Half of all companies lose devices with important data

Half of companies have lost a portable computing device with important data on it, and the loss had security implications for more than 20% of organisations, a survey has revealed.

Further, 57% of employees believe that bring-your-own-device (BYOD) practices put their personal data at risk as well, according to a survey by data governance software company Varonis.

Despite these concerns, the study also revealed 86% of employees use their personal devices for work at all hours of the day, with 44% admitting to doing so during meals.

Additionally, 20% of respondents consider themselves “borderline workaholic”, 15% take their devices on holiday and 7% claim their work and home lives are one.

But the study found the productivity drain is greater for companies that allow BYOD. Nearly a quarter of respondents said they spend more time than they care to admit doing things unrelated to work during work hours.

According to the findings, almost three-quarters of employees are now allowed to access company data from their personal devices.

This growing trend to work remotely is likely to have an impact on breaches and data leakages, as mobile devices continue to have major security implications, according to the research report.

The study found that implementing a BYOD policy did reduce security incidents, but only by 5%.

The most popular method to secure mobile devices is password protection (57%), followed by 35% who wipe devices remotely and 24% who use encryption.

“Being connected to work around the clock appears to be accepted as the ‘new normal’,” said David Gibson, vice-president of strategy at Varonis.

“While organisations are capturing the many benefits of BYOD – and the willingness of the workforce to embrace this style of working – companies must protect themselves,” he said.

Gibson said all companies that allow BYOD should:

  • Develop a BYOD policy that lets people know what is and is not allowed;
  • Make sure controls are appropriate to the risks – if the data is valuable, organisations need to control where it resides and who has access to it, and need to be able to audit use and spot abuse;
  • Monitor the effects of frequent interruptions and “always-on” habits to watch for signs of impaired productivity or health.

“Only by limiting the potential damage – both to organisations and employees – can organisations make the most of a trend that will continue to leap forward, whether businesses allow it to or not,” he said.

UK’s million missing laptops

The million mobile devices that have gone missing in the past year are a business data time bomb, according to Sony’s VAIO Digital Business report 2013.

The report, which polled IT leaders at 600 UK businesses, blames bring-your-own-device (BYOD) practices, poor security habits and a rebel workforce.

The findings show that one in four UK businesses have had a laptop lost or stolen in the past 12 months, but only 28% of those polled reported having anti-theft security features on their laptops as standard.

The research shows that businesses are failing to make use of existing security technologies to keep pace with rapidly changing working practices.

“Businesses should take advantage of this ready-and-waiting safety net, which can be easily implemented regardless of IT infrastructure,” the report said.

Data security was ranked as very important by 75% of respondents and loss of confidential company data was identified as the number one concern of nearly half of respondents.

Yet 90% admitted accessing company data from a personal device, regardless of corporate policy, and two-thirds of those surveyed admitted saving confidential business data on their laptops.

Some 46% of those polled said they would bypass company policy and bring in their own device if frustrated by their company-provided machine.

Further compounding this problem, 66% said they take their work laptop home with them every day, with most laptops lost or stolen on trains, followed by private homes and airports.

Some 42% of respondents said they were using their own laptop for work and, for 88% of business laptop users, it is the machine they use in the office as well as remotely.

The study showed that 82% are not changing their password on a monthly basis, 20% of respondents said they never change it and 17% only do so when prompted to.

Despite these trends, the report said businesses are not investing enough in securing their data, with nearly half spending less than £1,000 a year on laptop security and only 28% of business laptops being fitted with anti-theft security as standard, even though many security features require only simple activation.

The report said while 56% of those surveyed had remote back-up software and 42% had some form of data encryption, only 25% had remote lockdown and only 18% had location tracking enabled.

According to the report, what people look for in a business laptop is a clear reflection of the modern mobile approach to work.

The top feature for most users is long battery life, followed by rapid boot-up, weight and a good range of connectivity options.

The research found that even though people realise the importance of security, fingerprint security access was the least in-demand feature.

“This indicates that the issue isn’t awareness, but education on how to use the security features laptops already have,” the report said.

UK consumers want better personal data security

Banks top the list of organisations people trust least with their personal data, according to a survey of 2,000 UK consumers.

Mobile phone operators and retailers also fare badly, according to the study commissioned by collaboration and communication services firm Avaya and contact centre technology firm Sabio.

According to the report by research consultancy Davies Hickman Partners, six million consumers have stopped doing business with an organisation because of concerns about security.

The report suggests this could be redressed by improving the convenience and quality of the customer service experience in contact centres and using technology to reduce the potential for fraud.

The survey shows 46% of consumers suspect high-level security breaches at financial institutions. This figure is 40% for mobile phone companies and 37% for retailers.

The biggest security risk is seen to come from the contact centre, with 45% of respondents citing this as the starting point for fraud.

While consumers place the blame squarely at the door of UK business in general – and the contact centre in particular – they also show a high level of willingness to embrace new technology to tackle the problem.

They are reassured by the automation and anonymity provided by technology and regard humans as the weak security link.

Only 5% think that sharing card details with a human agent is secure. In contrast, 81% would feel more comfortable entering a password on a keypad to confirm their identity when calling a contact centre and 51% said they would be happy to use voice biometrics for banking.

Despite recognising the need for security, currently consumers regard many checks as cumbersome and outdated and are frustrated by both the speed and quality of the customer service experience.

Some 55% expressed irritation with companies that do not have a fully integrated contact centre, forcing them to repeat security information on a call.

