Nexon blog - “Dad, gimme your phone?” Who sneaks in while the kids are gaming at a BBQ?

We’ve all done it, especially over the silly season. Christmas shopping, at a BBQ or juggling work deadlines, we hand over our unlocked phone or laptop to the kids for a bit of peace and quiet. But when work devices get involved, the risks are real.

Popular games like Roblox, Minecraft, Fortnite, Pokémon Go and hundreds of others can be great fun for kids (and, ahem, adults), but business and pleasure don’t always mix.

In my security work, I’ve seen sharing of work devices lead to serious breaches, including cases where a single breach caused weeks of downtime and significant costs. The risk is here and now.

It's game on for hackers

Picture this: your niece is playing a popular adventure game using your work phone. Up pops an in-game purchase, maybe “Infinite Health” or exclusive silver shoes. You, of course, refuse to pay the $5 in tokens.

Your savvy young gamer immediately searches for “free Infinite Health hack” and downloads it. Armed with infinite lives, it’s game on for your niece.

Behind the scenes, it’s also game on for cyber criminals who specifically target this common vulnerability. The “hack” contains malware that probes your device for access to corporate networks, passwords and data, sometimes lurking dormant until an opportunity arises.

And it’s not just gaming. Employees send spreadsheets to personal email accounts, download unauthorised apps for convenience, or share sensitive information with AI chatbots outside corporate guardrails. Others work from holiday locations on unsecured café Wi-Fi or leave devices on trains, particularly on the way home from a Christmas party.

Life happens, especially during the silly season

Of course, security consultants like me will tell you to only use personal devices for non-work activities, and your IT department will have policies against it. But it’s not fair, or wise, to pin this all on individuals. Nagging, convenience, human nature and general silly-season chaos mean these rules will inevitably be broken.

In fact, every single organisation we tested this year had preventable vulnerabilities, and people remained the most exploitable entry point. In Nexon’s latest Cyber Security Report, covering penetration testing across 126 Australian organisations, 83% of phishing attempts successfully captured credentials, and 60% of simulated attacks went completely undetected by monitoring teams.

Once attackers gain initial access, 72% of our tests escalated to domain admin control, effectively giving them the keys to the kingdom.

Guardrails to find more peace on earth

The reality is that we have to accept some level of risk. But there are practical ways IT and security teams can put guardrails in place.

Quick wins you can implement now:

Enable MFA everywhere

Make sure it’s configured for every account and service.


Use conditional access policies

Block access from unusual locations or outside business hours, and err on the side of caution: if a sign-in doesn’t clearly fit the policy, deny it.
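As an added illustration of the MFA and conditional access quick wins above (example code, not Nexon’s or any vendor’s policy engine), this evaluates constructed sign-in events against a default-deny rule set: MFA must be satisfied, the country must be one the user normally signs in from, and the sign-in must fall within business hours. The user list, countries, hours and the fixed AEDT offset are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta, timezone

@dataclass
class SignIn:
    user: str
    country: str        # ISO country code reported for the sign-in
    when: datetime      # timezone-aware timestamp of the attempt
    mfa_satisfied: bool # did the session complete a second factor?

# Constructed policy data (hypothetical): usual countries per user,
# business hours, and the office timezone as a fixed AEDT offset.
USUAL_COUNTRIES = {"alice": {"AU"}, "bob": {"AU", "NZ"}}
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)
OFFICE_TZ = timezone(timedelta(hours=11), name="AEDT")

def evaluate(signin: SignIn) -> tuple[str, str]:
    """Return ("allow"|"deny", reason). Anything not explicitly allowed is denied."""
    if not signin.mfa_satisfied:
        return "deny", "MFA not satisfied"
    usual = USUAL_COUNTRIES.get(signin.user)
    if not usual:
        return "deny", "unknown user"          # err on the side of caution
    if signin.country not in usual:
        return "deny", f"unusual location {signin.country}"
    local = signin.when.astimezone(OFFICE_TZ)
    in_hours = BUSINESS_START <= local.time() < BUSINESS_END
    if local.weekday() >= 5 or not in_hours:  # weekend or outside 07:00-19:00
        return "deny", "outside business hours"
    return "allow", "policy satisfied"

def evaluate_all(signins: list[SignIn]) -> list[tuple[str, str, str]]:
    """Evaluate a batch of sign-ins and return (user, decision, reason) rows."""
    return [(s.user, *evaluate(s)) for s in signins]

# Constructed sample sign-ins: a Tuesday morning and a Saturday morning in December.
SAMPLE = [
    SignIn("alice", "AU", datetime(2024, 12, 10, 10, 0, tzinfo=OFFICE_TZ), True),
    SignIn("alice", "RU", datetime(2024, 12, 10, 10, 0, tzinfo=OFFICE_TZ), True),
    SignIn("bob", "NZ", datetime(2024, 12, 14, 10, 0, tzinfo=OFFICE_TZ), True),
    SignIn("bob", "AU", datetime(2024, 12, 10, 23, 30, tzinfo=OFFICE_TZ), False),
    SignIn("carol", "AU", datetime(2024, 12, 10, 10, 0, tzinfo=OFFICE_TZ), True),
]

if __name__ == "__main__":
    for user, decision, reason in evaluate_all(SAMPLE):
        print(f"{user:6} {decision:5} {reason}")
```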


Separate networks

Segment corporate systems so a compromised device can’t access everything.


Restrict applications

Use application whitelisting so that only approved corporate apps can run on devices, which helps prevent unauthorised downloads from executing.


Deploy 24/7 monitoring

As I wrote recently, credentials are your new perimeter, but monitoring tools are only effective if someone is watching the alerts and responding to them.


Implement backup and disaster recovery

When breaches happen (and it’s when, not if), quick recovery minimises damage.


Train your staff

Run some extra sessions to make them aware of risks around downloads, personal device usage and shadow IT.


Longer-term investments worth considering:

Not sure where your organisation sits? A cyber security assessment can identify which of these measures will deliver the most immediate protection.


Mathew Boulenaz is Cyber Security Pre-Sales Lead at Nexon Asia Pacific. For more information about credential monitoring, SOC services and assessing your security posture, contact us at nexon.com.au/nexon-cyber
