Workers Mix Business with Pleasure & the Security Impact is Colossal

Written by

We live in a frenetic and fluid world. Need a new outfit? Buy one online and have it in an hour. Don’t like your car? Trade it in. Fancy a change of scenery? Move. Don’t like your job? Get a new one.

In fact, it is now common for younger workers to have had four jobs before the age of 32 and a notable minority now have more than one employer at any time. What would have once been an indication of job-hopping is now an accepted function of the type of economy in which we live and Millennials value the flexibility it offers.

Conversely, despite moving from job to job, employees are increasingly keeping the same device – or at least number and personal contract – as they do so. Thanks to the bring your own device (BYOD) trend, this means one single device is doing a thousand things: connecting to multiple work networks in addition to shopping online, booking taxis, dating, watching TV, banking, downloading apps with security flaws and – potentially – visiting malware infested sites.

This is causing a huge headache for security professionals. This is because it is common for smartphone security to be an afterthought – and where it exists, it is woefully behind the curve. Typically, just 24% of people are likely to have internet security and only 5% bother to encrypt the data on their mobile.

Why? Because they have a built-in expectation of security. They feel that someone else should secure their mobile device for them. They expect their employers or clients to understand that using free, unsecured Wi-Fi is essential; that man-in-the-middle threats are part of life; and that none of this is the handset users’ responsibility. To make things even harder, they also demand protection without it affecting user experience a single iota.

What’s the solution? In the past there has been a tendency to look at all the potential risks on a mobile device and shut them down one by one. If there is a threat from downloading apps, try and stop people from doing it. If there is a threat from opening and sharing files, put a block on it.

The challenge with this type of approach is threefold. Firstly, this hugely impedes productivity. Without access to a crucial document that has been blocked, an employee may not be able to do their job – or win business. Equally, if you bar apps, that same employee may not be able to book the taxi they desperately need to get to the next meeting in time, or they may not be able to use a map to find the client’s office. However you look at it, the bottom line can be affected badly. 

Secondly, putting blocks on activity does not actually stop people from doing it. They just find work-arounds. In a world of BYOD they will use shadow IT to try and achieve what they want to do anyway. Thirdly, if you do manage to put security software on a device, it can affect usability significantly, leaving that device slow, sluggish and ultimately, more likely to be bypassed by a user who brings a new device into the scene that’s faster (because it has no security on it).

As a result, security teams need to take a new approach. They still need all the mobile security you would expect such as anti-virus, web protection, app download managers and water-tight policies, while balancing the impact this has on user experience. More importantly, they also need to understand that they will not always catch threats – things will get through the net thanks to the way mobile devices are being used and new dynamics in employment models.

It takes determination and vision but security teams need to focus less on stopping everything and more on stopping those things actually doing something malicious. It’s a subtle difference between a “threat” and an “attack”. A threat is something that may potentially happen. An attack is something that is happening. Clearly, the latter is far more dangerous than the former – and not all threats turn into attacks. So why waste valuable resources trying to stop every threat?

To achieve this, organizations need to look at network traffic and the suspicious patterns that highlight an attack is underway and not just look for files that fit the profile of malware. This is also more likely to catch malicious activity that does not involve malware. For example, imagine an employee has been given access to data. They have been using it for months completely legitimately.

However, they’re about to change jobs again. That employee uses a mobile device to log on to and download a large amount of data about prospects to take to the next employer. This creates recognizable traffic and signifies an attack is taking place. No malware is involved at all, but the intent of the user is malicious. By analyzing the network traffic, the malicious insider can be stopped in their tracks.

Of course, that same device could also be completely riddled with malware owing to the way it has been used. It might be nearly impossible to stop this getting on the network. If it does – and more importantly starts to do something malicious – it will create suspicious network traffic. Again, this can be spotted and the activity stopped. In both cases, the result is the same: the mobile threat is reduced thanks to network data analysis rather than just traditional mobile security.

Let’s face it, we’re not going to stop Millennials changing working patterns; we’re not going to stop the motivations and tools of an attacker; and we’re not going to roll back the use of our beloved mobile devices – nor should we want to. With that in mind, network analysis is the only solution. The benefits are seamless mobility for all users, wherever they are, and uninterrupted user experience with access control, greater productivity and lower risk.

What’s hot on Infosecurity Magazine?