Report highlights poor UK attitudes to mobile security

Businesses should note that many UK mobile users do not take security precautions and do not know how to guard against data theft, says a report by security firm Trend Micro.

A survey of 2,500 UK mobile users found that 27% have lost up to three company devices and 52% regularly carry a mobile device containing sensitive work data, putting their employers and customers at risk of fraud.

The survey revealed that 61% who use their devices for work do not use password protection, 20% use their personal smartphones for business, and 63% use the same or similar passwords for all accounts.

Nearly a third said they regularly use Wi-Fi hotspots, but 56% do not check security before connecting to them, with 22% accessing work emails and 10% accessing confidential documents in public places.

The survey highlights a culture of carelessness among the UK population in their attitude to corporate data and mobile devices used for work purposes, the report said.  

The survey revealed that 44% of respondents were more concerned about losing personal content such as photos and banking details than about enabling cyber criminals to access sensitive business data.

Only 3% of respondents were concerned about the theft of corporate data, while 47% do not worry about losing customer details and 55% do not worry about losing intellectual property.

This indicates a lack of awareness around financial and reputational cost to business when sensitive data is leaked, the report said.

Of further concern to businesses should be the fact that 56% were not sure what to do to protect the data on their devices if they are lost or stolen.

Only 10% said they would notify their company IT department first if their device were lost or stolen, only 13% said they would notify their manager, and only 3% would notify human resources (HR).

This highlights the lack of awareness around the need to notify the business about data loss to enable it to limit or avoid reputational and financial impact, the report said.

Vinod Bange, partner at law firm Taylor Wessing, believes proposed EU data protection regulations will help drive change by potentially introducing fines.

In October, MEPs proposed increasing fines of up to €1m or 2% of annual worldwide turnover to €100m or up to 5% of annual worldwide turnover, whichever is greater.

“Currently UK data protection authorities can impose penalties of only up to £500,000, but much bigger EU fines will encourage organisations to embed security in their systems and processes,” he said.

However, Bange said the survey demonstrates the need for education to help employees understand the importance of protecting corporate data on mobile devices and notifying employers of potential breaches.

“Businesses that are unaware of data breaches will fail to act, which will diminish their ability to protect customers and avoid monetary penalties or contractual claims from third parties,” he said.

Rik Ferguson, global vice-president of security research at Trend Micro, said it is the duty of a business to ensure it is educating employees on the secure use of mobile devices.

“Employees should be made fully aware of the procedures and risks, and in the event of loss or theft, it is critical to notify the company’s IT department,” he said.

If a device that is used for work purposes is stolen, Ferguson said the first people who need to know are those in the company IT department. “They can lock and wipe a device – and they need to act quickly,” he said.

To prevent data being stolen through public Wi-Fi, Ferguson said it is essential to ensure connections to websites are encrypted. “Look for 'https://' at the beginning of a URL and a padlock symbol next to the URL for added reassurance,” he said.

Anyone connecting to webmail should also ensure the connection is encrypted because cyber criminals are looking for usernames and passwords transmitted in clear text, said Ferguson.

“Most ISPs do not offer an encrypted connection unless they are asked, so users need to be vigilant when on a shared network,” he said.

Ferguson also warned against enabling shares on computers when joining a public network, he said IT departments should allow only secure devices to connect to corporate networks and provide virtual private networks (VPNs) to create a secure connection for all corporate traffic.