Securing enterprise mobile solutions is one of the top priorities for businesses. From MDM to MCM, enterprises cut no corners to implement enterprise mobility management solutions. Despite their efforts, however, there’s one security threat they can’t effectively curb: careless employees.
- 75% of large enterprises suffered staff-related security breaches in 2015. Human error was the cause of half of the worst breaches. (Axelos)
- Humans are the biggest cause behind attacks on mobile and social media platforms. Naive targets are easily lured through social engineering tactics. (Proofpoint)
- Majority of employees across Great Britain, France, Germany, Spain and the Netherlands don’t understand device security. Of the 72% using their personal devices for work, 85% manually update their devices’ security settings and 13% have no idea whether or not their devices are secure. (Symantec)
- According to 33% of CIOs, employee’s lack of knowledge on data security is the biggest security risk their organizations will face in the next five years. (Robert Half)
How Your Staff is a Threat to Enterprise Mobile Solutions
There are several employee behaviors which can endanger the security of your enterprise apps, even in the absence of malicious intent.
Bringing Shadow IT to the Workplace
Shadow IT is a term describing IT solutions created and/or used within enterprises without their authorization. By bypassing IT departments and adopting unauthorized apps, business users can cause data loss or leaks, create inconsistent and duplicate content, waste resources, and compromise IT security. These issues bleed a company’s resources and compromise its relationship with clients.
Clicking on Phishing Scams
Though the concept of phishing is far from new, people still fall for phishing scams. Several incidents in May 2017 proved this, including the phishing emails sent to Gmail accounts to gain access to their contact lists and Drive data. Interestingly, self-proclaimed tech-savvy individuals are 18% more likely to be victims according to CBT Nuggets. However, what makes this threat a cause for worry is 40% don’t care about phishing, are too lazy, or are the least bothered to abide by online security recommendations.
Reusing Passwords and Login Credentials
Hackers infect mobile devices with keylogger malware to record users’ keystrokes and, ultimately, gain access to enterprise apps’ valuable data. They can then use the captured credentials to attack different resources, especially network resources secured by an organization’s firewall. According to Digital Shadows, 97% of Forbes 1000 businesses took a hit when their valuable credentials were exposed. This was mainly caused by employees using the same login details across multiple websites and platforms.
Using Work Devices for Personal Reasons
According to CompTIA Information Technology Association, 63% of employees use work devices for personal reasons. 94% connect their devices to public Wi-Fi networks. Due to these habits, a different study states 3% of employee mobile devices are infected with malware. What makes these statistics scary is the fact businesses haven’t done anything to counter their causes. In fact, CompTIA’s study states enterprises tend to overlook employees’ dangerous mobile usage behaviors.
How to Mitigate the Risks Employees Pose
When it comes to the security of enterprise mobile solutions, prevention is better and much simpler than a cure. Here are a few surefire precautionary steps you can take to protect your apps and business’ valuable data.
Create Enterprise Mobile Solutions that Benefit Your Employees
To combat shadow IT, you need to understand why your employees prefer using third party apps at your enterprise. In most cases, employees prefer consumer-facing apps over custom corporate apps simply because they’re easier to use. To prevent your employees from seeking alternative apps, design enterprise mobile solutions they’d want to use. You can even save time and money on this process by opting for zero-code enterprise app development platforms.
No-code solutions provide a drag-and-drop platform for users to design applications. This makes them the simplest to use, allowing virtually anyone to create a working enterprise app. To get the most value, though, make sure to select a solution offers the following.
- Pre-Built Components – Instead of investing time, money, and human resources in writing code, you can configure out-of-the-box components. For instance, you can connect your app to the enterprise’s database layer or web services by configuring the Connectors feature in Miracle Mobile. In addition to dramatically speeding up the app development cycle, these components support experimental app development.
- Responsive Business Applications – In addition to allowing you to mobilize forms, no-code platforms can be easily configured at the component level according to business needs. For instance, the ‘Submit’ button in an inventory form can be configured to send multiple versions of the form to different departments. Sales will receive monetary details of the transaction whereas shipment will get the recipient’s address as well as details of the product(s) shipped. This allows apps to be re-purposed in different ways, guaranteeing higher ROI.
- Mid Execution Updates – Workflow-centric apps are essential for today’s businesses. However, they’re triggered by events. To change the apps frequently and quickly, zero code platforms can be helpful. As most of these are business process platforms, they allow even business people with no app development expertise to update apps on the fly. This, in turn, prevents processes from being affected, especially mid-execution.
