Without a strong policy, the end-user's mobile gadgets could attack the firm's soft underbelly, says Sean Glynn.
Mobile computing helps people work together effectively, but to do this, they need up-to-date information. Employees are no longer restricted to laptops and mobiles, but use the latest must-have gadgets to get in touch with the office.
One such development is the soaring popularity of netbooks. In 2009, despite the recession, netbook sales grew 100 per cent over 2008. However, their lack of an optical disk drive is fuelling increased usage of USB devices to transfer or even store data. While memory sticks are arguably still the weapon of choice, even devices whose main purpose isn't data storage, from iPods to digital cameras – anything with a digital memory, in fact – are being used to ‘secure’ sensitive information.
While the economic benefits of this data migration are obvious, it also brings problems. Companies are increasingly deploying laptops and smartphones to their workforce as part of their critical business processes, so the data they contain can be kept confidential, but memory sticks are easy to lose and often the data is unencrypted.
A further complication presented by a lost or stolen mobile device is that, if not properly protected, it can provide an entry key to the soft underbelly of the corporate network. The weakest link in any corporate defence is the end-user, who typically bypasses password authentication for the device.
Another problem is automatic form completion, including passwords, to access online services, for example, a user's Hotmail account. This often includes authentication to other systems, such as the organisation's VPN, where the corporate gems are left out for all to see and to filch. Unbelievably, it is common for users to keep a document, detailing logon details and passwords, in an unprotected file stored on the device.
Since 25 million UK child benefit records went missing in November 2007, more than 700 organisations across all sectors have reported security breaches to the Information Commissioner's Office (ICO). However, in only 231 cases was the data specifically targeted and stolen.
Organisations have long had an obligation to protect data, but there was little to motivate them to adopt a ‘customer data protection’ mindset. This changed with the announcement that the information commissioner has finally been granted the power to issue fines of up to £500,000, as of this April, to anyone who knowingly or recklessly flouts any of the eight principles of the Data Protection Act.
The cost of UK data breaches is staggeringly high. Last year, the average breach cost £1.7 million; from April, this could exceed £2 million. The ICO does not want to stop there; if it gets its way, breaches of data protection law could one day be punishable with jail.
Security is a two-way process. Employer and employee are both playing for the same team – insecure data is bad news for all. The most effective strategy is to deploy sensible, workable policies with centrally controlled technology, in an atmosphere of trust and education.
This includes educating the workforce in the risks posed by their activities and the devices they use. Your security policy must dictate the management of all mobile devices, irrespective of ownership. Make sure that all staff sign the policy and that appropriate software is in place to enforce it.
It should never be left up to the end-user to make data secure – they don't have the time or the knowledge. Encryption software is now available that can protect data on virtually every endpoint.
Users of iPhones and other smartphones with internet access need to be made aware of the risks of opening attachments or clicking on links to malicious websites. They also need to ensure the device's firmware and browser are updated and patched with security upgrades.
Companies must protect their intellectual property. Employees can play their part by respecting the information they are working with and correctly using the devices they're accessing it with. It's for everyone's benefit.
Sean Glynn is vice president and chief marketing officer at Credant Technologies.