Celebs hacked! Why HR should take note

Hollywood's A-listers recently found their personal files exposed to the world – now one organisation is warning employers to learn the lesson as their private data could be just as vulnerable to hacking.

The hacking of celebrities' personal accounts and subsequent posting of intimate photos on the web has once again raised the issue of mobile security.

And, while many may shake their heads in disbelief at the A-listers foolishness, one cyber security organisation is urging employers to learn from the incident.

Craig Searle, Head of Cyber Security APAC at BAE Systems Applied Intelligence told HRM Online employers should be concerned as while the hackers accessed photos it implies that they were also able to access other information but chose not to release it.

“There is a huge amount of data that gets saved on employees' mobile devices. Consider pictures taken of whiteboards at meetings that may have customer data, documents downloaded, business contacts data, and so on,” Searle explained.

“Furthermore, tools such as iCloud, Drive, Dropbox and the like are frequently used for out-of-band storage for miscellaneous content. Mobile devices can be a treasure trove for cyber criminals who are looking for sensitive and business critical information."

Searle agrees that allowing staff to use their own devices can offer major benefits to a business but the risks need to be understood and managed. Therefore it is important policies are developed and reinforced by HR to employees.

“Employers need to have appropriate security measures in place to counter potential attacks. However, it is very difficult for them to implement technical controls if employees are not aware of the possibility that their personal devices and behaviour can have an impact on their organisation. Employers need to educate employees as they play a key role in keeping the organisation’s cyber security risk at a minimum,” Searle said.

He added that organisations can’t assume staff will be vigilant in protecting their own devices or company-provided devices.

“Unprotected devices holding sensitive information offer a 'soft target' to cyber criminals looking to extract valuable company secrets,” he said.

“An employee might install a malicious app on their mobile device which then 'eavesdrops' on all subsequent communications. If they then connect a compromised device to the corporate network, this can be a backdoor route to let a determined criminal mount an even wider-ranging attack. In this way the internet browsing behaviours of employees even when they are not at work can have major implications for their organisation.”

Searle recommends the following steps to keeping data safe from cyber criminals:
1. Implement and enforce a strong security policy
Organisations should conduct a prioritised assessment of the risk that any mobile device, whether company-owned or BYOD, represents and develop a clear policy explaining how employees should use devices and setting out the security measures to protect information. Properly thought-through security will provide benefits to employees without unnecessarily impacting on the use of their personal devices.
2. Educate employees
Businesses must educate employees about the risks of using their own devices and prioritising convenience over security. An obvious step would be education about the risks of using open, unencrypted Wi-Fi connections. This is one part of getting employees to care about security and understanding that they have an important role to play in keeping the organisation’s cyber security risk to a minimum.
3. Implement appropriate security controls
Traditional mobile device management solutions will go some way to protecting companies, but there is much more that businesses can do. Businesses should install a multi-layered security model that includes device configuration and management, appropriate secure connection methods, on-network content filtering solutions, and ongoing monitoring of corporate networks.
For example, an appropriately encrypted VPN service could be used on untrusted networks. This can be combined with a global, cloud-based security solution that can scan the content, source and destination address by using specialised detection methods which block security threats and unacceptable content.