Is the corner office the biggest threat to small and medium-size businesses? As companies shift their business models to mobile technology and remote work, senior executives are, surprisingly, among the employees most guilty of putting their organizations' security at risk.
In fact, according to the 2020 Verizon Mobile Security Index, while 81 percent of executives at small and medium-size businesses surveyed said cyber threats were a moderate to significant risk to their businesses, 39 percent admitted they have sacrificed mobile security to "get the job done."
Protections and limits to system access imposed on employees are less frequently imposed on top executives, who are often given wide latitude to use personal devices and to access vast parts of a company's data systems, notes Bryan Sartin, executive director of global security services at Verizon.
Professional services firms have taken a particularly big cybersecurity hit as they move to an increasingly work-from-home, mobile-business model, often working out of clients' offices and shared workspaces, on public or unsecured wireless networks. The 2020 Verizon Mobile Security Index showed that 66 percent of respondents said they used public Wi-Fi for work tasks, even though one-fourth conceded it was explicitly prohibited by company policy.
Another big piece of that problem is employees bringing their own smartphones and laptops to the job.
"The largest vulnerability for small and medium businesses is that employees generally do not have enterprise-owned devices," says T.J. Fox, a senior vice president at Verizon and the president of Verizon Business Markets. "Without that control, organizations--roughly half of which do not have internal IT resources--are faced with the challenge of protecting assets on devices they don't control."
Some of the biggest threats to small and medium-size businesses are ransomware and spear phishing attacks. With ransomware, hackers hold a firm's data hostage until money is paid. Spear phishing attacks use emails that already contain some nuggets of personal information lifted from, say, a social media post, and are targeted to get an individual to reveal sensitive information, including passwords and access codes.
Those stolen username and password combinations are often the foothold needed to access a company network remotely. "You have a simple email or text click on a handset leading to both personal and company-related theft," says Sartin.
"The emergence of ransomware has changed the conversation, and so has the massive shift toward the work from home model," adds Fox. "Ransomware is so widespread, there is now an immediate need for SMBs to adapt their security defenses to better protect their assets."
According to the 2020 Verizon Mobile Security Index, only 50 percent of small and medium-size businesses restricted access to data on a "need-to-know" basis, and 59 percent said they did not take the most basic mobile security precaution: changing manufacturer or vendor-installed passwords on devices.
In fact, most security risk that leaves corporate data systems vulnerable to attack is a result of what experts call poor "cyber hygiene" across four key areas:
- The failure to keep up with and roll out the latest security patches to company systems, particularly for senior executives;
- A lack of controls and training to reduce email phishing;
- Allowing unsecured personal mobile devices to access corporate applications and data;
- The failure to segment sensitive data from non-sensitive data and create appropriate access controls.
Fortunately, nearly all breaches in mobile communication can be mitigated with four basic controls: encryption, authentication, containerization, and restricted download controls.
While technological advances including adaptive authentication and zero-trust networks promise to better restrict access to company networks and assets, the most effective cyber defense plans incorporate people, process, and technology.
"Our solutions such as mobile threat defense and secure endpoint protection are affordable and easy to employ and will quickly and effectively help address primary threats," says Fox. "That reduces the likelihood that a compromised device will introduce threats into company systems."
Ultimately, protecting networks and data from intrusions depends on people, and C-Suite executives need to set an example for the entire team, says Fox. "Top executives need to create a cyber-aware culture and make it a priority."