Half of all companies lose devices with important data

Half of companies have lost a portable computing device with important data on it, and for more than 20% of organisations the loss had security implications, a survey has revealed.

Further, 57% of employees believe that bring-your-own-device (BYOD) practices put their personal data at risk as well, according to a survey by data governance software company Varonis.

Despite these concerns, the study also revealed 86% of employees use their personal devices for work at all hours of the day, with 44% admitting to doing so during meals.

Additionally, 20% of respondents consider themselves “borderline workaholic”, 15% take their devices on holiday and 7% claim their work and home lives are one.

But the study found the productivity drain is greater for companies that allow BYOD. Nearly a quarter of respondents said they spend more time than they care to admit doing things unrelated to work during work hours.

According to the findings, almost three-quarters of employees are now allowed to access company data from their personal devices.

This growing trend to work remotely is likely to have an impact on breaches and data leakages, as mobile devices continue to have major security implications, according to the research report.

The study found that implementing a BYOD policy did reduce security incidents, but only by 5%.

The most popular method to secure mobile devices is password protection (57%), followed by 35% who wipe devices remotely and 24% who use encryption.

“Being connected to work around the clock appears to be accepted as the ‘new normal’,” said David Gibson, vice-president of strategy at Varonis.

“While organisations are capturing the many benefits of BYOD – and the willingness of the workforce to embrace this style of working – companies must protect themselves,” he said.

Gibson said all companies that allow BYOD should:

  • Develop a BYOD policy that lets people know what is and is not allowed;
  • Make sure controls are appropriate to the risks – if the data is valuable, organisations need to control where it resides and who has access to it, and need to be able to audit use and spot abuse;
  • Monitor the effects of frequent interruptions and “always-on” habits to watch for signs of impaired productivity or health.

“Only by limiting the potential damage – both to organisations and employees – can organisations make the most of a trend that will continue to leap forward, whether businesses allow it to or not,” he said.

UK’s million missing laptops

The million mobile devices that have gone missing in the past year are a business data time bomb, according to Sony’s VAIO Digital Business report 2013.

The report, which polled IT leaders at 600 UK businesses, blames bring-your-own-device (BYOD) practices, poor security habits and a rebel workforce.

The findings show that one in four UK businesses have had a laptop lost or stolen in the past 12 months, but only 28% of those polled reported having anti-theft security features on their laptops as standard.

The research shows that businesses are failing to make use of existing security technologies to keep pace with rapidly changing working practices.

“Businesses should take advantage of this ready-and-waiting safety net, which can be easily implemented regardless of IT infrastructure,” the report said.

Data security was ranked as very important by 75% of respondents and loss of confidential company data was identified as the number one concern of nearly half of respondents.

Yet 90% admitted accessing company data from a personal device, regardless of corporate policy, and two-thirds of those surveyed admitted saving confidential business data on their laptops.

Some 46% of those polled said they would bypass company policy and bring in their own device if frustrated by their company-provided machine.

Further compounding this problem, 66% said they take their work laptop home with them every day, with most laptops lost or stolen on trains, followed by private homes and airports.

Some 42% of respondents said they were using their own laptop for work and, for 88% of business laptop users, it is the machine they use in the office as well as remotely.

The study showed that 82% are not changing their password on a monthly basis, 20% of respondents said they never change it and 17% only do so when prompted to.

Despite these trends, the report said businesses are not investing enough in securing their data, with nearly half spending less than £1,000 a year on laptop security and only 28% of business laptops being fitted with anti-theft security as standard, even though many security features require only simple activation.

The report said while 56% of those surveyed had remote back-up software and 42% had some form of data encryption, only 25% had remote lockdown and only 18% had location tracking enabled.

According to the report, what people look for in a business laptop is a clear reflection of the modern mobile approach to work.

The top feature for most users is long battery life, followed by rapid boot-up, weight and a good range of connectivity options.

The research found that even though people realise the importance of security, fingerprint security access was the least in-demand feature.

“This indicates that the issue isn’t awareness, but education on how to use the security features laptops already have,” the report said.

BYOD poses serious risks to IT security

The always-on, always-connected, productivity-on-the-go trend of allowing smartphone- and tablet-toting employees to take their own devices to work (known as BYOD, or “bring your own device”) and to plug them into the company network is growing in popularity around the world.

