They already feel like overused, clichéd expressions: “These are uncertain times.” “We need to prepare for the new normal.” While it’s only been 8 months since those sentiments started popping up, it already feels like it’s been years. When it comes to the security of your organization’s information, staff training is now more important than ever. Prepare them not just for what uncertainty may still lie ahead, but also for threats that are already here today.
The Everywhere Enterprise
Recently MobileIron, a security platform provider, polled 1,200 workers worldwide to examine their productivity needs during the shutdown. They published their results in the report The Everywhere Enterprise. The title is a phrase coined to describe the new work experience that has replaced the office environment: “Work takes place everywhere and data resides everywhere.”
Some of the findings were fairly predictable:
- 80% of the employees polled said they don’t want to return to the office full-time.
- 72% of employees find their mobile device important to ensure productivity while working remotely.
But the findings regarding security may cause you some concern:
- 33% of employees consider IT security “a low priority”
- 43% did not know what a mobile phishing attack was (!)
The new normal is already here
What does this all mean for you? Well, we are likely already in some form of “the new normal”. So the time is NOW to make adjustments to maintain workplace security standards for your remote workers. If almost three-quarters of all workers consider their mobile devices important for their remote work yet nearly half of all workers have no idea what a mobile phishing attack is, we clearly have a problem on our hands! Training your workers how to avoid mobile phishing scams is more essential now than ever.
Why the bad guys love mobile phishing
My colleague Tim Haight wrote a post last year about why mobile phishing is so successful for cyber crooks, including:
- Screen size: The smaller screen size makes it harder to see the headers of emails, where a spoofed address might be detected. It’s also more difficult to view multiple pages without toggling back and forth or hitting links. This creates a greater chance of accidentally clicking on something malicious.
- Distraction: When users are reading messages on their phones, they may also be on other devices at the same time. This is especially true if they are doing so as part of their remote work. Or, if they are checking email or text messages while out and about, they likely have other distractions around them. Furthermore, they may have multiple apps running at the same time and be bouncing back and forth between them. This lack of focus can be their downfall.
- Reaction-based interface: Mobile graphical user interfaces foster action – accept, reply, send, like, etc. – and are designed to make it easier for users to respond quickly to a request. However, this is a double-edged sword: A snap decision can be costly. This is particularly true since the user is also restricted in what he or she can see due to screen size and may miss clues to malicious intent.
Dan Callahan, our VP of Global Services, provided a good set of guidelines in his post on phishing protections earlier this year. Even if some of your workers are already familiar with phishing and what to be looking out for, a “reminder session” every so often is always a good idea. And workers specifically need to have awareness training when it comes to mobile phishing. That’s important because today’s smartphones provide multiple points of access for scheming cyber criminals.
Besides basic phishing tactics carried out via email, make sure they’re also made aware of:
- Vishing, the form of phishing made by phone calls and/or voicemail where the bad guys pretend to be from a reputable business in order to get them to reveal confidential information.
- Smishing, where text or SMS messages are used to trick them into revealing private information. I recently wrote a blog about a specific smishing campaign that impersonated the US Postal System. You may want to share it as an example of what to look out for.
Save your users – and your organization – from the damage that can be done through a successful mobile phishing attack before it’s too late. If you need some tips on security awareness training – specifically, how to keep your users engaged – you can read our advice here and here. Or reach out to us for more help.