Half of large UK businesses allow the use of employee-owned devices in the workplace, despite 84 per cent agreeing that the use of such devices increases the risk of data leakage incidents.
A Dimension Data study of 200 IT decision makers from UK businesses with over 500 employees found that 51 per cent permit a 'bring your own device' (BYOD) policy, yet 39 per cent do not enforce encryption on those devices.
Chris Jenkins, security solutions line of business manager at Dimension Data UK, said: “Even the businesses that don't allow user-owned devices at work are likely to have the same data security challenges as those that do, as employees are bringing their own gadgets to work anyway.
“Completely unmanaged mobile devices connecting to the corporate network are obviously a greater security risk than sanctioned, managed devices, so their growing presence at work makes this issue even more critical.”
Another survey by Check Point found that 75 per cent of UK organisations experienced data loss in the last year, compared with intellectual property (36 per cent), employee information (36 per cent) and consumer information (35 per cent).
Its survey of 450 IT administrators in the UK found that the primary cause of data loss was lost or stolen equipment (35 per cent), while network attacks accounted for a quarter, followed by Web 2.0 and file-sharing applications (22 per cent).
Oded Gonda, vice president of network security products at Check Point, said: “We understand that data security and compliance are often at the top of the CISO's list. However, if you look at the drivers for data loss, the majority of incidents are unintentional. In order to move data loss from detection to prevention, businesses should consider integrating more user awareness and establish the appropriate processes to gain more visibility and control of information assets.”
Jenkins said that solving the problem is a matter of balancing the employee benefit of using their device for corporate access against the business requirement for data security.
“For instance, a business could supply encryption software free of charge to the employee on the basis that they accept that the business retains the ability to remotely wipe the device if necessary. The organisation could then use network access control to allow authenticated and profiled devices onto the corporate network and unauthenticated devices only internet access,” he said.
Rob Ayoub, global program director of information security research at Frost & Sullivan, said: “Businesses need to go back to basics and deploy primary security measures such as encryption and up-to-date security policies. The good news is that basic security measures can be put to good effect, if deployed to meet current threats.
“However, they are only part of the solution: businesses will need to consider more advanced measures, such as port control and network access control to mitigate risks, including the accidental or malicious dissemination of data from devices while they are still in the possession of the employee.”