According to the research report, fear of call centre fraud has stopped 18 million consumers from making purchases over the phone when interacting with a call centre. Yet 51% say they are put off using a provider if there are too many passwords and security details needed.

“Consumers’ contradictory attitudes leave businesses stuck between a rock and a hard place. By focusing on the three ‘S’s – service, speed and security – brands can improve customer lifetime value, strengthen security and increase brand loyalty,” said Simon Culmer, managing director, UK, Avaya.

He said consumer trust in technology is key, and should be used to reassure customers that their security concerns are being addressed while improving customer experience.

The research suggests that consumers are becoming increasingly security savvy, said Kenneth Hitchen, founding director of Sabio.

“Businesses need to build back confidence in traditional transaction methods, and customer service technology can help them achieve this, whether creating confidence in the secure nature of their own contact centre organisations or encouraging the merchants that depend on their transaction services to do the same,” he said.

BYOD poses serious risks to IT security

The always-on, always-connected, productivity-on-the-go trend of allowing smartphone- and tablet-toting employees to take their own devices to work (known as BYOD, or “bring your own device”) and plug them into the company network is growing in popularity around the world.

A recent BYOD study conducted by smartphone manufacturer Samsung Electronics, in conjunction with IDG Research, revealed that 85% of global companies support the BYOD trend, while 70% of IT executives believe that a company that does not implement a BYOD policy will be at a competitive disadvantage.

While some companies readily admit that they allow their employees to practise BYOD since it is convenient and sometimes more cost-effective than having to issue and pay for company devices, many information security managers also admit that companies ought to do more to understand the security implications behind the trend.

According to a worldwide survey conducted by analyst firm Frost & Sullivan and published in the 2013 Global Information Security Workforce Study, 78% of security professionals believe that BYOD poses a “somewhat” or “very significant” risk to companies.

These fears are not unfounded, says Lutz Blaeser, Managing Director of South African security software distributor Intact Security. “Last year, just over half of secure IT security networks in the UK alone reportedly had their security breached due to employees using personal devices in the workplace. While the BYOD trend in South Africa is still relatively low, with only an estimated 5% of local businesses adopting BYOD policies – it is bound to pick up pace, especially as more people adopt a more flexible way of working.”

But Blaeser admits that the popularity of BYOD is not driven merely by productivity. “Employees still like to access their personal messages and social networking while at work, and using their own devices at work allows them to access their personal apps and e-mail, whereas the company computers could have a block, prohibiting users from having access to, for example, social networking sites.”

Indeed, a global survey conducted by Fortinet reveals that many employees already consider using their own devices at work to be a “right” and not a “privilege” – especially among Asian respondents, with more than half (55%) saying that they regard it as their right.

This is going to cause huge headaches for IT departments. Blaeser, whose company Intact Security is responsible for distributing GData as well as other brand name security software to the South African market, predicts that hackers and other cyber criminals will exploit the BYOD trend to target companies and institutions, by launching attacks on employees’ private mobile devices to gain access to sensitive data on company networks.

He advises that the solution is not to ban BYOD, but rather to implement strong BYOD policies pertaining to security. “The amount of malware and malicious apps developed specifically to attack tablets and smartphones will continue to increase throughout 2013,” Blaeser says. “Make rules that employers should activate passcode protection (whereby users have to enter a special code whenever they switch on their devices). Although many will argue that such codes are easy to crack, it is better than having nothing. Companies can also ensure that any sensitive business data is encrypted. Employees should change their passwords regularly, delete data that is no longer needed and also back up important data – not only business information, but those of personal importance too, such as family photographs and videos.”

Lastly, he says, companies can encourage users to install reliable security software on their devices that will help to fend off malware and continue to protect devices remotely in the event of loss or theft. “Everyone knows that Android-operated devices are vulnerable to attacks due to its wide uptake and popularity. Products such as GData’s MobileSecurity have been developed specifically to secure Android devices.”

IT News Africa

Nursing and Midwifery Council receives £150,000 penalty

The Information Commissioner’s Office has urged organisations to review their policies on how personal data is handled, after the Nursing and Midwifery Council was issued a £150,000 civil monetary penalty for breaching the Data Protection Act.

The council lost three DVDs related to a nurse’s misconduct hearing, which contained confidential personal information and evidence from two vulnerable children. An ICO investigation found the information was not encrypted.

David Smith, Deputy Commissioner and Director of Data Protection, said:

“It would be nice to think that data breaches of this type are rare, but we’re seeing incidents of personal data being mishandled again and again. While many organisations are aware of the need to keep sensitive paper records secure, they forget that personal data comes in many forms, including audio and video images, all of which must be adequately protected.

“I would urge organisations to take the time today to check their policy on how personal information is handled. Is the policy robust? Does it cover audio and video files containing personal information? And is it being followed in every case?

“If the answer to any of those questions is no, then the organisation risks a data breach that damages public trust and a possible weighty monetary penalty.”

The council had been couriering evidence relating to a ‘fitness to practise’ case to the hearing venue. When the packages were received the discs were not present, though the packages showed no signs of tampering. Following the security breach the council carried out extensive searches to find the DVDs, but they’ve never been recovered.

David Smith continued:

“The Nursing and Midwifery Council’s underlying failure to ensure these discs were encrypted placed sensitive personal information at unnecessary risk. No policy appeared to exist on how the discs should be handled, and so no thought was given as to whether they should be encrypted before being couriered. Had that simple step been taken, the information would have remained secure and we would not have had to issue this penalty.”