What happens when an employee downloads a virus onto one of their personal devices that you have allowed access your company systems? Grant McGregor takes a look at an emerging weak spot in many companies’ defences.

The Information Commissioner’s Office (ICO) is seeking to raise awareness about a new vulnerability in many organisations’ cyber defences.

In particular, ICO is highlighting how failure to protect against such a breach can leave organisations falling foul of GDPR obligations and running into large fines. As we’ve reported before, GDPR fines can be as much as 4 percent of global turnover.

Increasing numbers of private devices used at work

In the early days of mobile phone ownership, mobile phones were procured in bulk by the company telecoms officer and distributed to employees. This made security provisions and central control simple.

As mobile technology and cloud services have seeped into almost every aspect of our lives, people increasingly want to use their own devices for work. This leaves organisations vulnerable: IT Managers need to enable employees to access the company systems on their own devices, but they also need to know the network and all the devices accessing it are secure.

This “bring your own device” (BYOD) - both to the office or when working remotely - trend is raising concerns at ICO.

A compromising situation

One of the examples ICO is using to highlight the risk is of an employee who uses a personal computer at home to access a work email service. Unfortunately, the PC was not secured and had been infected with key-logging malware.

The malware author was able to capture the log-in details for the email service and access the employee’s work email account.

ICO is concerned that, in such a situation, the malware author would have access to personal data – potentially of both employees and of customers. This leaves the organisation exposed to GDPR fines because the employee didn’t have anti-virus and anti-malware software on their home PC.

Under GDPR, an organisation is required to have appropriate security measures in place to protect against a data breach.

For the organisation, there are further risks. The malware author has access to an official email account and could use it for phishing and spear phishing attacks.

What can organisations do to protect themselves?

Ultimately, protecting your organisation from this type of threat has to come down to education. It simply isn’t feasible for IT Managers to install anti-virus and anti-malware software on all their employees’ home PCs – this is something that individuals must recognise they have a responsibility to do for themselves.

ICO recommends the UK Government’s Cyber Essentials scheme as an ideal way to develop knowledge and basic IT security awareness within an organisation. It says Cyber Essentials offers, “a set of basic technical controls you can put in place relatively easily.”

This is a scheme that Grant McGregor wholly endorses and we can help you with training and assessment – for more information, check out our Cyber Essentials guide here.

There’s even better news for Scottish businesses: the Scottish Government has launched a voucher scheme to help small businesses and third sector organisations combat cybercrime by securing Cyber Essentials certification.

Find out more about how you can apply for funding for the Cyber Essentials certification here.

Reminder: better mobile security

In an earlier post, we outlined some specific steps organisations can take to improve mobile security, including:

• avoiding publicly accessible Wi-Fi

• offering VPN connections for mobile users

• ensuring Bluetooth is turned off on phones

• if cost is less important than security, you could go as far as turning Wi-Fi settings off and forcing users to use your mobile carriers’ networks (which are less susceptible to spoofing or “man in the middle” attacks).

But the scope of the Cyber Essentials scheme goes further than just mobile security to cover key fundamentals of organisational cyber security.

Plan for the worst, make the best possible

Basic hygiene measures covered in the Cyber Essentials scheme include:

• Educate employees about potential threats and vulnerabilities

• Maintain good password practices

• Maintain up-to-date security patches

• Install the most up-to-date versions of software and operating systems

• Use anti-malware and anti-virus solutions – and keep these up to date too!

In particular, at the moment IT Managers should have upgrade plans in place for a number of Microsoft products nearing end of life, this includes:

• Windows 7 operating system

• Windows Server 2008 r2

• Internet Explorer version 10

In addition to these simple steps, Grant McGregor also recommends that all organisations conduct regular threat assessments to identify vulnerabilities and have a good plan in place for dealing with the effects of a cyber-attack.

Unfortunately, in today’s environment, falling victim to a cyber-attack isn’t a question of whether but when. And acting swiftly can make all the difference in limiting the effects of an attack, safeguarding your organisational reputation, and minimising the penalties you face under GDPR.

To find out more about any of the issues discussed in this article, including securing funding for the Cyber Essentials training, please reach out to the Grant McGregor team.

Photo by Jonathan Francisca on Unsplash