A recent BYOD study conducted by smartphone manufacturer Samsung Electronics, in conjunction with IDG Research, revealed that 85% of global companies support the BYOD trend, while 70% of IT executives believe that a company that does not implement a BYOD policy will be at a competitive disadvantage.

While some companies readily admit that they allow their employees to practice BYOD since it is convenient and sometimes more cost effective than having to issue and pay for company devices, many information security managers also admit that companies ought to do more to understand the security implications behind the trend.

According to a worldwide survey conducted by analyst firm Frost & Sullivan and published in the 2013 Global Information Security Workforce Study, 78% of security professionals believe that BYOD poses a “somewhat” or “very significant” risk to companies.

These fears are not unfounded, says Lutz Blaeser, Managing Director of South African security software distributor Intact Security. “Last year, just over half of secure IT security networks in the UK alone reportedly had their security breached due to employees using personal devices in the workplace. While the BYOD trend in South Africa is still relatively low, with only an estimated 5% of local businesses adopting BYOD policies – it is bound to pick up pace, especially as more people adopt a more flexible way of working.”

But Blaeser admits that the popularity of BYOD is not driven merely by productivity. “Employees still like to access their personal messages and social networking while at work, and using their own devices at work allows them to access their personal apps and e-mail, whereas the company computers could have a block, prohibiting users from having access to, for example, social networking sites.”

Indeed, a global survey conducted by Fortinet reveals that many employees already consider using their own devices at work to be a “right” and not a “privilege” – especially among Asian respondents, with more than half (55%) saying that they regard it as their right.

This is going to cause huge headaches for IT departments. Blaeser, whose company Intact Security is responsible for distributing GData as well as other brand name security software to the South African market, predicts that hackers and other cyber criminals will exploit the BYOD trend to target companies and institutions, by launching attacks on employees’ private mobile devices to gain access to sensitive data on company networks.

He advises that the solution is not to ban BYOD, but rather to implement strong BYOD policies pertaining to security. “The amount of malware and malicious apps developed specifically to attack tablets and smartphones will continue to increase throughout 2013,” Blaeser says. “Make rules that employers should activate passcode protection (whereby users have to enter a special code whenever they switch on their devices). Although many will argue that such codes are easy to crack, it is better than having nothing. Companies can also ensure that any sensitive business data is encrypted. Employees should change their passwords regularly, delete data that is no longer needed and also back up important data – not only business information, but those of personal importance too, such as family photographs and videos.”

Lastly, he says, companies can encourage users to install reliable security software on their devices that will help to fend off malware and continue to protect devices remotely in the event of loss or theft. “Everyone knows that Android-operated devices are vulnerable to attacks due to its wide uptake and popularity. Products such as GData’s MobileSecurity have been developed specifically to secure Android devices.”

IT News Africa, Africa's Technology News Leader

A long recovery road after a data breach

Small to medium-sized businesses face a long recovery road after a data breach

Understanding why data breach preparedness is a priority is key. According to the latest Ponemon Institute study, State of SMB Cyber Security Readiness: US Study, the road to recovery is long and hard for small to medium-sized businesses (SMBs) after a data breach. Not only did the SMBs lose customers, but costs to acquire new customers went up significantly, some organizations had to lay off employees, and it took almost a year to recover from the damage to their business reputation. The purpose of the study was to understand the ability of SMBs to prepare their companies for a possible cyber security threat or data breach.

The study examined the differences in perceptions about the consequences of a data security breach between those companies that experienced a breach and those that have not.  The average cost of a data breach was almost $900K, which is almost three times more than what unaffected companies estimated.  This lack of awareness about the costs and consequences of a data breach can negatively affect an SMB’s ability to be prepared for a cyber security attack.  Although participants stated that the priority for their IT security spending was to meet compliance requirements and implement a data breach response plan, the reality is most companies didn’t have policies in place to deal with a breach of data.  In addition, respondents expressed that their biggest frustration in implementing a data security plan was dealing with employee negligence and felt it was unrealistic to expect an organization of their size to be totally secure from a cyber attack. In response, The Ponemon Institute has the following recommendations to improve the current state of cyber readiness for SMBs:

  1. Like bigger sized organizations, make it a priority to implement formal data protection and security programs to detect cyber security risks.
  2. Conduct risk assessments and monitoring to identify data breach risks. Establish security objectives and set actionable metrics to be able to measure that your company is meeting security goals.
  3. Ensure that employees’ mobile devices are properly protected with anti-virus/anti-malware protections and encryption technologies.  Identify your sensitive and confidential information that needs security and protection at all times.
  4. Educate workers through training and awareness programs on the importance of following proper security procedures.  Make the business case for investing in cyber security.

