More smartphones and tablets are connecting to the corporate network, BYOD is growing faster than previously thought, data on devices is a concern and mobile incidents are expensive. That’s the takeaway from “The Impact of Mobile Devices on Information Security,” a report commissioned by Check Point Software Technologies Ltd.
Results show that 96% of companies have more personal devices connecting to the network, year over year. In fact, 45% have more than five times as many personal mobile devices as they had two years ago. Here is what’s alarming: 79% had a mobile security incident in 2012. (Incidents include lost devices, malware attacks and data loss.)
“The problem of multiple devices connecting to the corporate network is not linear, it’s skyrocketing,” said Scott Emo, mobile security expert, Check Point. He believes that incidents are probably much higher, but are simply not known, which is even worse.
A 25-year industry veteran, Emo had positions at HP, Symantec and McAfee before joining Check Point in 2010, a career that has “seen it all” and is rarely surprised by developments in the enterprise. “Technology moves at the speed of sound,” he said, adding, “but hackers are also increasing their game.”
Mobile incidents have a ripple effect. Add up the price of fines, legal fees, staff salaries and the result is staggering. Throw in private lawsuits or court orders to pay for credit monitoring and the risk is exponential —52% of large companies say the cost of mobile security incidents last year exceeded $500,000. Forty five percent of businesses with less than 1,000 employees reported costs exceeded $100,000.
A larger company might be able to absorb these amounts, but it could mean the end for a smaller business.
Out of all the operating systems, Android was cited by 49% of businesses as the platform with greatest perceived security risk.
Lehigh Valley Health Network, a large healthcare provider in Pennsylvania, does not allow the OS. “For all intents and purposes in our view, Android was too hard to secure and too easy to root,” said Jim Shellhamer, IT Analyst and Mobile Device Administrator. The organization, which has more than 10,000 employees, methodically reviewed the pros and cons of the OS and determined its risk was not worth the investment.
Data leaks can affect any industry, whether through the company itself, its employees or public perception. But, for regulated industries like Lehigh, it’s even more profound. Shellhamer noted that there is an entire gamut of governmental fines to contend with should information leak. And when violations are publicized, the organization’s reputation is destroyed.
In addition, any breach has repercussions for the patients. “It’s an individual’s life,” Shellhamer said. “We are responsible for their care, their well-being, which could only be affected negatively if their private information was leaked.”
Once data is missing, it’s not a question of returning it to its source. It becomes an issue of minimizing the damage. However, many companies are not heading off the problem and are blatantly exposed. According to the report, 63% do not manage corporate data on devices. This includes not just contact info and calendars, but customer data, confidential notes and network login credentials. How can we get enterprises to take the issue more seriously?
“It boils down to a cost benefit analysis,” Shellhamer said. Any enterprise should ask two questions: If we implement an MDM solution, with license fees, what is total cost of ownership over the next five years? What will a data breach cost us?
Make the comparison. For a company with 50 employees or less, the benefit they may get from MDM is increased connectivity, and of course the security features if a device is lost. The larger organization, when looking at the math, may realize the financial savings is much greater because the security risk increases with every connected employee.
Each organization will of course, make a decision based on their needs. The problem is, the organization has to be aware, and make that decision in the first place. “Some people realize that wearing a seatbelt is just common sense. Some people, unfortunately, have to learn by having that accident. You can either prepare for it, or take your chances,” Shellhamer said.