile devices in an airport based on the information they just learned. The user-controlled character runs through the airport — complete with check-in counters, a food court, a security conveyor belt and trams between terminals — and there’s a rewarding “ding” for every device the user finds. “Nobody ever gets them all the first time, and they want to play it again,” Lohrmann says.

The state of Michigan is rolling out that training module now, and Lohrmann expects that employees will be as impressed as he was.

“It’s ‘sticky.’ For me, I can’t go to the airport without thinking about that game,” he says. The training module “is doing something that’s going to change people’s behaviors.”

4. The tech genius

Tech-savvy end users can be a security nightmare — especially if they know how to reconfigure their smartphones to give themselves administrator-level privileges.

Solution: Outsmart the smarties

Malware can do a lot of damage on devices that have been altered at an administrative level. And Gartner predicts that by 2017, 75% of mobile security breaches will be the result of misconfigured applications.

Karl Storz takes this threat seriously. “We are an engineering company, and people are tech-savvy here,” O’Brien says. Since smartphones are issued by the company, “I haven’t seen [users reconfiguring their phones], but they could. The information’s out there, and IT can’t contain it.”

The most common platform compromises are “jailbreaking” on iOS devices or “rooting” on Android devices, according to Gartner.

These actions escalate the user’s privileges on the device, essentially turning a user into an administrator. They allow users to access certain device resources that are normally inaccessible, and they put data in danger by removing app-specific protections and the safe “sandbox” provided by the operating system. They can also allow malware to be downloaded to the device and open it up to all sorts of malicious actions, including extraction of enterprise data. These compromised mobile devices are also vulnerable to brute-force attacks on passcodes, according to Gartner. The best defense is to keep mobile devices locked down with mobile device management tools and policies, Gartner says. Security can be enhanced further with app shielding and “containers” that protect important data.

IT security leaders also need to use network access controls to block connections back to enterprise systems for devices that exhibit potentially suspicious activity. Raytheon keeps potentially rogue employees in check by making them acknowledge that they are aware of corporate use and behavior policies. “If they go off and do things on their own . . . they understand that they are violating company policy, and it puts them in an unenviable situation,” Aliber says.

Such policies are part of wider data security strategies that also include using device management software to control configurations, and storing data in the cloud instead of using mobile device storage.
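As an added illustration (not code from the article, Gartner, or any MDM vendor), the following posture check turns MDM inventory records into the network access decision described above: jailbroken or rooted and unenrolled devices are blocked from enterprise systems, while weaker findings such as a missing passcode or a stale check-in are quarantined. The record field names and the sample inventory are constructed for this example.

```python
# Added example: MDM posture -> network access control decision.
# Schema, field names and sample records are constructed, not a real product's export.
from datetime import datetime, timedelta, timezone

NOW = datetime(2014, 11, 17, 12, 0, tzinfo=timezone.utc)  # constructed "current" time
STALE_AFTER = timedelta(days=7)  # posture older than this cannot be trusted

# Constructed MDM inventory; "compromised" covers iOS jailbreak and Android root.
MDM_INVENTORY = [
    {"device_id": "ios-0001", "platform": "ios", "compromised": False,
     "passcode_set": True, "managed": True, "last_checkin": "2014-11-17T08:00:00Z"},
    {"device_id": "ios-0002", "platform": "ios", "compromised": True,  # jailbroken
     "passcode_set": True, "managed": True, "last_checkin": "2014-11-17T07:30:00Z"},
    {"device_id": "and-0003", "platform": "android", "compromised": True,  # rooted
     "passcode_set": False, "managed": True, "last_checkin": "2014-11-16T22:10:00Z"},
    {"device_id": "and-0004", "platform": "android", "compromised": False,
     "passcode_set": False, "managed": True, "last_checkin": "2014-11-17T09:45:00Z"},
    {"device_id": "ios-0005", "platform": "ios", "compromised": False,
     "passcode_set": True, "managed": False, "last_checkin": "2014-11-17T06:00:00Z"},
    {"device_id": "and-0006", "platform": "android", "compromised": False,
     "passcode_set": True, "managed": True, "last_checkin": "2014-11-01T12:00:00Z"},
]

def _parse(ts):
    """Parse the constructed UTC timestamp format used in the records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def evaluate(record, now=NOW):
    """Return (decision, reasons); decision is 'block', 'quarantine' or 'allow'."""
    reasons = []
    # Jailbreak/root removes the OS sandbox and app-specific protections: deny access.
    if record["compromised"]:
        reasons.append("jailbroken/rooted: sandbox and app protections removed")
    # A device outside MDM cannot have its configuration enforced or verified.
    if not record["managed"]:
        reasons.append("not enrolled in MDM")
    if reasons:
        return "block", reasons
    # Lesser findings: hold the device off enterprise systems until remediated.
    if not record["passcode_set"]:
        reasons.append("no passcode: a lost device exposes its data")
    if now - _parse(record["last_checkin"]) > STALE_AFTER:
        reasons.append("stale check-in: posture cannot be verified")
    return ("quarantine", reasons) if reasons else ("allow", [])

def nac_decisions(inventory=MDM_INVENTORY, now=NOW):
    """Map device_id -> decision for the network access control policy engine."""
    return {r["device_id"]: evaluate(r, now)[0] for r in inventory}
```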

5. The oversharer

Some employees share too much information on social media. Others are too willing to let friends and relatives use their devices.

Solution: Close the loophole

Thanks to the rise of social media, organizations that hire lots of young people find themselves dealing with employees who share an unprecedented amount of information publicly — and the implications of this trend are just beginning to emerge. With a social-media-savvy generation entering the workforce, it’s going to be interesting to see how companies handle their sensitive data, says Chris Silvers, principal at C G Silvers Consulting, an Atlanta-based IT security consultancy. “There’s so much information already out there — you just can’t go get it back,” he says.

Employees who share too freely on social media sites become easy targets for scammers who pretend to be co-workers or other acquaintances and try to persuade them to share credentials, passwords or company information.

“Anytime people tie social media to events or work email addresses, it’s a threat” to company data, says Chris Hadnagy, chief human hacker at Social-Engineer Inc., a training and consulting firm. “We find people who use their corporate email addresses for LinkedIn and Facebook. [Scammers] can search these online and then go to posts, blogs, forums where they’ve posted — to find personal things. Those are all vectors” for social engineering scams.

Again, education is key. “Employees need good education to realize that if you have personal stuff out there, then don’t trust everything that comes in” on social media sites or emails, Hadnagy says.

He also suggests setting policies for social media use at work. If it’s allowed, then employees should create work accounts and personal accounts. “Can you still find them on LinkedIn? Sure, but at least that’s one degree of separation,” he says.

Oversharing can also come in more innocent varieties. Lohrmann points to parents who entertain their kids by letting them play games and watch videos on company-owned smartphones or tablets — leaving the devices susceptible to damage or, worse, unauthorized access by hackers lurking on questionable websites. To avoid such scenarios, employers should have written security policies that prohibit use of company-owned devices by friends and relatives.

At the end of the day, IT security leaders say it’s all about balancing flexibility and productivity. “We do allow some flexibility in terms of what we allow people to do” on their mobile phones, says Aliber, noting that some downloading of apps is OK. “But when it comes to protecting company data, there is no flexibility. It’s a managed environment. We’re balancing the need for productivity and the need to help grow the business.”