Many organizations are struggling to manage mobile working risks
- Published: Thursday, 16 March 2017 10:55
By Jon Fielding
A new survey has identified mobile working as a major area of risk, with many companies uncertain about how to enforce adequate security policies and having no viable strategies in place. As mobile devices extend the boundary of the corporate network, ensuring confidentiality, integrity and availability of the data that the devices store, process and access is a constant challenge.
The survey, conducted for Apricorn by Vanson Bourne, collected responses from 100 IT decision makers across the UK. It highlights a lack of rigor and consistency when it comes to protecting data, with 70 percent of respondents agreeing that securing corporate data is an ongoing battle. In fact:
- 29 percent of surveyed organizations have already experienced either a data loss or breach as a direct result of mobile working;
- 44 percent of surveyed businesses expect that employees will lose data and expose their organization to the risk of a data breach.
The number of employees in the UK who say they usually work from home has increased by nearly a fifth over the past 10 years to reach a record 1.5 million, according to analysis published by the TUC in May 2016. As these numbers increase, so too does the risk. Mobile working is a major problem as almost half of the companies surveyed say employees are one of their biggest security risks. Worryingly, 53 percent said that managing all of the technology that employees need and use for mobile working is too complex, while 35 percent complain that technology for secure mobile working is too expensive.
It is the responsibility of company executives and their IT departments to ensure that company data, wherever it resides, remains secure. However, one in ten companies with over 3,000 employees do not have a security strategy that covers remote working and BYOD, and an equal number say they don’t have a strategy that covers removable media such as USB sticks. Removable devices such as compact flash drives can pose a huge problem for businesses, not only because they are easy to lose or steal, but also in terms of the malware they can introduce to networks. If organizations have no way of enforcing relevant security strategies on these devices, it is almost as risky as having no policies in place whatsoever.
Despite some of the survey respondents having defined security policies for mobile working, 68 percent say they cannot be certain that their data is adequately secured when employees work remotely or on mobile devices. Encryption is the most viable option for organizations to protect valuable data outside of the corporate network, whilst also balancing control and accessibility. However, only a third of those surveyed say they enforce hardware and software encryption of their data, and 12 percent do not have any policy at all regarding encryption for data that is taken away from the office.
It is not only company policies that employees need to be wary of. There are numerous compliance mandates and regulations that organizations must adhere to in order to keep confidential data secure. In 2018, the European General Data Protection Regulation (GDPR) will come into force, replacing the 1995 Data Protection Directive, and fines of up to €20 million or 4 percent of global annual turnover will be introduced. Under the new rules, EU citizens will have much more control over their personal data. The request for their consent must be explicit; the reason for collection of their data and how it will be used and stored must be clear; they have the right to demand their data in a portable format; and they have the right to request that all their data is deleted from the system. Businesses must have systems and processes in place to comply with citizens’ rights, or risk fines. The GDPR also introduces specific breach notification guidelines.
The financial and reputational impacts of a data breach are obvious examples of the damaging consequences that can result from lapses in information security by home workers, yet the survey found a distinct lack of awareness amongst UK companies when it comes to the GDPR requirements. Disturbingly, almost a quarter of the surveyed organizations are not even aware of the GDPR and its implications, and of those that are aware, 17 percent don’t have a plan for ensuring compliance.
Organizations need to ensure they have a secure information management process in place that encompasses home and remote working. Implementing an agile set of security policies that can be adopted and adhered to by the entire organization will demonstrate that they have taken necessary action to mitigate the risks to their sensitive information.
To enable employees to work remotely, businesses also need to enforce security policies, the deployment of corporate-approved devices and, importantly, data encryption on those devices, all of which can reduce the risks posed by a remote and mobile workforce. Equally, education and responsibility are crucial to preventing a potentially devastating data breach and will allow businesses to address compliance mandates such as the impending GDPR.
Jon Fielding is the Managing Director of Apricorn in EMEA and brings extensive experience in growing companies in the EMEA market. Jon is responsible for the sales & operations strategy, driving revenue growth and establishing the channel network in the region.
Jon is CISSP certified and has been focused on information security for the past 18 years, working with a variety of organizations from IBM to security start-ups such as Valicert and Tumbleweed.
Jon joined Apricorn from IronKey, where he worked exclusively in the secure USB market, having established the IronKey office in EMEA eight years ago as the first in the region. During his tenure, IronKey was acquired by Imation and then by Kingston.