Mobile, Cloud Security: 10 Ways Organizations Are Vulnerable4:00 PM EST Thu. Jun. 27, 2013
Many companies are leaving themselves open to losing sensitive and confidential data because so few have policies to protect information kept on mobile phones and tablets, according Ponemon Institute's recent study, "The Risk of Regulated Data on Mobile Devices."
The analysis, sponsored by file-sharing solution provider WatchDox, found many companies were not taking the necessary steps to safeguard data -- including health reports, credit card details and customer accounts, among other private records. As a result, businesses risk costly mobile data breaches. Thousands of records have already been compromised because employers lacked adequate policies and tools, leaving them open to regulatory fines and lawsuits, according to Ponemon, whose message to channel partners and VARs was clear: They will need to offer security measures if they are to keep client records secure.
Here are the top 10 reasons for the insecurity as well as key recommendations.
An estimated 6,000 private records were lost or stolen in the past two years because a mobile device with personal data was lost or stolen, according to the report. Organizations represented in the research each acknowledged, on average, about five such incidents between 2011 and 2013. Nearly half said at least one of the breaches required the organization to notify regulatory authorities, and 39 percent required notification of victims. The cost can add up financially, in a loss of reputation and of customers, Ponemon Institute founder Larry Ponemon said. Companies are vulnerable to lawsuits for gross negligence and class action litigation. "So it's a big deal," Ponemon said.
Companies didn't predict the speed at which BYOD would be adopted. But the risk is real, and it's on the rise, as laptops, tablets, smartphones and flash drives become an increasingly common way for employees to access and use data in the workplace, according to IT professionals interviewed for the Ponemon analysis. Yet, fewer than half of IT professionals in charge of BYOD policies said their company understood the risk, and many said they were shut out of decisions that other staff may not fully be equipped to make when it comes to security. Three-quarters said it's difficult to stop employees from using insecure mobile devices to access regulated data such as account numbers, passwords, Social Security numbers, mobile phone numbers and payroll information. And nearly as many -- 72 percent -- said it's hard to tell when employees are doing so.
The greatest data-protection risks to regulated data exist on mobile devices and in the cloud. They hold enormous amounts of data. Even email attachments can contain large files with sensitive health records or passwords. Companies allow workers to use their own mobile devices to access and use regulated data even though the IT professionals in charge of mobile policies told Ponemon the greatest areas of risk to regulated data are mobile devices, cloud computing infrastructure and applications. Ponemon likened the lack of training about data security to handing the car keys to someone without a driver's license.
Regulated data on mobile devices and in the cloud is at risk, according to the institute, because organizations do not do or know the following:
* Know how much regulated data is on mobile devices used by employees or transferred to cloud-based file sharing applications;
* Prevent employees from accessing regulated data using unsecured mobile devices;
* Make mobile data protection a top priority;
* Take steps to monitor employees who access and use regulated data on mobile devices;
* Ensure employees are aware of the importance of protecting regulated data on mobile devices. Respondents also believe that most employees, at one time or another, have circumvented or disabled required security settings on their mobile device;
* Have the necessary oversight or governance practices in place.
BYOD can be an especially dangerous weapon. An otherwise innocuous email attachment or Excel file can contain many megabytes of critical information. Laptops offer some security features, but files on laptops are likely to be easy to access from a mobile phone, tablet or flash drive. Yet only 26 percent of respondents believed employees understood the importance of protecting regulated data on mobile devices. One consequence of this lack of awareness is that only 22 percent of respondents said employees do not circumvent or disable security features on mobile devices that contain regulated data. Despite the employee-created risk, 67 percent of organizations do not exercise special monitoring procedures of employees who access and use regulated data on mobile devices.
Collaborative cloud apps like Dropbox and Google Drive are common among workers. They move data back and forth but frequently don't clear files out when a project is done. Overall, there's a huge increase in the amount of data collected, used and kept because storage is cheap. But, manual policies and passwords top the list for security measures used by the companies in the survey to ensure mobile devices that have access to regulated data are safe. Technologies that specifically address mobile device security are rarely used, according to the survey. That's an opportunity for channel partners, Ponemon said. "It could be very lucrative."
In addition to not having the right practices and technologies in place, mobile devices were frequently deficient in security features. According to respondents, 41 percent of mobile devices with access to all data in the organization have adequate security features. An average of 48 percent of mobile devices with access to regulated data have adequate security features.
Many companies in the study were in the dark about the need to ensure that the use and access of regulated data on mobile devices is in compliance with data protection laws. Often they didn't even know with certainty if they were in compliance or not. And, many were uncertain or didn't know whether the laws applied to the safeguarding of regulated data on mobile devices.
For example, 67 percent of respondents said their organization must comply with U.S. privacy and data breach laws, but only 18 percent believed these laws specify the protection of regulated data on mobile devices. Such perceptions result in companies not being in compliance and facing potential fines and legal action, according to the study.
Companies are realizing that BYOD may have seemed like a gain because it was one less thing they had to pay for, but mobile device use has long-term consequences. Regulation hasn't kept pace either, but that's changing, Ponemon said. Fines and lawsuits are not far behind. As the opportunity for data insecurity increases, federal, state and local agencies such as the Federal Trade Commission and even Health and Human Services are starting to look at mobile devices and trying to come up with specific guidelines that match the pervasiveness and nature of technology, he said. The discussion is in the early stages, but they're realizing the policies have to change to meet with workplace and IT realities.
* Create awareness throughout the organization that regulated data on mobile devices should be just as protected and secured as other sensitive and confidential information.
* Make sure security policies include guidance on what employees should be doing to protect the regulated data on the mobile devices they use.
* Conduct a data inventory of sensitive and confidential information to understand what regulated data is on employees' mobile devices.
* Understand who is accessing regulated data through mobile devices and for what purposes in order to increase visibility of people and business processes.
* Consider data-centric protections for personally owned devices.
* Consider investing in technologies that specifically address the regulated data risk. These include mobile device management, mobile DRM and mobile application management.