The results of a YouGov survey released by WinMagic Inc. highlight the risks to corporate data from BYOD (bring your own device); lack of encryption and inadequately protected devices put corporate data and networks at risk.
The survey of UK office workers found that 42 percent use devices not provided by their employer to work with corporate e-mails and files. Half (52 percent) also use personal online accounts, such as Enterprise File Sharing Services (EFSS) to store or access work files: with only 34 percent saying they have never done so.
Office workers claim to use a wide range of personal devices to store or access work files and systems including laptops (30 percent), smartphones (22 percent) and USB Storage devices (17 percent). The top three personal online accounts used by office workers to store and access work files are Hotmail (14 percent), Gmail (13 percent) and Dropbox (10 percent).
These devices often lack the same level of security that an enterprise would employ, putting corporate data at risk. For example, only 52 percent of respondents protect all their devices with up to date security software. Although it is the employee’s responsibility to protect personal devices, employers need to do more to control and protect the way in which corporate data is moved. Otherwise, data leaves the organization without the correct security controls in place – ultimately it should always be under the protection of the organization, even when it exits the firewall.
Corporate data unprotected ‘in the wild’
Only 18 percent of office workers surveyed said their employer always encrypted the files accessed through personal devices or stored on personal online accounts. Working on data remotely helps employees be flexible and productive, however, one of the most common ways for data breaches to occur is through the loss of a device. An unprotected device, with unencrypted corporate data may include credit card, medical, or other personal customer data, as well sensitive corporate data and systems, open to use by unauthorised individuals. Such losses and limited protection, can lead to identity fraud and a company failing to meet the standards expected by regulators. The EU General Data Protection Regulation (EU GDPR), will apply to UK companies from 2018 that are ‘controllers’ or ‘processors’ of European personal data, regardless of the UK decision to leave the European Union. There are stringent rules on the management of personal data, and hefty fines for failures that lead to a breach, accidental or otherwise. Personal data will include identifiers such as an account numbers and even IP addresses.
Mark Hickman, Chief Operating officer at WinMagic, commented: “IT departments need to consider carefully how they strike the balance between giving employees the flexibility they need, and ensuring the security of corporate data. Achieving that requires a combination of software and employee education, to help improve personal IT habits that are out of control of the workplace. This is one of many areas where encryption can play a key role, protecting data stored in the cloud and on remote devices, on personal as well as corporate accounts. Encryption remains the last line of defence, when an online account is breached or a device lost.”
Passwords still a risk
Recently publicised data breaches are just a few of the examples that have led to millions of usernames and passwords getting into the hacking community. With, 26 percent of office workers admitting they use the same password for some of their work account and personal online accounts, hackers are gaining direct access to both employer and personal accounts. 5 percent stated they use the same passwords for all work and personal accounts.
Despite admitting the failings of their home security habits, 20 percent of office workers stated their company allows the use of personal online accounts and devices to access work files, if employees have adequate security software installed. A further 35 percent confessed that they should not use personal accounts and hardware at all according to their company policy.
Hickman continued, “Employees are simply trying to get their job done as efficiently as they can, but are often unaware of the risks they could be exposing their employer to. With effective device and encryption management strategies, IT departments can provide transparent and frictionless protection to data, without hampering the productivity of the workforce.”