Employees who use personal devices for business are an increasing danger in the absence of effective monitoring and managing of information flows into and out of the organization, Kenney told Infosecurity.
A growing risk to organizations is the loss of confidential data on an employee’s personal smartphone or USB drive. According to an Ipswitch survey, 70% of IT professionals access company data through mobile devices on a weekly basis, and 41% rely on storage devices to back up business files every month.
“Something will happen with someone in a high place who loses their smartphone or USB drive. The ramifications are going to be a recognition of how much the government and organizations are not doing to secure information and teach people what has to be done with personal devices…when employees bring them into the organization”, he observed.
Kenney said that while employees use personal devices to be more productive at work, they can pose a data breach risk to the organization.
“Even though you have many employees running around with smartphones, many of their companies have not taken advantage of the enterprise tools available.” The loss of mobile devices by employees is a “ticking time bomb”, he warned.
Organizations need to be vigilant in classifying data and monitoring who has access to that data, and also to institute strong governance mechanisms. “Governance is 10% technology and 90% people”, Kenney stressed. “You have to bang it into employees heads that, ‘I know this is your personal phone but you are accessing corporate information, and if you lose that phone, you need to let us know so we can take proper procedures to protect that data’ ”, he said.
Kenney said that companies often do not do a good job of governing the organization’s information flow. “We tend to put in good governance mechanisms when it comes to applications, but we don’t do so when it comes to how we interact with the cloud, with personal email, with messaging, and with social networks”, he added.
“People remain an incredibly important part of the IT process of a company or institution. We spend a lot of time securing systems but we don’t spend enough time focusing on the things that people do every single day. This is where the biggest threat happens”, Kenney concluded.