
Employees’ use of personal devices puts firms at risk of malware infection, says report

Downloaders care about their own security while grabbing pirated content, not that of their employers

Six in ten UK employees are putting their businesses at risk of malware infection by using their personal devices to access corporate networks and illegal pirated content, a study has revealed.

Although 80% of those accessing the content consider the personal security risks of doing so, only 60% consider the security implications for their employers, according to a study commissioned by threat management firm RiskIQ.

“Pirate sites are an easy way of distributing malware so it should be a major concern for corporate security teams that so many individuals don’t consider the security implications,” said Ben Harknett, vice-president for Europe at RiskIQ.

“Our study of piracy sites for the Digital Citizens Alliance revealed that individuals who stream or download pirated content online are 28 times more likely to get malware than those who use legitimate services to obtain content,” he said.

“For corporate security this is a 28-times higher risk of malware making its way into the corporate network from employees’ own devices,” Harknett added. 

The study also revealed 33% of piracy sites had at least one malware incident within the four-week period studied, while 20 of the sites exposed 75% of visitors to malware.

Of the malware found, 45% was delivered by drive-by download, which requires no click from the visitor after arriving on the site, infects users silently and often goes completely undetected. The remaining 55% of malware lured users with prompts to download Adobe Flash or anti-virus updates.

The top reasons given for downloading or streaming pirate content are that it is free (23%), that it is available before paid content (13%), the belief that all content should be free (12%) and that the content people are trying to access is not available in any other way in the region (10%).


Graeme Grant, head of internet anti-piracy operations at worldwide recording industry association IFPI, said research has shown that cyber criminals have used content, such as music, as a way to compel users to download malicious applications.

“Once installed, many users unwittingly grant the malicious application excessive permission, thereby allowing an attacker to gain access to information on the device which could compromise the security of both the user and the corporation.

“Our own findings have been corroborated by the study that RiskIQ has carried out, showing that there is a definitive need for businesses to prevent user access to pirated content and those applications that facilitate such access,” he said.

Harknett concluded that organisations need to educate employees on the cyber risks of using pirate content sites and the potential consequences to the organisation.