As with many things, it’s not the size that counts, it’s the content that is important.  And no matter how large or small the business, the importance of protecting that content should always be the first priority in every company’s cyber security plan.

Original article from Experian 22nd Feb 2013

UK Biggest Data Loss Disasters of 2012

With the growth in the use of personal devices for work, it is no surprise that data loss increased in 2012. In fact, it is astounding to think that UK data loss in general has risen by an estimated 1,000 per cent in just under five years.

Here, we take a look back at some of the biggest data losses the UK faced in 2012.

NHS trust loses personal data of 600 maternity patients, and kids

On at least two separate occasions in 2012, the NHS was forced to admit losing two unencrypted USB sticks containing highly sensitive personal patient data. In the first instance, the device in question contained data relating to around 600 maternity patients. A second USB stick containing the names and dates of birth of 30 children and full audiology reports of a further three was also lost. This caused great embarrassment to the NHS, and distress to the patients whose confidential information was compromised.

Lost data blunders costing councils £1.9 million

A series of blunders by various UK councils led to them being fined heavily for serious data breaches, including the disclosure of highly sensitive, personal information. The fines totalled an astonishing £1.9 million. The mistakes included information being sent to the wrong people, while one individual even left hard copies of highly confidential documents on the train.

Shopacheck loses data on 1.4 million customers

In terms of the number of customers affected by any single data loss incident, Shopacheck experienced the biggest loss in 2012. The loan firm managed to lose sensitive financial information pertaining to 1.4 million of its customers after two back-up tapes went missing. The tapes contained highly confidential information including customer names, addresses, dates of birth, telephone numbers and email addresses.

Police force pays £120,000 penalty for data breach

Greater Manchester Police was fined £120,000 after a memory stick, which had no password protection, was stolen from an officer’s home. This caused a serious breach of data security, not least because the device contained information about members of the public who had given statements as part of drug investigations. It also contained details of police operations, potential arrest targets and the names of officers.

USB stick with nuclear plant data lost by ONR official

While on a business trip to India an Office for Nuclear Regulation (ONR) official lost an unencrypted USB memory stick containing data relating to one of the UK’s nuclear power stations in Hartlepool. What made it worse for this blundering individual was the ONR confirming that unencrypted USB sticks should not be used for transporting documents with a security classification. It seems this official should have thought a little more about effective ways to protect his organisation’s sensitive data.

As these examples demonstrate, data loss can largely be attributed to human error and ineffective backup and security solutions. Once again, we are reminded of the importance of implementing effective data protection policies. Many of these disasters could have been mitigated with the use of a solution such as EVault’s Endpoint Protection for mobile devices (laptops and tablets), or by using the cloud, to back up sensitive company data.
Let’s hope that businesses realise this in 2013!

Original article by Jean-Jacques Maleval, Mon, January 21st, 2013

51% of UK networks compromised by BYOD

Half of UK business networks have already been compromised by the bring-your-own device (BYOD) phenomenon of workers using personal devices for work-related activities and for attaching to corporate networks.

That’s the assessment of new research from Virgin Media Business, which found that in 2012, a full 51% of the UK’s secure IT networks were breached due to employees using personal devices.

In surveying 500 British CIOs, Virgin Media Business found that smaller businesses experienced 25% fewer breaches of security compared to larger organizations.

“Last year was clearly a bumpy road for companies introducing personal devices at work,” said Tony Grace, COO at Virgin Media Business. “That’s natural enough as no one has so far been able to come up with the magic solution. CIOs shouldn’t see this as a burden and in 2013 they can take the lessons learned and turn these personal devices into business enablers to really help drive the bottom line.”

In 2012 the consumerization of IT and BYOD have gone from being buzzwords and theories, to being everyday matters and issues for CIOs. “Security, connectivity and user policies are the three key factors needed to embrace new technology successfully, but this isn’t anything new,” the research found. “With just 20% of big businesses allowing staff to use their own kit in the office, there needs to be a shift in mindset.”

The issue will only grow larger: Virgin Media noted that a tablet was sold every second in the run up to Christmas, up 112% from last year, meaning January is likely to see a clear influx of the devices in the workplace, driving a need for clear policies on BYOD.

