To boot, the report also found that many mobile devices were not secured to protect stored information, that the use of removable drives and other easily lost media was uncontrolled, that the US Department of Defense did not have ability to wipe devices that were lost or stolen, and that the DOD had no training or policies in place governing personal devices within the workplace.
The size of the potential issue is notable: the US Army has around 560,000 active staff and about the same number of Reserves and National Guard personnel. “This is where an effective data-centric security strategy enters the frame, as even in an organization the size of the US Army with its 1.12 million personnel, there is a need to ensure that all of the data remains protected and private anywhere it moves, anywhere it resides, and however it is used,” said Mark Bower, vice president of product management at Voltage Security, in a statement to Infosecurity.
Sophos Security pointed out that it’s not all bad news: The Army did implement a policy regarding geotagging,” realizing the risk that came with soldiers taking pictures that automatically had location information embedded in metadata.”
However, given the lack of management of the devices, “how would the military know for sure that the geotagging has been disabled?” Sophos added.
Voltage’s Bower went on to say that a lack of technology to both enforce the required security policies - as well as control what happens to the data, whether it is held in a local or cloud environment, or even across a mobile device - is almost certainly the reason why the US Army had more than 14,000 smartphones and tablet computers floating around outside of its direct security control.
“The US Army has come a long way since the days of `Full Metal Jacket’ – Stanley Kubrick’s seminal Vietnam war movie of 1987 – as today’s battles are fought with the aid of computers and other Theatre of War IT systems,” he said. “As a result, encrypting the data as it is used and moved across the army network, through the cloud and over mobile devices, assumes paramount importance,” Bower said.
“It is not exaggerating to say that the loss of data in today’s military could give the enemy an upper hand in a battlefield situation - as well as potentially resulting in unnecessary loss of lives. This takes the data protection aspect of security to a completely new level,” he added. "And let’s not forget, it just takes one email and attachment containing sensitive materials to fall into enemy hands to create a breach that’s difficult to contain - the stakes are high."
Voltage Security said the report outlines a classic example of what happens on the data security front in very large organizations in general.
“It is exactly the same in a large enterprise, as not only do you need security policies, but you need the technology in place to enforce those policies, and ensure the governance surrounding the data as it flows into, across and out of the organisation,” said Bower.
Last year, Sophos did an informal study and found that 42% of lost mobile devices aren't protected with any security measures. Of that number, 20% had access to business email, which could contain confidential information.