Cyber risk: Are businesses aware of internal threats?

2016 is already shaping up to be the year when cyber risks are a seemingly constant media headline - hacking, data thefts, leaks of confidential data (see the Panama Papers).

'Bring your own device' is a threat to cyber security, writes Andrew Day
There are threats "out there" and they are real, but perhaps too much emphasis is placed on the randomness of the attacks or how newsworthy the target is or the skill of the faceless attackers.  

For most businesses in this country and the C-suite executives that manage them, the biggest threat comes from all-too-mundane human fallibility.

No one is exempt from being a risk magnet, from the most experienced CEO to the new starter – internal risk often far outweighs external risk and is more preventable.

Right at the heart of this internal risk is the practice of ‘bring your own device’ (BYOD). Increasingly flexible workforces want to use personal devices – typically laptops, tablets and smartphones – to enable them to work as and when they want and where they want.  

There are some obvious advantages to this approach in terms of cost savings and employee satisfaction, but it’s not all good news.  

Humans, being what they are, don’t typically think in neat boxes when it comes to their online presence.  
How many of us have used the same device for both work and personal social media interaction, often simultaneously?  

Employees using personal devices, whether at work or outside of the workplace, are at risk of downloading dodgy attachments, opening infected websites or clicking on a pop-up with a virus. 

When those devices are connected to work laptops or PCs on Monday morning, the company’s network is then at risk from whatever might have been 'acquired' over the weekend.

Not good if that means confidential company data is hacked and published as a consequence or the website is shut down for hours while frustrated customers can’t purchase the company’s products.

Employees will likely have their own social media apps on their devices along with their own personal email settings, both containing personal data.

Most smartphones make it very easy for an individual to switch between a personal email and a business email account fairly quickly, increasing the chances of sending confidential business information to people in their personal address book and vice versa. 

The embarrassment of emailing a client late at night could be the least of your worries.
What happens if the device is lost or stolen? 

The device will not only have stored all the employee’s precious personal data but also, most likely, business secrets of various kinds.

If it was strictly a corporate device, the obvious solution would be to wipe it clean. This fix is not so simple with an employee’s device, as it throws up the potential ethical dilemma of encroaching on the employee’s privacy rights, which is time-consuming and awkward to resolve.

Where there is a security breach or negative press on social media, this can have an immediate, direct and potentially devastating effect on the company and its stakeholders. 

It is not just the direct financial losses that affect the company but also, and sometimes more importantly, loss to its reputation. 

Recent studies show that analysts are using a company’s reputation as a metric to value it.

The increasingly prominent risk associated with BYOD is a serious threat to that value and once it’s gone it might be too late.

Andrew Day is a partner at Spring Law
