
PwC 2012 Information Security Breaches Survey: Preliminary findings report continued mobile insecurity

18 April 2012

New statistics show that while many companies appear to understand the business threat from BYOD, many others are taking no precautions whatsoever.

Preliminary findings released by PricewaterhouseCoopers (PwC) from the 2012 Information Security Breaches Survey (undertaken in conjunction with Infosecurity Europe and supported by the Department for Business, Innovation and Skills) show that many companies are not doing enough, and some are doing nothing at all, to secure their mobile environment. The main finding, however, is the sheer extent to which business is adopting mobile computing and social networking: 75% of large organizations and 61% of small businesses allow staff to use smartphones and tablets to connect to their corporate systems. “These figures demonstrate,” PwC information security partner Chris Potter told Infosecurity, “that while people are just talking about other trends like cloud computing, they are actually doing something about mobile computing.”

But what the figures also show is that too many organizations are not taking the security threat sufficiently seriously – and it is the smaller companies that are most culpable. On the one hand, smaller companies are less likely to allow connection from staff mobile devices (39% of smaller companies and only 25% of larger companies don’t allow it). But on the other hand, as many as 34% of smaller companies (against only 13% of larger companies) take no security precautions at all. “That’s no security strategy, no policy, no training, no technical protection, no encryption, no device management,” explained Potter. And the reason? “I think it’s down to two things,” said Potter. “Firstly, there’s a basic lack of understanding of some of the risks involved; and secondly, there’s an element of wishful thinking: if I haven’t been burnt, then I’m OK – maybe this security risk is all just hype.”

It isn’t hype. 82% of large organizations reported security breaches caused by staff, including 47% who lost or leaked confidential information. “Often,” said Potter, “breaches occur through ignorance rather than malice. Greater security awareness is vital but it is not being implemented. Possession of a security policy by itself does not prevent breaches; staff need to understand it and put it into practice.” Education, he said, leads to greater understanding, which in turn leads to fewer breaches. “When you slice the data based on breaches, you find that organizations with a well-understood security policy suffer fewer breaches. There is a clear causal link between training and education, and the payback is fewer security breaches. Companies have lots of training needs – working security awareness into the overall programme of training rather than treating it as some other strange additional stuff you have to do is usually the most effective way of doing it.”

One problem is that mobile computing and social networking are still shiny new toys. For example, 52% of small businesses say social networking is important to their business. “What happens,” says Potter, “is that when people see a shiny new toy, they go off and use it – but it’s only when they actually experience a major security breach in their organization that they stop to make the necessary security changes.” Only 8% of companies monitor what their staff post on social networking sites. Companies are alert to the advantages of these new toys, but are not yet fully alert to the threats. This survey shows that many more companies, particularly the smaller ones, are going to get burnt unless they change their attitude.

“There’s no such thing as 100% security,” Potter told Infosecurity, “and there’s no such thing as 100% control. The really serious breaches are caused by people doing silly things, people exposing confidential data inadvertently onto a mobile device which is then lost. So you want to try to manage those risks. You have to make it hard for the criminal. If somebody gets hold of a lost device you make it hard for them to access any data on the device. Encryption by itself isn’t the answer – a combination of encryption, strong authentication, mobile device management including remote wiping gets you to a much better place.” And it all has to be underwritten by an effective and well-understood mobile computing and social networking security policy.


Comments

Richard Rosen says:

18 April 2012
It's no wonder we're awash in breaches, informatively confirmed by the PwC survey and understanding provided by the commentary in this article.

My field is employee computer monitoring and data loss protection and this comment well reflects my experience: "...there’s an element of wishful thinking: if I haven’t been burnt, then I’m OK..."

It's after the horse has bolted from the barn with the prized colt in tow that we get the inquiry. What a pleasure when a company makes inquiry to proactively implement user activity monitoring along with remote wiping as a leg of its security strategy.

But it's human nature the way we learn, some benefiting from the experience of others (which my mother would always remind me of when I didn't do so) and implementing preventative security, and others waiting for a fall in the ditch before believing they have a problem, and then having to claw their way out. Oh well...
