Please note that this is a page from a previous version of Continuity Central and is no longer being updated.


Inadequate security on mobile phones and tablets exposes UK businesses to massive risk: new research by PwC/InfoSecurity Europe

Organizations large and small are failing to respond to the culture of employees using their own mobile devices for work and are opening up their systems to security risks. These are the preliminary findings of the 2012 Information Security Breaches Survey (ISBS) written by PwC in conjunction with Infosecurity Europe and supported by the Department for Business, Innovation and Skills. The results will be revealed in full at Infosecurity Europe on 24 April.

Previewed results include:

  • 82 percent of large organizations reported security breaches caused by staff, including 47 percent who lost or leaked confidential information;
  • Only 39 percent of large organizations encrypt data downloaded to smart phones and tablets;
  • 54 percent of small businesses (38 percent of large organizations) don’t have a security awareness programme;
  • While 52 percent of small businesses say social networking sites are important to their business, only 8 percent monitor what their staff post on those sites.

Some 75 percent of large organizations (and 61 percent of small businesses) allow staff to use smart phones and tablets to connect to their corporate systems and yet only 39 percent (24 percent of small businesses) apply data encryption on the devices. A substantial 82 percent of large organizations (and 45 percent of small businesses) reported security breaches caused by staff, and 47 percent (20 percent of small businesses) lost or leaked confidential information, showing this is not a threat they can ignore. Personalisation is creating new security threats, from both malicious software and data loss, the survey shows, and organizations that allow personally owned devices tend to have weaker controls than those that allow corporate devices only.

Chris Potter, PwC information security partner, said:

“With the explosion of new mobile devices and the blurring of lines between work and personal life, organizations are opening their systems up to massive risk. Smart phones and tablet computers are often lost or stolen, with any data on them exposed. Mobile devices can literally drill straight through your security defences, if you’re not careful.

“However, organizations aren’t responding to these new challenges. Just as we saw a decade ago with computer viruses, companies are slow to adjust their controls as technology usage changes. It’s vital to tell your staff about the risks. If you don’t, your own people could inadvertently become your worst security enemy. It’s clear how important smart phones and tablets have become - as confidential data is increasingly stored on them, the chance of data breaches increases.”

Alarmingly, 54 percent of small businesses (and 38 percent of large ones) don’t have any kind of programme for educating their staff about security risks. Only 26 percent of respondents with a security policy believe their staff have a very good understanding of it while 21 percent think the level of staff understanding is poor. Indeed, 75 percent of organizations whose security policy is poorly understood had staff-related security breaches in the last year.

One in seven organizations that give a high or very high priority to security haven’t written down their policy; most of these are small businesses that rely on word of mouth instead, but only a third think their staff fully understands it. Those companies that have invested in staff awareness training meanwhile are reaping the benefits – they are four times as likely to have staff who clearly understand the security policy and half as likely to have staff-related security breaches as organizations that don’t train their staff.

Chris Potter, PwC information security partner, said:

“Setting out your security is essential to ensure staff know what risks to look out for, how to handle data appropriately and what to do if a breach occurs. The root cause of security breaches by staff is often a failure by organizations to invest in educating staff about security risks. Yet organizations are failing to promote a culture of security awareness so staff are often unaware of the risks they’re posing.

“Often, breaches occur through ignorance rather than malice. Possession of a security policy by itself does not prevent breaches; staff need to understand it and put it into practice. The survey results show a clear payback from security awareness programmes – education leads to greater understanding which in turn leads to fewer breaches. Unfortunately, the survey results also show that it often takes a serious incident before companies train their staff.”

The survey suggests that with their increasing dependence on social networking sites, organizations are targets. Half of the organizations surveyed say they think social networking sites are important to their business, up from only a third two years ago. Yet, controls aren’t keeping pace. For example, only 8 percent of small businesses (and 13 percent of large ones) monitor what staff post onto social networking sites.

Chris Potter, PwC information security partner, said:

“Given how important social networks have become over the last few years, it’s surprising how little the control techniques used have changed. Large organizations - especially in financial services - rely on blocking social media sites rather than monitoring their use while half of small businesses don’t even have basic web blocking and logging software.

“Companies are now much more dependent on the relatively anarchic information flows within social networks. Above all, dependence on the Internet is at an all-time high, which organizations often find out the hard way. Many are opening up their systems but doing little to mitigate the risks.”

The survey findings are based on responses from security professionals in 447 organizations spread across all industry sectors, of which roughly a fifth were from the public sector.


• Date: 18th April 2012 • UK • Type: Article • Topic: ISM
