In a MIDMRKT Suite Survey of 212 IT executives in the midmarket, 76% of organizations allow for individually liable devices. In fact, of those 162 organizations, there are nearly 90,000 devices being used by employees for personal AND business use.
How many of those devices have the “WhatsApp” downloaded today?
Let’s review some daunting facts:
- Three years ago, Facebook exposed the world to Russian trolls filtering fake news stories to billions of people. Read Article. This displayed a vulnerability that the general population more or less accepted.
- Last year, they were found giving free data to outside organizations, such Cambridge Analytica. Read Article. Some users were upset, but not enough to really impact the organization. Many users simply changed some privacy options in their profile and continued socializing.
- This week, a billion phones with the application WhatsApp have been exposed to a huge security vulnerability. FYI…Facebook owns WhatsApp. They are telling us to ‘update the app and all should be good.’
Three strikes you’re out?
After the first strike, Facebook assured the general population that they wouldn’t let this happen again and an awareness campaign was set to educate users about fake profiles and news…sounds a lot like “Cybersecurity Awareness Campaigns”, right?
On strike two, we saw Zuckerberg apologize to congress and assure us once again that we are safe to continue our daily online mingling, but even this year more investigations are popping up about the extent of data sharing by Facebook. Read Article
Strike three exposes a huge threat to companies who are also trying to manage a cultural shift, allowing for mobility and flexibility in the workforce.
Three questions a security leader needs to ask today:
- If there was a point of exposure in the WhatsApp application, what other apps have been breached without our knowing?
- How many employees check Facebook on company devices? Who’s to say a zero-day attack can’t come from a site that has shown a clear disregard for security? Check out our last blog about zero-day attacks
- What’s our policy for personally liable devices? Perhaps, it’s time to update it?