UK organisations are struggling to get the basics right when it comes to securing mobile devices - especially employee-owned devices - at work. An alarming 39% of UK businesses that allow employee-owned devices at work do not use encryption to protect the corporate data on them. In addition, 17% of organisations that support remote or mobile working don’t have anti-virus measures on mobile devices, and 34% don’t have anti-spam. This is despite the recent spate of high-profile IT security incidents in the UK and abroad, and widespread acceptance of the mounting security risks arising from the use of mobile devices at work*.
That’s according to an independent study commissioned by Dimension Data, which shows that over half (51%) of large UK businesses allow the use of employee-owned devices - such as iPads, tablets, laptops, or smartphones - for work. It also reveals that CIOs and IT managers accept that user-owned devices represent an important, growing security risk: 84% of all respondents agree that the use of such devices at work significantly increases the risk of serious, damaging data leakage incidents. Similarly, 82% agree that opening up corporate data to employees to support mobility and productivity does the same.
Chris Jenkins, Security Solutions Line of Business Manager, Dimension Data UK, says: “The mounting challenge facing businesses is that, although the need to protect data security hasn’t changed, the means of protection must change in response to how the means of access are constantly changing. Our study - and the steady stream of major data loss incidents - shows that businesses are playing catch-up. They are struggling to control corporate data when the network perimeter is increasingly porous, and workers, suppliers, partners and so on are taking the business equivalent of the crown jewels out of the tower on a daily basis, in a multitude of ways.”
Importantly, even the businesses that don’t allow user-owned devices at work are likely to have the same data security challenges as those that do, as employees are bringing their own gadgets to work anyway. A recent global study*** found that 95% of respondents use at least one self-purchased device for work. “Completely unmanaged mobile devices connecting to the corporate network are obviously a greater security risk than sanctioned, managed devices,” says Jenkins, “so their growing presence at work makes this issue even more critical.”
Rob Ayoub, Global Program Director - Information Security research at analyst firm Frost & Sullivan, says: “Businesses need to go back to basics, and deploy primary security measures such as encryption and up-to-date security policies, as a matter of urgency. The good news is that basic security measures can be put to good effect, if deployed to meet current threats. However, they are only part of the solution: businesses will need to consider more advanced measures, such as port control and Network Access Control (NAC), to mitigate risks including the accidental or malicious dissemination of data from devices while they are still in the possession of the employee.”
Dimension Data’s Jenkins insists that organisations can handle data security in a way that embraces employee-owned devices. “It’s a matter of balancing the employee benefit of using their device for corporate access against the business requirement for data security. For instance, a business could supply encryption software free of charge to the employee on the basis that they accept that the business retains the ability to remotely wipe the device if necessary. The organisation could then use NAC to allow authenticated and profiled devices onto the corporate network and unauthenticated devices only Internet access.”
Louise Taylor, Senior Associate at international law firm Taylor Wessing, adds: “Protecting data on mobile devices is not simply a matter of deploying appropriate security technology - although such technology is crucial. Businesses may also need to update their IT or other employee policies to clarify their data security practices regarding the use of mobile devices and the related employee obligations. Employees need to understand and buy into the importance of securing confidential and personal data in order to minimise the legal and other risks arising from data loss or security breaches.”
Taylor continues, saying: “If an employee is using a device for work, both the business and the employee have legal obligations to protect confidential information and personal data. These obligations apply regardless of whether the employee or the business owns the device.”