Employee carelessness poses security risk to businesses

21 Nov, 2013

Trend Micro report highlights perils of mobile device loss and Wi-Fi hijacking

Sensitive business data is being put at risk by the thoughtless behaviour of employees, a new report by Trend Micro has found.

The survey of 2,500 UK adults, published in a report entitled Britain’s culture of carelessness with mobile devices, found over a quarter of smartphone users have had up to three work devices lost or stolen, and 63 per cent have no password protection on their phone at all.

The Tube is the most likely place for a phone to be lost or stolen in London (26 per cent), with the District and Circle lines proving to be particular blackspots.

A bar is the second most likely place for a smartphone to disappear (22 per cent), followed by a cafe (11 per cent) and a restaurant (8 per cent), according to the report.

At a roundtable to discuss the report's findings, representatives from Trend Micro, information security consultancy First Base, and law firm Taylor Wessing said the implications were clear for business.

James Walker, a security specialist at Trend Micro, said: “We talk about a watering hole from the point of view of compromising a website, [but if I were a criminal] I could know a bar where a certain target organisation would drink in after work, I could steal a mobile phone that’s not password protected, send out a lot of phishing emails to lots of contacts within the organisation... and compromise a lot of people.”

Vinod Bange, a partner at Taylor Wessing, added: “If you have an employee within an organisation who kept going to the accounts team and saying ‘can I have £300 from petty cash please?’ and came back the following day saying ‘I lost it, can I have another £300?’ and then the next day said ‘sorry, I did it again, can I have another [£300]?’  – Who would do that?

“That is because cash is treated in a very particular way and it is about time organisations drew that link to treat information assets, whether it’s personal data, confidential IP, or whatever it happens to be with the same degree of [restrictions].”

The report also examined the potential for data loss when using public Wi-Fi hotspots.

A team of ethical hackers from First Base used apps that were openly available on Google Play to clone a recognised Wi-Fi network, which volunteers’ devices would then connect to automatically.

A hacker using this type of attack, known as an ‘evil twin’, is then able to see all the data sent, including sensitive corporate data and things that would normally be encrypted, like passwords. They could also restore sessions, to further mine data collected during the attack.

The volunteer ‘victims’ involved in these experiments said they felt scared that such an attacking method exists and that their privacy had been violated, even though it was just a simulation.