Since the dawn of the internet, cybersecurity and cyberattacks have been locked in a continuous cycle of mutual evolution. As one progresses, the other becomes more sophisticated in response - similar to a game of leap-frog or dueling pianos, but with much higher stakes.
No longer confined within the safeguards of the office walls, the cyber playing field has now expanded to include the mobile phones and other connected devices of every employee – each device providing a new entry point into the network. It's important to address all potential points of exposure, including those owned by individual employees, to protect your system against the growing threat of data breach, information theft, ransomware demands, and DDoS attacks.
A practice colloquially known as BYOD (an acronym for “Bring Your Own Device”), 60% of Americans are now using their personal smartphones to perform official job duties. And with good reason. The freedom to communicate regardless of time or location, along with quick and easy access to workplace networks and apps, has been shown to save considerable time and boost productivity.
However, without central control over all connected devices, BYOD also introduces new data security issues. The risks of loss, theft, and outdated firewalls and antivirus software are amplified when people use their mobile phones away from the office, particularly when connecting to unsecured external networks. The burden therefore falls upon the employees, who must adhere to best practices - VPN, OS updates, message encryption, MDM and MAM software, etc. - at all times, on their phones and any device that connects to their phones.
Note: When managing your company's BYOD policy, keep in mind that different states may require you to reimburse employees for using their personal devices for work purposes.
As if straight out of a sci-fi movie, the Internet of Things (IoT) brings the convenience and efficiency of near-boundless connectivity into everyday life. From voice-activated lights and smart thermostats to wearables and telematics, an estimated 7 billion IoT devices (and 17 billion total connected devices) are currently in use worldwide.
This tidal wave of hyperconnectivity presents a virtual cornucopia of new attack vectors for the criminally inclined. Legislation has struggled to keep pace with the rapidly growing IoT, and so far, only a few laws have been enacted to help curb misuse and abuse. Until security standards are established, each individual and business is responsible for ensuring the safe management and usage of all connected devices.
Be sure you have an updated inventory and account for all your organization's connected devices when creating your internal IT security plan. Also, educate employees on the importance of securing their personal connected devices, and provide a list of steps they can take at home, such as creating strong passwords, changing the default privacy settings on individual devices, and encrypting their wireless routers.
While traditional information security plans focus on hardware and software protections, one of the most pervasive data security threats is often overlooked and unchecked: the human factor. The majority of data breaches start with at least one deceptive act – a process known as social engineering – in which the wrongdoer misleads an employee into unwittingly revealing information or otherwise facilitating easier network access.
In a common scam known as "phishing," the fraudster disguises an email as a benign message to trick the recipient into taking an action – such as downloading an infected attachment, following a corrupt link, or disclosing insider information – with perilous results. Other examples include phone calls, in-office visits, and social media communications in which the offender impersonates a known or respected individual, such as a colleague, vendor, or outside authority, to gain an employee’s trust and get the desired information or access.
Social engineering can be low or high tech, and is limited only by the creativity of the perpetrator. Every person with access to the network, data, or other proprietary information must be trained to identify the signs of – and ultimately block – social engineering attempts. Because even the most ironclad hardware and software defenses are no match for the savvy manipulations of a motivated hacker (if successful).
When it comes to securing mobile and connected devices, as well as preventing an internal breach, your best defense is awareness, education, and hyper-vigilance. To stay up-to-date on the latest developments in network and data security, IT staff should have sufficient opportunities to attend trade-shows, take classes, participate in workshops, and otherwise update their knowledge and security toolkits to stand up against modern threats.
Staff trainings should also be held regularly, delivered in non-technical language to ensure maximal understanding. All employees must learn how to protect their mobile phones and other connected devices, and also how to recognize and prevent social engineering. When everyone within the organization is aware of the risks and working on solutions together, you will be in the best position to secure both internal and external vulnerabilities.
Security is a top priority at One Inc. We maintain the highest level of payment data security standards, reducing exposure and simplifying the compliance process for our customers. You can learn more about our compliance and certifications here.
You might also be interested in:
Insurance Industry: 12 Trends for 2020
Patricia is passionate about helping insurers continue to achieve success in a rapidly changing industry. She offers news, insights, and tips to help you modernize your organization, boost efficiency, and provide a superior customer experience for today’s policyholders.