- Multiple Customer Support Channels – Some no-code app development platforms can be too complex for non IT users. In that case, your employees should be able to get the support they need. In addition to online access to user guides, top platforms provide email and phone support. Citizen developers can easily contact the platform’s representatives and get the help they need instantly.
Train Your Employees on the Best BYOD Practices
Lack of training is one of the biggest causes of employee-caused breaches. According to a survey by Ponemon Institute and Fasoo, 56% of 637 U.S. IT security practitioners admitted their organizations don’t educate employees on basic security methods. As a result, they’re at the risk of losing their companies’ assets, money, and customers.
There are a number of ways to introduce security best practices to your employees, including lessons, seminars, and quizzes. Whichever you choose, always incorporate the following tips.
- Encourage Questions When in Doubt – As comprehensive as your training may be, keep in mind there are new threats almost daily. So, urge your employees to ask you about suspicious links or strange files. While you may be tempted to tell them to discard such links and files, having them ask IT support is always a better option. For starters, you’ll learn about new threats possibly targeting your organization and improve your training sessions.
- Ask Employees to Speak Up Rather than Hide their Mistakes – Instruct your employees to inform IT if their devices are compromised rather than keep quiet about it. This will ensure prompt response to minimize damage. Certain signs victims should be on the lookout for include; slow performance, new and unexplained files or icons, and strange popups.
- Motivate Employees to Go Beyond Your Security Training – In addition to the training campaigns your enterprise provides, urge your employees to learn about security on their own. Explain how their efforts will help reduce employee-induced security issues.
Establish a Robust BYOD Policy
Despite deploying enterprise mobile solutions, many businesses don’t have a BYOD policy to support them. If you’re yet to create this document, here are some tips to help you out.
- Specify Which Devices Employees Can Use – Decide which devices your employees can actually use for work purposes. The list you create should be very detailed to include device models, operating systems, etc.
- Enforce a Stringent Security Policy – Employees may resist using complex passwords as they see them as a hurdle to easily access content. However, you need to enforce this and other security measures as there’s a lot of sensitive information on employee devices.
- Establish Service Boundaries – Define a robust service policy for the devices matching your BYOD criteria. Determine the level of support available for initial connections to your network from these devices. Moreover, decide on the level of support provided for broken devices and installed applications.
- Define Who Owns Apps and Data – In certain scenarios, you’ll be prompted to wipe and reconfigure an employee’s device. In the process, all content on the phone will be erased, including personal pictures and paid applications. In some cases, this content can’t be replaced. So, make it clear you have the right to wipe devices brought onto the network under your BYOD plan. Also guide your employees on how to secure their content and create backup for it if their devices are wiped.
- Decide Which Third Party Apps Your Employees Can Install – Whether a device is a corporate-issued or personal, you can specify which apps to include when connecting to your environment. Your policy should detail which applications present security or legal risks to devices that have access to sensitive corporate resources.
- Include an Acceptable Use Policy – Before allowing personal devices to connect to your VPN, you need to address employee doubts on which activities may and may not be permitted. For instance, you can stop device users from browsing certain websites while using the VPN.
- Plan What to Do if an Employee Leaves Your Enterprise – You need to have an employee exit strategy in hand to remove proprietary applications and information. Your BYOD strategy should include a clear methodology for removing corporate data and backing employee personal information.
Consider Implementing Single Sign On for Mobile
Password management is one of the most pressing enterprise mobility priorities. Single sign on (SSO) can ensure better security and simplify the authentication process. Basically, SSO eliminates the need to create and remember multiple complex passwords. Here are some tips to effectively implement it.
- Set Secure Device Passcodes – While enterprises can’t control if a password is compromised within a device, they can control how far it will take intruders. Using device passcodes in addition to a one-time password system can reduce such security threats.
- Implement One-Time Password (OTP) – OTP prevents attacks and other hack techniques by providing users with a unique and temporary password every time a user logs in.
- Disable Access to the Network without SSL VPN – For users to access the network, they need to go through your corporate VPN network. This will enhance the security of your system and limit access to specific approved apps.
The Bottom Line
Your employees will continuously compromise the security of your enterprise mobile solutions without the right safety measures and proper safety training. So, take the time and invest in creating better enterprise mobile applications, a robust BYOD policy, and tools which complement them.