Culture of carelessness poses security threat to UK businesses

Over a quarter of smartphone users (27 per cent) have had up to three work devices lost or stolen, with over half (52 per cent) out drinking when it happened, according to a survey by Trend Micro Incorporated (TYO: 4704; TSE: 4704), a global leader in cloud security and the fight against cybercrime.

The results highlight not only a growing trend in data theft among cybercriminals targeting mobiles, but also display a culture of carelessness throughout the UK population in their attitude to work devices. The research conducted by Trend Micro with support from the Centre for Creative and Social Technology (CAST) at Goldsmiths, University of London, and Vision Critical, also revealed that:
•?Over half of Britons were out drinking when their devices were lost or stolen;
•?Over a quarter (26 per cent) have lost their device on the London Underground closely followed by 22 per cent in a bar;
•?31 per cent are using Wi-Fi hotspots regularly, yet 56 per cent never or rarely check security levels before using them;
•?25 per cent of people who only use their device for work have emailed sensitive data to the wrong person;
•?63 per cent are using the same passwords or similar variations for all their electric logins, making them an easy target for cybercriminals;
•?57 per cent of smartphone users do not use a password lock as the most common form of security protection

Culture of carelessness
Responses show a careless attitude by Britons to work devices and corporate data. Respondents seem to take better care of their own belongings with only 11 per cent of those surveyed losing their personal smartphone device while over a quarter (27 per cent) have had up to three work devices lost or stolen.

Almost half (44 per cent) of smartphone users are more concerned about losing personal content, such as photos and banking details than worrying about enabling cybercriminals to access sensitive business data. In fact a mere 3 per cent of respondents were concerned about the theft of corporate data. More specifically, almost half (47 per cent) of respondents don’t worry much or at all about losing client or customer details, while 55 per cent don’t worry much or at all about losing intellectual property. This indicates a lack of awareness around the financial and reputation cost to businesses when sensitive data is leaked

IT departments should be concerned
Worryingly, over half (56 per cent) of respondents were not sure what to do to protect the data on their devices if they’re lost or stolen. Only 10 per cent said the first thing they would do is notify the IT department. A total of 13 per cent said they would let their boss know, while just 5 per cent would let the HR department know. Most (19 per cent) said they would report the loss to the police first.

This highlights the lack of awareness around the need to notify the business about data loss, preventing organisations from taking steps to limit and avoid reputational and financial impact.

To make matters worse, the research reveals that many of us don’t take enough care about password-protecting our data and devices. 63 per cent admitted to having no password at all on their devices – and, worryingly, 61 per cent of those who use a smartphone for work only said they don’t have security passwords on their devices.

Threat to businesses
Vinod Bange, partner at international law firm Taylor Wessing said: “There are a number of UK and European laws that govern corporate liability for data breaches and fines for leaked customer data can be as high as £500,000. Additionally, new EU regulations are set to increase corporate obligations to notify authorities about data breaches as well as raising fines to 1 million Euros or two per cent of annual turnover. The results from this survey demonstrate that education is required to help employees understand the importance of protecting corporate data on mobile devices and notifying their employer should a breach occur. Organisations that are unaware of data breaches will fail to take the right steps to manage the situation which will diminish their ability to protect customers and avoid monetary penalties or contractual claims from third parties.”

Matthew Webb, Head of Technology at insurer Hiscox UK, commented: “Cybercriminals are increasingly targeting mobile devices in the hope of stealing the owner’s bank details, but walking away with a wealth of confidential business information can prove even more valuable on the black market. There are several things that employers can do to help safeguard against this risk though, such as encouraging employees to use a login on their mobile device that is at least the same security strength as their work computer, and to change it regularly.

“It is also much simpler for an organisation if employees all work off the same types of devices, so that only security and operating system updates for that one particular manufacturer must be applied. These must be kept up-to-date as well.”

Tips for businesses
Rik Ferguson, Global VP Security Research at Trend Micro said: “The survey shows a worrying attitude of carelessness towards work devices and an ignorance of the full impact of losing data without the correct security measures being put in place.

“It is the duty of a business to ensure they’re educating their employees on the secure use of mobile devices to prevent sensitive data falling into the wrong hands. Employees should take the same amount of care with their work device as they do with their personal ones, and be made fully aware of the procedures and risks before a device is given to them. In the event of theft it is critical to contact the company IT department who may be able to prevent the thief from accessing critical business information.”