The effect of a virus attack can be catastrophic on any small business. Allowing a hacker to gain access to privileged information or gain control of company systems can lead to reputation damage, blackmail, crippling fines – and worse.
While there is evidence that businesses are wising up to the threat of direct online hacks, there is a worrying trend emerging in regard to the threat posed offline – the ‘Bring Your Own Device’ (BYOD) hacks.
Simply put, these are attacks in which a staff member, often unwittingly, introduces a malicious device to a company’s computer system – generally in the form of a compromised personal phone, tablet or USB stick. The errant device contains a virus which quickly embeds itself deep within the company’s systems, allowing malicious attackers to gain access to systems and information from afar.
BYOD Attack Risks
Closely linked to this is the situation where an employee uses a personal device to access and store corporate information – e.g. viewing a confidential report on a personal tablet. Any virus that is able to compromise the personal device will therefore gain access to confidential information, no matter how well that same information may be protected on the company’s main systems.
The danger is both real and substantial.
According to new data from Kaspersky Lab, an eye-catching 92% of employees admitted to keeping corporate data on devices they used for both personal and business activities. Yet 60% of those employees admitted they did not actively protect the devices, instead relying on their employers to catch any threat.
The report also found that almost two-thirds of workers – 62% – regularly used personal devices in the direct course of their work. These phones, tablets and laptops often connect directly to their business's computer systems – allowing a virus that has compromised the personal device to cross over to the network.
Yet while larger businesses were more alert to BYOD security risks, particularly of reputation damage should an employee lose a personal device containing corporate data – with 53% expressing concern – many small business owners still appear unaware, or naively believe their company is unlikely to be targeted.
Almost a third (32%) of small business owners saw no danger whatsoever in employees using personal devices for work. In addition, more than 80% expressed no interest in receiving information about customized solutions for protecting the data on those devices. It appears many small business owners believe the risk posed by the BYOD threat is sufficiently small not to affect them, or is otherwise adequately covered by the various free tools available on the market.
According to Kaspersky Lab, this is a worrying mindset – from both small business owners and employees alike. “It is increasingly rare to come across a business professional who doesn’t use their own mobile device for work,” said Konstantin Voronkov, head of Endpoint Product Management at Kaspersky Lab.
“A laptop or smartphone enables you to do a large part of your business tasks remotely, from any global location. However, the loss of important corporate data via personal devices is a common occurrence, and a negligent attitude towards the security of mobile devices could pose a serious risk to a company’s business,” he added.
Is Your Small Business at Risk?
Clearly, small businesses are more at risk of BYOD attacks than ever before. Cybercriminals are adept at exploiting security vulnerabilities – and while small business owners may believe that only larger firms are targeted, the evidence reveals otherwise.
According to security firm Symantec, nearly a third of all reported corporate hacks in 2012 – 31% – were on companies with fewer than 250 employees. That percentage is rising every year. Strikingly, the lax attitude towards the BYOD threat contrasts dramatically with the attitude of small business owners towards computer security in general.
Almost all businesses, regardless of size, are aware of the need for firewalls, anti-virus on corporate machines, the importance of using strong passwords, and so on. But a computer security system is only as strong as its weakest link.
Investing in a secure corporate network only to overlook or underestimate the BYOD threat is the technological equivalent of investing in a state-of-the-art security system for your business premises, only to leave an override key in front of the building in an easily identified false brick.
Far from being too small to be targeted, small businesses are frequently being seen as easier targets by criminals – due mainly to their lax attitudes towards security. Considering the disastrous financial and reputational damage that could result from any attack on a small business, perhaps the time has come to give BYOD security the consideration it demands.
This article has been edited and condensed.
Rick Delgado is a technology commentator and freelance writer. His work can be found on Wired, SmartDataCollective and MakeUseOf. Connect with @ricknotdelgado on Twitter.