When businesses think about securing their information against hackers and data thieves, computers and servers are usually the first vulnerabilities that come to mind. Company-issued laptops are likely well protected by passwords and other precautionary protocols. Also, employees tend to be fairly mindful of safe email protocol when they use company devices. A good business will provide training and detailed procedures to employees regarding actions that keep company data secure.
In most businesses, there are likely protocols in place that prevent employees from downloading unapproved apps and programs to company computers. However, unless a company cellphone policy has also been implemented, those protocols might fail to include what an employee is and is not allowed to download to their personal cellphone, even if they’re conducting company business on it.
A gaping hole in business data security that often gets overlooked is employee cellphone usage. And it’s not just a matter of employees downloading something they shouldn’t. Employees can easily be caught off guard by good old-fashioned trickery. And if you don’t have automated, technologically sound measures in place to reduce your risk of fraud via social engineering and phishing, it’s only a matter of time before valuable data is stolen.
How scammers trick employees via smartphone
In certain industries, it’s commonplace for employees to conduct internal or external business using their personal smartphones. Therefore, it may not be a red flag when co-workers or administrators call employee phones. According to CiraSync SaaS strategist Connor Provines, a lack of support on personal phones creates a security blind spot.
Provines says, “Right now in the United States, the most frequently reported cybercrime is phishing. An employee will get a call on their phone from someone saying ‘It’s Jan from HR; there’s an issue with your paycheck. Can you give me some information so we make sure it gets to you?’”
If there isn’t an automated global address list in place for the company, workers are more likely to be tricked by someone calling from an unknown number.
“That happens thousands of times every day,” Provines says. “It’s one way huge security incidents happen.”
CiraSync can be an option to address this security vulnerability. The software connects to the company’s global address list and automatically pushes updated contact information to employee smartphones. That way, anyone calling from an unknown number who claims to be a member of the company can be disregarded.
“CiraSync closes that security gap. If the caller is with your organization, it will show up on your phone with their picture. If the call shows an unknown number, you know it’s someone pretending to be somebody else,” Provines explains.
Automation for scaling
Employees in very small companies are harder to trick with phone scams. If your business only has five people involved, those individuals are likely to have each other’s numbers saved in their phones and can recognize familiar voices.
If a business has any intention of growing and scaling, however, security vulnerabilities can start to compound. At a certain level of growth, workers aren’t going to be familiar with everyone in the system, and they certainly aren’t going to manually keep contact information up to date on their phones. Once you grow to 20, 30, or 100+ employees, you’re going to need an automated solution to protect sensitive information.
“For whatever reason, some major companies never built that bridge between the central database and endpoint users. Organizations need a third-party solution that can bridge the gap between the ecosystem and their smartphone,” Provines says.
Simply put, these companies allow a centralized global address list, but they won’t automatically push that list to employee smartphones. Similarly, contact information in certain apps won’t automatically flow through to personal smartphones. CiraSync fulfills that missing automation component.
Closing the forgotten security gap
More employees than ever are using personal devices in the workplace. In data collected before the COVID-19 pandemic, 95% of companies allowed workers to use personal devices for business purposes. And even if a company has an office phone system, up to 75% of employees forward work calls to their personal smartphones.
Even though business is conducted on personal smartphones, very few organizations have oversight of those devices. So while company-issued computers, email systems and data servers tend to get the bulk of IT professionals’ attention, those precautions won’t protect anything if a scammer can get the data directly from a human.
It’s like guarding a bank. You can have the most secure building with the thickest vault doors, but none of that matters if someone with the keys opens it up and hands the money to the robbers when they ask for it.
So if your business hasn’t considered the security of personal smartphones being used for business and interoffice communication, that’s a problem. Implementing automations to help employees distinguish genuine calls from phishing attempts is relatively easy to accomplish and can keep data secure.