Supposedly Secure Data Goes Unprotected
Mobile data is an enormous pain point for enterprise businesses, and one of the biggest reasons is obviously security. The fact that so much data is unaccounted for, let alone unsecured, is the surprising part of a recent WatchDox-sponsored Ponemon Institute survey.
About 800 IT professionals were surveyed, and 73% had weak controls in place for their mobile security protocols, on top of the 80% who didn't know how much data was already in the cloud or on mobile devices. The survey focused on so-called regulated data, the kind that organizations are required by law to keep secure.
It's easy to imagine what kind of data this might entail: financial details, protected health information and personally identifiable information are the most obvious. The Risk of Regulated Data on Mobile Devices in the Cloud report was commissioned by WatchDox to see just how secure supposedly protected information really is.
The biggest security risks, besides the above examples, were:
- Organizations don't take the risk of having regulated data on mobile devices seriously
- As a result of this condition, organizations don't make it a top priority
- Employees carrying around this data aren't monitored
- Workers aren't trained on the importance of protecting regulated data on mobile devices
- There's often no oversight or governance in place
In a bizarre bit of cognitive dissonance, 69% of those surveyed said they viewed mobile devices as the top threat to regulated data, but 59% said they allowed employees to use their own mobile devices. This is also known as the bring-your-own-device (BYOD) phenomenon, a related issue that is also quite painful in the enterprise. Perhaps if more people were surveyed, and if fewer companies allowed people to use their own devices, the data would look much different.
As it stands, even among those who said they did know how much data was out there on mobile devices or in the cloud, almost half didn't actually know what methods were used to measure those amounts.
Barriers to protection of regulated data on mobile phones.
Perceptions of Risk + BYOD
Risks associated with data use on mobile devices and in the cloud seemed to be fairly well understood by respondents, as 78% said they agreed or strongly agreed that risk was on the rise. However, less than half said they agreed that the risk of having regulated data on mobile devices is understood by their organization.
Furthermore, only 34% said their organization made protecting regulated data a top security priority. That number seems low, of course, especially considering an average of 50% of employees use their mobile device to access regulated data. Not only are workers bringing their devices to work, they are occasionally or frequently turning off the security features, according to almost 60% of respondents.
One result of all this lax security is that many organizations can't even claim they are in compliance with the laws in place to protect their data. For example, 67% of respondents said their organization had to comply with US state privacy and data breach laws, but only 18% said they believed those laws applied specifically to mobile devices.
Ponemon Institute recommends that organizations create awareness about regulated data on mobile devices so that it is treated just like any other sensitive information. An inventory of protected data should be taken so the risks are better known, and organizations should consider using technology like mobile device management, mobile DRM and mobile application management to specifically address data risk.