Mobile Device Security Awareness: Training Essentials

norman@preyhq.com
Norman G.
Mar 9, 2023

As our reliance on digital technology continues to grow, so does the threat from scammers, hackers, and cybercriminals. Yet we have become so used to the benefits of tech making our lives easier that we can get complacent and careless about the security risks.

The growth of mobile use in business has left many companies even more vulnerable to attacks, mainly due to the rise of the bring-your-own-device (BYOD) culture and an increase in remote working. This trend significantly increases the vulnerability of corporate data, as employees using personal mobile devices for work can expose sensitive information to unauthorized access and cyber threats. Safeguarding corporate data from such risks is essential to maintaining the integrity and security of your organization.

With the average data breach cost in 2020 coming in at $3.86 million, it’s vital to protect your organization. However, investing in security solutions is no longer enough – you must also provide comprehensive training to all employees. This means anyone using their mobile for work is educated about potential risks and better placed to spot any vulnerabilities.

While your security protocols have to be efficient, it also helps if they are easy to understand. If something is hard to follow and cuts into productivity, it is less likely to become a seamless part of everyday

Enterprise Mobile Device Security

In the modern workplace, mobile phones and other mobile devices are used more frequently than traditional endpoints like laptop computers, and they hold the same information that an employee’s laptop or desktop can access. Mobile devices bring a substantial boost in productivity, but their lack of security also brings a dramatically greater danger to an enterprise. Mobile devices frequently go unguarded, although you wouldn’t consider leaving a laptop or desktop unattended.

Employees can learn about enterprise mobile security and the dangers and weaknesses that it faces by taking a mobile security training course.

Here are five key things to remember when providing mobile device security training.

1. Mobile security should be part of the culture

The main aim of any training program is to change the company’s culture. In this case, every employee should learn to take the threats seriously and follow established security guidelines to protect against potential threats. Protection should feel like everyone’s responsibility, not just the IT department.

And this means that lower-level employees need to see that those in higher positions are setting an example by following the protocols.

96% of phishing still happens via email, but employees should also receive training to recognize threats from other sources. Phishing via SMS (known as “smishing”) and voicemail (“vishing”) are high priorities for current attackers, and it’s wise to raise awareness of the risks.

It is also crucial to keep the operating system up-to-date to ensure the latest security configurations are available. Employees should accept updates and patches to the operating software, enable automatic updates, and avoid jailbreaking, as tampering with the factory security settings can make the device more susceptible to attacks.

Train employees to look at the company’s security from an attacker’s point of view – what gaps might they see and take advantage of? Which technology is most at risk? For example, you could run test scenarios with your IVR (interactive voice response) system or online booking software and learn the warning signs to look out for.

2. The most significant threat comes from BYOD

Over the past few years, the practice of employees bringing their own devices to work (BYOD) has added a whole new level of threat. While your IT department used to be responsible only for organization-owned devices, it now needs to be aware of different systems.

Employees will use them at home for remote or out-of-hours working, meaning you can’t just rely on monitoring in-office behavior. Combined with the increased likelihood of personal use, this can make threats much harder to detect.

Staff downloading non-work-approved apps can add risk, as they may inadvertently introduce malware. It is crucial to verify applications before downloading, as apps could harm a mobile device, for example by carrying malware or directing users to malicious websites. Always download apps from a well-known trusted source to minimize these risks. Meanwhile, their Bluetooth devices like smartwatches or Fitbits could pose a threat even if they’re not being used for work. Adversaries can exploit WiFi network names to gather location data and other personal information, posing a threat to physical safety and security.

Many devices may be outdated when it comes to upgrades and patches, so your company needs to make sure its own security net is strong enough to encompass these. In addition, the IT department should set up and maintain an inventory of all devices being used, to make it easier to track what’s being used when and where.

Attackers are now prioritizing users on mobile devices. For example, many employees receive work emails and messages on their phones all day and night, while those who provide website maintenance or backend support may do most of their work outside normal office hours.

It’s easy to stop paying full attention and let something slip through. Therefore, training programs should ensure that employees are aware of these specific threats and demonstrate that they must not let their guard down just because they have left the office.

3. Company-owned devices are at risk, too

We’ve covered the threats from BYOD. But employees need to remember that company-owned devices can be compromised, too – even when they’re being used in the workplace. It is crucial to secure these devices to prevent them from being lost or stolen.

In fact, any device that connects through wi-fi, Bluetooth, or different systems such as order management software presents

Meanwhile, if organization-owned devices are handed over with full permission and admin capabilities, employees could unwittingly install malicious software or engage in risky behavior. It’s better to limit employee permissions as well as provide training, just to avoid these issues. Training should also cover the various security threats posed by mobile apps, such as the potential for endpoint vulnerabilities and the risk of users downloading malicious applications that probe devices for vulnerabilities and disclose data.

Training should also emphasize the importance of promptly reporting a stolen device and utilizing services to remotely lock or mark the device as lost to prevent unauthorized access to sensitive data.

Employees who use company devices and software are not the only ones who require training. Whoever is in charge of purchasing digital technology for your company should be able to research available products to make sure they’re trustworthy.

4. Targeted training pays off

As well as providing company-wide training, it also pays to focus on employees whose behavior puts them most at risk of causing a breach. For example, you could search logs from mobile device management systems, anti-malware tools, email security gateways, and web proxies to spot who is testing the access blockers or regularly encountering malware. Additionally, securing wireless networks when accessing company data is crucial, as unsecured wireless networks can expose personal and corporate data to threat actors.
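A sketch of the log search described above, added here as an illustration and not taken from any product the article mentions: it combines events from the four sources into a per-user score and lists who to prioritise for targeted training. The log format, event names and weights are assumptions, and the sample lines are constructed.

```python
from collections import Counter, defaultdict

# Constructed sample events, already normalised to "date source user event".
# Real MDM, anti-malware, e-mail gateway and proxy exports each need their own parser.
SAMPLE_LOG = """\
2023-03-01 proxy alice BLOCKED_CATEGORY
2023-03-01 proxy bob BLOCKED_CATEGORY
2023-03-02 proxy bob BLOCKED_CATEGORY
2023-03-02 antimalware bob MALWARE_DETECTED
2023-03-03 email_gw carol PHISH_CLICK
2023-03-04 proxy bob BLOCKED_CATEGORY
2023-03-05 mdm dave OS_OUTDATED
2023-03-06 email_gw carol PHISH_CLICK
2023-03-07 antimalware bob MALWARE_DETECTED
not a log line
"""

# Hypothetical weights: how strongly each event suggests a need for follow-up training.
WEIGHTS = {"BLOCKED_CATEGORY": 1, "OS_OUTDATED": 1, "PHISH_CLICK": 3, "MALWARE_DETECTED": 3}

def parse(text):
    """Yield (source, user, event) tuples, skipping malformed or unknown lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3] in WEIGHTS:
            yield parts[1], parts[2], parts[3]

def training_candidates(text, min_score=5):
    """Return [(user, score, sources)] for users at or above min_score, highest first."""
    scores = Counter()
    sources = defaultdict(set)
    for source, user, event in parse(text):
        scores[user] += WEIGHTS[event]
        sources[user].add(source)
    flagged = [(u, s, sorted(sources[u])) for u, s in scores.items() if s >= min_score]
    return sorted(flagged, key=lambda row: (-row[1], row[0]))

if __name__ == "__main__":
    for user, score, srcs in training_candidates(SAMPLE_LOG):
        print(f"{user}: score={score} sources={','.join(srcs)}")
```

Listing the sources next to the score shows whether a user's risk comes from one habit, such as probing the web filter, or from several, which helps shape the individual discussion.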

One report suggests that 15% of successfully phished people will be targeted at least once more within the year. Individual discussions with repeat offenders will help them understand the risks they are taking and the potential costs to the business.

In the event of a security breach or a near-miss, don’t just retrain the employee who’s responsible. Instead, see it as an opportunity to retrain everyone, reiterate the importance of mobile security – and point out that an honest mistake could happen to anyone, which is why everyone must always be on their guard.

Don’t forget those employees working from home or at different premises. Video calls are a great way to deliver training remotely; you should make sure any training program is engaging and fun. Otherwise, employees will get bored and zone out. Some ideas include:

  • Delivering a series of shorter sessions rather than one long lecture
  • Targeting small groups instead of addressing the whole company
  • Working on role plays with individuals or groups
  • Using gamification to make learning fun
  • Ensuring the content is relatable to real-life situations

You could also add digital security performance to employee appraisals to keep an eye on who’s following the rules. Tools like WFO solutions (workforce optimization solutions) help track employee performance and training.

5. Keep communicating!

Communication is vital – you should let all employees know how your security upgrades work and why they are so vital. In addition, they must understand why you need to protect their devices and safeguard against lost data. This can avoid it being seen as an infringement when you track their device or disable actions.

You need employees to buy into the mobile security being deployed by your company. Walking users through the process and what it means will reduce user error. It also helps employees feel important enough to be trusted with the complete information, creating a collaborative feel throughout the business.

This also applies to employees’ knowledge of how the different technologies work. If they understand this, they will be better placed to look for threats and to reassure customers about security measures. For example, if you’re switching to VoIP instead of a landline, they should be able to answer basic questions like ‘how does voice over IP work?’, ‘what encryption is used?’ and ‘what are the key security risks of VoIP?’

It’s essential to stay in contact with your remote team, as they may be less likely to remember the protocols when working outside the office environment. It’s also harder for managers to monitor them without the benefit of in-office conversations.

In between the training sessions, keep up regular and consistent communication. Don’t just send out vague emails about patches or upgrades – always explain how any new mobile security features will benefit the employee and the business.

Takeaways

Remember that potential attackers are constantly working on new ways to trick you, so it’s a constant battle. But if the worst does happen, there are device security solutions you can have in place ready for that day – such as remotely wiping data or retrieving information from a lost device to protect sensitive data.

To create and maintain a mobile security culture across the business, ensure every employee and every department is involved. As well as providing training, ask for regular feedback – what do employees think the risks are? Pair this with your assessment and any security consultants you bring in. Finally, use practical performance management tools to keep track of things.

Overall, this will help employees feel like they are really contributing something valuable to the business, which in turn will stimulate motivation, productivity and a more positive attitude.

Author Bio: Richard Conn – RingCentral US

Richard Conn is the Senior Director, Search Marketing for RingCentral, a global leader in unified communications and internet phone service.

He is passionate about connecting businesses and customers and has experience working with Fortune 500 companies such as Google, Experian, Target, Nordstrom, Kayak, Hilton, and Kia. Richard has written for sites such as Nextdoor and Rightinbox.
