Employees’ use of personal devices puts firms at risk of malware infection, says report

Downloaders care about their own security while grabbing pirated content, not that of their employers

Six in ten UK employees are putting their businesses at risk of malware infection by using their personal devices to access corporate networks and illegal pirated content, a study has revealed.

Although 80% of those accessing the content consider the personal security risks of doing so, only 60% consider the security implications for their employers, according to a study commissioned by threat management firm RiskIQ.

“Pirate sites are an easy way of distributing malware so it should be a major concern for corporate security teams that so many individuals don’t consider the security implications,” said Ben Harknett, vice-president for Europe at RiskIQ.

Our study of piracy sites for the Digital Citizens Alliance “revealed that individuals who stream or download pirated content online are 28 times more likely to get malware than those who use legitimate services to obtain content”, he said. 

“For corporate security this is a 28-times higher risk of malware making its way into the corporate network from employees’ own devices,” Harknett added. 

The study also revealed 33% of piracy sites had at least one malware incident within the four-week period studied, while 20 of the sites exposed 75% of visitors to malware.

Of the malware found, 45% was drive-by downloads, where the visitor to the site does not need to click on anything after arriving, infecting users silently and often going completely undetected. The remaining 55% of malware lured users with prompts to download Adobe Flash or anti-virus updates.

The top reasons given for downloading or streaming pirate content are because it is free (23%), it is available before paid content (13%), the belief that all content should be free (12%) and the content people are trying to access is not available in any other way in the region (10%).

Graeme Grant, head of internet anti-piracy operations at worldwide recording industry association IFPI, said research has shown that cyber criminals have used content, such as music, as a way to compel users to download malicious applications.

“Once installed, many users unwittingly grant the malicious application excessive permission, thereby allowing an attacker to gain access to information on the device which could compromise the security of both the user and the corporation.

“Our own findings have been corroborated by the study that RiskIQ has carried out, showing that there is a definitive need for businesses to prevent user access to pirated content and those applications that facilitate such access,” he said.

Harknett concluded that organisations need to educate employees on the cyber risks of using pirate content sites and the potential consequences to the organisation.

Join the conversation



20% seems to be a statistically significant difference, so I wonder if it’s a case of the user just not thinking about corporate data because it’s their device, or they don’t really care, or some other reason behind that large difference.
It would seem that firms aren't investing enough time educating their employees. Not admonishing, not threatening (neither of which works very well), but educating employees about the dangers of downloading/using pirated software. It will take more effort than a "just say no" policy. Beyond opening the gates to company-wide malware, employees are putting themselves and their personal data at an even greater risk. Teach them about that....
I use an Apple Macintosh at home as my personal system, and it probably has better security than most of the corporate networks that I've dealt with. By the way, I never download software or content from pirate sites.

The main problem is that the article states that 6 out of 10 users use their personal devices to access company systems and pirate sites. Okay, what percent use them to access company resources, what percent use them to access pirate sites, and what percent do both? Does 6 out of 10 refer to the number that access both types of sites? When using personal devices to access corporate systems, what percentage are doing so by following corporate guidelines? They don't use the word both in the statement, and I have learned to read many of these articles with as much skepticism as I read advertisements.

The people funding and publicizing the report have an interest that is not related to the corporate systems they claim are at risk. Their goal is to stop people from illegally downloading content. That is an honorable goal, but the article's goal is to further that goal and not the security of the computer systems.

What I find most interesting was that almost half of the malware attacks were "drive by" attacks. The fact that "drive by" attacks can occur indicates operating system and browser security flaws that should not exist.