A small device, but a big threat

Employees are often encouraged to use mobile devices for work purposes, but this increases a company’s risk of a cyber security attack. Companies should consider the security needed to safeguard sensitive information. SHEQ Management takes a closer look.

More companies are encouraging employees to use mobile devices, such as smartphones and tablets, for work. This trend of “bring your own device” (BYOD) allows employees to access company information remotely, which can increase productivity and offer a flexible workplace for the employee.

Similar to desktop computers, mobile devices are at risk of cyber security attacks. However, BYODs present many other challenges.

Dean Workman, in his article for IT News Africa, reports that 82 percent of South African businesses were victims of security breaches in August 2017.

In addition, 76 percent of South African participants in the 2017 Global Enterprise Security Survey, conducted by Fortinet, have increased their IT budget to provide for better cyber security, including security staff, auditing and training.

Workman quotes Paul Williams, southern African country manager at Fortinet: “South Africa has really caught up to the rest of the world in terms of a security focus within their IT departments.”

Simeon Tassev, MD at Galix Networking, identified a few of the main cyber security threats for South African companies in an article for IT News Africa.

These included cloud security, data protection, internet connectivity and BYOD attacks. He writes: “In the wake of recent ransomware attacks and the increased uptake of mobility and BYOD within organisations, businesses will seek to implement mobile security to prevent infiltration via external networks outside of their control.”

Basie von Solms, director at the Centre for Cyber Security at the University of Johannesburg, notes that mobile devices are at greater risk of cyber security attacks, as users can download apps, which can be infected with malware.

“Cellphones can be (and often are) infected, which allows the criminal to gain access to company information. Therefore, companies should have very strict rules, regulations and policies in place regarding the access point to, and information stored on, the device. There is also the risk of the device being stolen,” Von Solms says.

He adds that companies can implement management systems to wipe a device remotely, but that this does not always work. The best approach is to ensure that the latest anti-virus protection is used, and that information is separated and encrypted on the device.

Von Solms explains: “Companies should ensure that the employee has the latest anti-virus protection on their phone. An employee can visit a personal website, which is infected, and infect their mobile device. Companies should have comprehensive protection apps and software. Employees should always use the most up-to-date software.

“There is now research on separating the information on smart phones into different ‘containers’. The corporate container with company information will be much more secure and possibly encrypted. Information is downloaded into a separate container, thereby protecting company information.”

However, policing the security and updating the software (including anti-virus software) on a personal BYOD is difficult. An employee will need to give their consent to the company to monitor and update software. The company will also be responsible for protecting the employee’s personal information on the device.

“When an employee owns the device, a company should try to protect their privacy, but that is not always possible. How to best protect the privacy of an employee and protect company information is a grey area. Companies prefer to provide a device and keep the software updated,” Von Solms notes.

Company-owned mobile devices are often open for personal use. However, the user has fewer privacy expectations and it is therefore easier for the company to enforce cyber security protection.

Currently, there are no laws or policies in place to protect the personal information on a private BYOD. However, there is the Protection of Personal Information (PoPI) Act, which is expected to be passed this year. The Act aims to ensure that the personal information of customers and employees is not compromised or shared with a third party without their consent.

“The Act will improve the protection of the private information of customers. However, this presents another challenge. If an employee downloads private information of the client onto their mobile device and that information is compromised, the company is liable,” Von Solms says. He adds that the PoPI Act could possibly result in the end of BYOD.

The Act is based on the European Union (EU)
General Data Protection Regulation (GDPR). Companies that employ European nationals should also be aware
of the GDPR, as they can be held liable under this regulation.

“GDPR will come intocyber security attack play this year. EU companies will have one year in which to comply. The GDPR will also affect companies in South Africa. If a company employs a person from the EU, it will be liable under the EU Act, and will need to ensure that it protects this person’s personal information,” Von Solms notes.

He concludes: “It is getting more and more scary and we will see very real consequences with the introduction of the PoPI Act.”

Companies are well advised to start preparing for the PoPI Act now by introducing safety measures to protect company, employee and client information. Organisations that rely heavily on BYODs should also re-evaluate their cyber-security processes to ensure the safety of sensitive information.