Thursday, April 25, 2024

What’s the best approach in protecting biz data on users’ mobile devices?

By Terry Greer-King

Newton’s first law of motion states that a moving body will want to keep moving. The same law also seems to apply to business data on mobile devices: once the data is in motion, it has a habit of keeping in motion, and potentially falling into the wrong hands.

What’s more, it’s a problem that is quickly getting out of hand. In April 2013, we surveyed nearly 800 IT professionals worldwide about mobility and mobile device usage in their organizations. Of those professionals, 79 percent said they’d had a mobile security incident in the past 12 months.

In many cases, these proved very expensive: 42 percent of businesses reported that mobile incidents had cost them more than $100,000 in the past year in staff time, legal fees, fines and remediation. Surprisingly, 16 percent reported that incidents had cost them over half a million dollars.

While the numbers of incidents and associated costs may seem high, the survey offers an explanation: 88 percent of respondents said the number of personal mobile devices connecting to their organizations’ networks had more than doubled in the past two years.

And those devices carry a range of sensitive information: the most common types of data held on personal smartphones and tablets were business email (88 percent), contact information (74 percent), corporate calendars (72 percent) and customer data (53 percent).

Uncontained and unmanaged

The challenge of securing mobile devices has grown to the point where it is overwhelming some IT departments – so much so that many BYOD smartphones and tablets are being left unmanaged, despite the evident risk of data breaches and losses.

The survey found that 63 percent of respondents said they had not even attempted to manage corporate information on employee-owned devices, with just 23 percent using mobile management tools or a secure container on the device.

Why have security strategies to protect data and assets on employee-owned devices fallen behind? Part of the reason is that IT teams don’t have endless time and resources to invest in securing mobility. They have to prioritise – and unfortunately the influx of employee devices is racing ahead of the resources available to manage them.

Those organizations may be relying on employees being security-conscious in processing corporate data on their personal devices — and many employees will be. But employees are typically focused on working more efficiently and getting their jobs done, not on whether their actions might create a security risk. Most of the time, there is no malicious intent by the employee and the data remains in the proper hands.

But inadvertent, accidental losses will still occur. In our survey, 66 percent of IT professionals said they felt that careless employees posed a greater security risk to their organizations than cybercriminals.

It’s the content, not the device

So how should organizations approach protecting their sensitive data against the risks of loss or theft from employees’ mobiles? Part of this involves making users aware, through education, of the organization’s data security policies and of the possible consequences of data losses.

Also, focus should be placed on identifying, isolating and encrypting business data, wherever it resides. This way, even if a well-intentioned user copies corporate data onto their device, or accesses the data via email or another app, it will remain secured against loss.

Better still if the process of securing the data can be automated as a matter of policy so that it’s protected in any circumstance — whether copying files to a mobile device, or distributing files by email, and so on. The less the user is aware of the security solution — and latest-generation products are very unobtrusive in action — the less it interferes with their workflow, and the more secure your data becomes.

The key point is that organizations should not need to concern themselves with having to manage a wide range of employees’ personal devices: just with the business data that may find its way onto them.

Managing devices can interfere with employees’ application user experience and their privacy, which in turn can lead to people trying to work around the organization’s policies.

Focusing solely on managing the business data simplifies the BYOD issue, as the device being used to access the data is of less importance, as long as the data is secured and the person using that data has the appropriate permissions to do so. This ability to enforce data security policies is critical, as it lifts much of the burden of managing the proliferation of devices from IT teams.

The author is the managing director for the United Kingdom of Check Point Software.
