Bring Your Own Disaster as UK firms see rising mobile breaches
A study from BT reveals that almost half of UK firms (41 percent) suffered a mobile security breach over the last year, with another fifth reporting as many as four incidents in the same time-frame.
The research reveals that UK businesses are still not taking sufficient security measures to protect themselves from mobile threats, such as lost and stolen devices or mobile malware infections, even though the same study found that 95 percent of UK organisations now allow their employees to use a BYOD (Bring Your Own Device) or COPE (Corporately Owned, Personally Enabled) device.
Some of the findings on mobile security make for shocking reading: just over a third (35 percent) of IT decision makers said that they had a BYOD policy, which is seen by many as the first step in enterprise mobility management, while only 15 percent said that they felt confident they had sufficient resources to prevent a mobile security breach.
In addition, the report hinted at information security managers failing to rein in user privileges, with one in three (33 percent) saying that their mobile devices either had full access to the internal network or contained sensitive client information.
Mark Hughes, president of BT Security, said in a statement that the results are a sign that mobile security is still an afterthought in enterprises.
“Today's threat landscape shifts very quickly so it is important for organisations to start with security in mind, rather than add it as an afterthought. This will ensure that security processes develop with them, and not after them. This makes the task of being security-led much more straightforward.”
But Hughes and BT also pointed the finger at employees and board members, accusing them of ignoring security when it comes to mobile. The study indicated that 81 percent of staff do not take device security seriously but, hinting at C-level disinterest, a further 69 percent of UK IT decision makers believe that their CEO does not take security seriously.
“If CEOs are passionate about making security practices work, then they will inevitably become an intrinsic part of people's lives,” said Hughes. “Problems usually arise when people don't understand the risks and the impact that neglecting security could cause for the business, as well as for them personally. A security breach could cause a share price drop and reputational brand damage. This means that security is everyone's job.”
Mark Noctor, director of EMEA sales for Arxan Technologies, told SCMagazineUK.com that the findings were no great surprise.
“The latest findings from BT's report offer no real surprises when looking at the security risk that mobile continues to pose to organisations and it is possible that this risk will continue to rise unless businesses make - and more importantly, effectively implement - adequate provisions to protect their valuable data against these threats,” he said in an email.
“The attacks against the mobile platforms are being launched at three distinct layers: the network, the device itself and, crucially, the applications. Whilst some organisations may have device and network defences in place, one area that is commonly not addressed by these traditional perimeter defence technologies is that of protecting against application hack attacks such as reverse-engineering and tampering.”
He added: “For example, device security may provide anti-virus capabilities, remote wipe, device or user authentication. However, these can be easily circumvented or altered via malware or unauthorised code modification. This means that mobile applications really reside on mobile devices that are untrusted environments.”
This study was carried out by Vanson Bourne in September and October 2014 on behalf of BT. A total of 640 interviews with IT decision makers from large-size organisations (1,000 employees or more) were carried out across 11 regions (including US, UK, France and Germany) and various sectors.