Data security is a top-of-mind concern for IT departments faced with the rise of BYOD. More than ever, employees can access and store sensitive data on their personal mobile devices, leaving that data exposed whenever a device is lost or stolen.
"BYOD is having an enormous impact on IT security. No matter the size of the company, from SMBs to large enterprises and highly regulated government entities, BYOD is affecting everyone, is here to stay and needs to be confronted head on," says Gary Gerber, senior product marketing manager at Imation Mobile Security. "The significant increase in the amount of business content stored or shared on employee owned devices is the main problem."
This concern is so big that 46 out of 50 states, as well as the U.S. Virgin Islands and Puerto Rico, have put some kind of data privacy breach notification law or regulation in place. To help businesses keep track, Imation created a Compliance Heat Map to illustrate, state by state, the severity of data breach laws and their consequences.
Laws in Place for a Reason
There have been several recent cases where data security breaches were the result of lost or stolen mobile devices. For example, in June the Connecticut Attorney General reported that a stolen laptop at Hartford Hospital resulted in a breach of data affecting approximately 9,000 patients. Another case was at the University of Texas M.D. Anderson Cancer Center, where a medical student trainee working for the facility lost an unencrypted portable hard drive while riding on an employee shuttle bus on July 13. The device contained information on 2,200 patients, including names and health data.
It is for this reason, according to Gerber, that many states are cracking down on breaches by issuing financial penalties whenever they occur.
"Non-compliance with data breach notification laws incurs financial penalties, and customers and constituents often react when an organization compromises their trust by not properly safeguarding their personal information," Gerber says.
Assumptions You Must Make
Gerber lays out five assumptions and actions necessary when considering how to prevent data security breaches.
Assume the worst.
Don't hire a penetration tester. Save your money and assume "they" will get in. Data shows that 75% of organizations have suffered data loss from negligent or malicious insiders.
Assume employees will use their personal devices on the corporate network, even if they are told not to.
More than 50% of employees use portable devices to take confidential data out of their companies every day. Before you end up with a problem on your hands, use device-control products to block the devices you are not willing to have around, whitelist the ones you are comfortable with, and, where data is critical, both encrypt it and audit its movement.
Assume that your employees value convenience more than security.
If a security policy is overly cumbersome or inconvenient, employees will find a way around it. Don't underestimate the ingenuity of employees looking to circumvent procedures that slow them down. Make the easy path the safe path. The last thing you want to do is prevent the use of all personal devices; users will soon find a workaround, such as photographing documents with their phones so they can work at home. If you try to control too much, the original problem slips through your fingers and creates a much bigger one.
Assume that flash drives will be lost and IT will never know.
Losing a $10 flash drive can be even worse than losing a laptop. Stolen or lost laptops are reported, but $10 flash drives are quietly replaced. According to the Ponemon Institute National Study of Data Loss Breaches in 2010, missing devices cause 42% of security breaches. Use encrypted flash drives or don't use them at all. Right now, only 35% of companies enforce data encryption on company-issued devices.
Assume that an organization's first and last defense against a security breach is its own employees.
Training employees on good security practices offers the most bang for the buck. According to the Ponemon Institute National Study of Data Loss Breaches in 2010, negligent employees cause 16% of security breaches. Everyone should learn how to recognize phishing attacks and fake anti-virus software advertisements: if it looks too good to be true, it really is. Often the most obvious protections are the best ones. Everyone should have strong passwords on their devices that only they know. According to research done by SplashData, the most popular password in 2011 was "password." That certainly is not a formidable shield for securing sensitive corporate data.