Despite 84% of CIOs and IT managers of large UK organisations believing that user-owned devices - such as iPads, tablets, laptops, or smartphones – represent an important, growing security risk, over half (51%) allow the use of such devices for work. This is amid a spate of high profile IT security incidents in the UK and abroad, and the increasingly aggressive targeting of mobile devices by cyber criminals.
That’s according to an independent study commissioned by Dimension Data, which shows that an alarming 39% of the businesses that allow user-owned devices do not use encryption - a fundamental IT security measure - to protect the corporate data on them. The report also reveals that 82% of respondents agree that opening up corporate data to employees to support mobility and productivity significantly increases the risk of serious, damaging security incidents. Yet around one in five (17%) of organisations that support remote or mobile working don’t have anti-virus protection on their mobile devices, and a third (34%) don’t have anti-spam.
Chris Jenkins, Security Solutions Line of Business Manager, Dimension Data UK, says: “Too many businesses are leaving the door to their corporate data wide open, so it’s no surprise our study shows that the biggest cause of data loss is via accidental loss by employees. If you allow employees to connect their own devices to the corporate network, you have to accept that company data will be stored on them when the user leaves the premises. High-value smartphones, laptops and tablets are prime targets for thieves and can be compromised by malware, potentially making it easier for attackers to steal logon credentials, account details or commercially sensitive information. Unless you have plans to protect data against this threat, by using security measures such as encryption, you’re risking accidental or even malicious losses.”
Importantly, even the businesses that don’t allow user-owned devices at work are likely to have the same data security challenges as those that do, as employees are bringing their own gadgets to work anyway. A recent global study*** found that 95% of respondents use at least one self-purchased device for work. “Completely unmanaged mobile devices connecting to the corporate network are obviously a greater security risk than sanctioned, managed devices,” says Jenkins, “so their growing presence at work makes this issue even more critical.”
According to Jenkins, protecting business-critical data is, unfortunately, harder today than it has ever been. “Traditionally, IT departments could treat the business as a fortress, and simply protect the corporate network from any outsiders gaining entry. This approach, however, is not suited to today’s business environment. Lock the network down, and you may as well shut up shop – nobody will be getting any work done. The challenge is to secure data when the network is increasingly porous, and workers, suppliers, partners and so on are taking the business equivalent of the crown jewels out of the tower on a daily basis, using an increasing variety of devices.”
Rob Ayoub, Global Program Director - Information Security research at analyst firm Frost & Sullivan, says: “Businesses need to go back to basics, and deploy primary security measures such as encryption and up to date security policies, as a matter of urgency. The good news is that basic security measures can be put to good effect, if deployed to meet current threats. However, they are only part of the solution: businesses will need to consider more advanced measures, such as port control and Network Access Control (NAC), to mitigate risks including the accidental or malicious dissemination of data from devices while they are still in the possession of the employee.”
Dimension Data’s Jenkins insists that organisations can strike a balance between data security the productivity benefits of allowing employee-owned devices at work. “It’s a matter of balancing the employee benefit of using their device for corporate access against the business requirement for data security. For instance, a business could supply encryption software free of charge to the employee on the basis that they accept that the business retains the ability to remotely wipe the device if necessary. The organisation could then use more sophisticated protection, such as Network Access Control (NAC) to allow authenticated and profiled devices onto the corporate network and unauthenticated devices only Internet access.”
Louise Taylor, Senior Associate at international law firm Taylor Wessing, adds: “Protecting data on mobile devices is not simply a matter of deploying appropriate security technology - although such technology is crucial. Businesses may also need to update their IT or other employee policies to clarify their data security practices regarding the use of mobile devices and the related employee obligations. Employees need to understand and buy into the importance of securing confidential and personal data in order to minimise the legal and other risks arising from data loss or security breaches.”
Taylor continues, saying: “If an employee is using a device for work, both the business and the employee have legal obligations to protect confidential information and personal data. These obligations apply regardless of whether the employee or the business owns the device.”