One in five firms have no policy regarding personal mobile device use at work

This lack of a security policy has led to a situation in which one in 10 organizations has had a data breach following the loss of a personal mobile device that had access to the network, according to a survey of 988 IT decision makers at large organizations by Courion, a provider of identity and access management products.

“Pretty much all organizations are allowing some type of remote access to their systems from mobile devices”, said Dave Fowler, senior vice president of products and marketing at Courion.

“If a personal device is lost, the question becomes, what can the company do to respond to that lost device to ensure that it is protected if there is company information on that device, or if that device has the ability to access their systems? What we found was that in a lot of cases, the organization did not have a policy and therefore did not know how to respond when a device was lost”, Fowler told Infosecurity.

In addition, 57% of respondents were confident that they could control access to resources on their corporate network. That number dropped to 34% when respondents were asked about cloud access, and 40% when asked about handling employee access via mobile devices and laptops.

“Companies feel good about protecting their assets inside their organization, but less so from outside their organizations, even though there are a growing number of people using mobile devices to access company assets from outside the organization”, Fowler said.

“Not all risks are created equal. What I have access to might not be the same as what other people have access to. Knowing the risks posed by the loss of a device by a certain individual helps the organization determine how quickly it needs to respond, how important it is to take action, and what action to take”, he added.

Asked how they would respond to a lost mobile device, 55% of respondents said they would wipe the device.

“From the company perspective, in order to be able to protect themselves they have to be able to take action to protect whatever company information is on that handheld”, Fowler noted. From a policy perspective, organizations should inform their employees that if they use personal devices to access corporate information and the device is lost, personal information along with corporate information will be wiped, he added.

Courion recommends that organizations implement and manage a comprehensive access strategy in order to define, assess, enforce, and verify that the right users have the right access to the right resources. Ensuring that employee and contractor identities are matched with the access rights they are given – regardless of device or location – is important to securing corporate data, the company said.
