Preliminary findings released by PricewaterhouseCoopers (PwC) from the 2012 Information Security Breaches Survey (undertaken in conjunction with Infosecurity Europe and supported by the Department for Business, Innovation and Skills) show that many companies are not doing enough, and some are doing nothing at all, to secure their mobile environment. The main finding, however, is the sheer extent to which business is adopting mobile computing and social networking: 75% of large organizations and 61% of small businesses allow staff to use smart phones and tablets to connect to their corporate systems. “These figures demonstrate,” PwC information security partner Chris Potter told Infosecurity, “that while people are just talking about other trends like cloud computing, they are actually doing something about mobile computing.”
But what the figures also show is that too many organizations are not taking the security threat sufficiently seriously – and it is the smaller companies that are most culpable. On the one hand, smaller companies are less likely to allow connection from staff mobile devices (39% of smaller companies and only 25% of larger companies don’t allow it). But on the other hand, as many as 34% of smaller companies (against only 13% of larger companies) take no security precautions at all. “That’s no security strategy, no policy, no training, no technical protection, no encryption, no device management,” explained Potter. And the reason? “I think it’s down to two things,” said Potter. “Firstly, there’s a basic lack of understanding of some of the risks involved; and secondly, there’s an element of wishful thinking: if I haven’t been burnt, then I’m OK – maybe this security risk is all just hype.”
It isn’t hype. 82% of large organizations reported security breaches caused by staff, including 47% who lost or leaked confidential information. “Often,” said Potter, “breaches occur through ignorance rather than malice. Greater security awareness is vital but it is not being implemented. Possession of a security policy by itself does not prevent breaches; staff need to understand it and put it into practice.” Education, he said, leads to greater understanding leading to fewer breaches. “When you slice the data based on breaches, you find that organizations with a well-understood security policy suffer fewer breaches. There is a clear causal link between training and education, and the payback is fewer security breaches. Companies have lots of training needs - working security awareness into the overall programme of training rather than treating it as some other strange additional stuff you have to do is usually the most effective way of doing it.”
One problem is that mobile computing and social networking are still shiny new toys. For example, 52% of small businesses say social networking is important to their business. “What happens,” said Potter, “is that when people see a shiny new toy, they go off and use it – but it’s only when they actually experience a major security breach in their organization that they stop to make the necessary security changes.” Only 8% of companies monitor what their staff post on social networking sites. Companies are alert to the advantages of these new toys, but are not yet fully alert to the threats. This survey shows that many more companies, particularly among the smaller ones, are going to get burnt unless they change their attitude.
“There’s no such thing as 100% security,” Potter told Infosecurity, “and there’s no such thing as 100% control. The really serious breaches are caused by people doing silly things, people exposing confidential data inadvertently onto a mobile device which is then lost. So you want to try to manage those risks. You have to make it hard for the criminal. If somebody gets hold of a lost device you make it hard for them to access any data on the device. Encryption by itself isn’t the answer - a combination of encryption, strong authentication, mobile device management including remote wiping gets you to a much better place.” And it all has to be underwritten by an effective and well-understood mobile computing and social networking security policy.
Richard Rosen says:
18 April 2012
It's no wonder we're awash in breaches, informatively confirmed by the PwC survey and understanding provided by the commentary in this article.
My field is employee computer monitoring and data loss protection and this comment well reflects my experience: "...there’s an element of wishful thinking: if I haven’t been burnt, then I’m OK..."
It's after the horse has bolted from the barn with the prized colt in tow that we get the inquiry. What a pleasure when a company makes inquiry to proactively implement user activity monitoring along with remote wiping as a leg of its security strategy.
But it's human nature the way we learn, some benefiting from the experience of others (which my mother would always remind me of when I didn't do so) and implementing preventative security, and others waiting for a fall in the ditch before believing they have a problem, and then must claw their way out. Oh well...