To celebrate the launch of CyberSmart Active Protect for mobile, we commissioned a survey asking 250 UK CEOs from companies with under 250 employees about their mobile security habits. We hoped to find out how the UK’s small businesses are tackling mobile security threats, what their security looks like, and whether there were obvious areas for improvement.
Our resulting SME Mobile Threat Report makes for illuminating and, at times, sobering reading. Here are our key takeaways.
1. Most small businesses expect staff to use mobile phones for work
Bring your own device (BYOD) policies can offer dramatic CapEx savings, which is a very attractive proposition for small businesses with tightened belts. So it’s no surprise that 60% of organisations expect their employees to use mobile devices to carry out work tasks, despite not providing all of them with work phones. Indeed, 65% of those businesses that don’t provide all staff members with mobile phones expect staff to use personal devices.
There’s nothing wrong with this in principle. Why wouldn’t you take advantage of devices your people already own, rather than investing heavily? However, as we’ll see shortly, it can pose some problems.
2. Many SMEs don’t have a mobile code of conduct for staff
Behaviour is essential to any successful BYOD policy. Staff need to understand what’s expected of them from a security perspective to work safely.
For example, you might enforce a policy that staff must never connect to an unsecured Wi-Fi network without using a VPN. A clear code of conduct or security policy can help prevent your business from being exposed to unnecessary risks.
So it’s concerning to see that while 59% of small businesses do have a code of conduct for completing work-related tasks on personal devices, over a third (39%) don’t.
3. Most SMEs don’t offer mobile security training to staff
Although it’s concerning that many small businesses are implementing BYOD programmes without clear security and conduct policies in place, we came across an even bigger problem.
The majority (59%) of our respondents said that they don’t provide any mobile phone security training for staff. Without training on how to identify and avoid cyber threats or what safe online behaviour looks like, these businesses are courting potential disaster.
According to research from Cybint, 95% of cyber breaches stem from some sort of human error, or, in simple terms, could have been prevented. This is also backed by older research from Stanford University and Tessian which puts the figure at 88%.
Whichever figure you prefer, that’s a lot of preventable cyberattacks. And by not providing security awareness training to staff, it’s exactly these kinds of breaches that small businesses are risking.
4. Over a third of SME staff have clicked on a malicious link
Interestingly, many of our concerns around SMEs neglecting staff training and policies are borne out later in the Mobile Threat Report.
According to the Department for Science Innovation & Technology (DSIT), 84% of all UK businesses have received some kind of phishing attack in the last 12 months. So, we asked SME leaders whether they or anyone at their business had clicked on a malicious link via mobile.
Although almost half (47%) of small business leaders responded no, some 38% reported that someone within their business had clicked on a phishing link – still a high number. What’s more, the real figure is likely to be somewhat higher given that a further 15% were either unsure or preferred not to answer.
This poses a real risk for small businesses. The UK has lost £1.7 billion to phishing scams in the last year, while the average cost of a breach to an SME ranged between £2,240 and £17,190. Worse still, phishing scams are often used to launch much nastier cyber threats such as ransomware and banking trojans.
5. SME staff are engaging in risky behaviour
Perhaps unsurprisingly given the problems we outlined earlier, the day-to-day cyber hygiene of SME staff raises concerns.
For example, a quarter of respondents admitted using a mobile device for work at a public charging station (e.g., at an airport or café), and 36% of respondents have worked from a public Wi-Fi network on a mobile device. A further 9% admitted to forwarding corporate data to a personal account, and 11% admitted to storing corporate passwords or login credentials on a mobile device without encryption.
This risky behaviour suggests low mobile security awareness among employees and a clear lack of concrete policies.
The good news? These risks are easy to mitigate
We’ve painted a pretty bleak picture of UK SMEs’ mobile security. And, it’s true, our research indicated some areas of real concern. However, the good news is that all of the issues our survey revealed are easy to mitigate.
To find out how, read our full report here.