“With sales of tablets expected to have gone through the roof over Christmas, it looks like personal devices in the workplace is here to stay,” said Grace. “But with just a fifth of large firms having a BYOD policy, businesses will continue to experience security breaches until connectivity, security and user policies are put in place.”

Security Guardian was designed to make BYOD work at minimal cost.

Bring your own device, but who owns your data?

By Domingo Guerra.

Call it consumerization or call it BYOD, but whether we like it or not, employee-owned devices have made their way into the workplace.

In fact, Gartner  predicts that 90 percent of companies will support corporate apps on personal  mobile devices by 2014.

But with this new technology wave comes a string of questions up for debate:  Who’s responsible for security? Who really owns the data on the devices? And as  mobile device management (MDM) becomes commonplace in the enterprise, should IT  be allowed to remotely wipe data if an employee’s phone is lost or stolen?

Perhaps the real question should be, why wouldn’t we want the data wiped?

Today’s mobile devices are extremely personal and intimate, knowing us better  than we know ourselves. Each device holds the keys to our most important  personal information. They have our exact location at any given moment, our  private contacts, personal and work addresses, schedules, financial information,  personal/private photos, family information, all stored on these easy-to-lose  devices.

Yet a disconnect remains: When we lose our wallets or purses, we immediately  cancel our credit cards and change our locks at home. Why would we treat a lost  device — with so many private details and insights into our lives — any  differently?

Some argue that holding out hope for the phone to be returned makes a full  wipe of the device seem too harsh and too permanent of an action.

Of course, the burden is on the consumer for regular backup, particularly when most personal devices contain as much critical data as computers. Regardless, research by Symantec shows that there is, at best, a 50 percent chance of recovering a lost device (and that likely drops closer to zero percent for a stolen device).

Furthermore, there’s an 80 percent chance that an attempt will be made to  breach corporate data and/or networks regardless of whether or not whoever found  the device intends to return it.

But even if users and IT agree that remote wiping is the safest action to  take in this case, do organizations even have the right to remotely wipe data on  employee-owned devices?

The short answer is that it depends. From a legal standpoint, it is usually determined by where the organization and employees are located. In Germany, for example, it is illegal for companies to wipe personal data from an employee-owned device. These companies only have the limited right to delete enterprise data from personally owned devices, so many opt for mobile management solutions that allow them to do that.

In the U.S., laws on this are more lax (or even non-existent). Most  U.S.-based companies have employees sign Employee Agreements or Acceptable Use  Policies over what IT can or cannot do with their computing devices. In  most cases, we’ve already given IT permission to do pretty much anything with  our devices if we — even minimally — use them for work.

The truth is, there is a lot of shared risk between employees and employers, so arguing over who should delete the lost device’s data is the wrong argument. With most security matters, a pre-emptive approach is best. In this case, that means close collaboration and an understanding of what actions to take in the worst-case scenario.

Here are some suggestions:

  • Open the lines of communication: Employees need to know the risks they face on a personal level, as well as the risks the organization faces.
  • Create a plan: Don’t wait until a device is lost or stolen before figuring out the right course of action.
  • Have the right tools and technologies in place. There is a plethora of both personal and commercial options for automatic backup, remote wipe, security, and management of devices. With the amount of sensitive data we carry on our devices every day, there really is no excuse to be caught off guard.

Speaking of tools and technologies, it’s an exciting time to be in the mobile  workplace. Employees’ and IT departments’ tech savoir faire is evolving at an  unprecedented rate as groundbreaking technologies, devices, and apps make their  way into the workplace.

Whether it is traditional MDM, Mobile App Management (MAM), Mobile Risk  Management (MRM), virtualization, containerization, app wrapping, consumer or  enterprise solutions, or a combination of these, there are a lot of innovative  solutions out there. Now is the right time to figure out the best approach for  your company’s mobile management and security strategy.

In the new enterprise mobile world, who owns security, data, and the  responsibility of keeping our privacy, security, and sensitive information safe?  In this case, I’d argue we are all on the same team.

Just as the new mobile world is about connectivity and hyper productivity, it  is also a world of partnerships and trust. After all, when you use your device  for personal and work purposes, it’s not your data or my data. It’s our data  that is at risk.

Domingo Guerra is the president and co-founder of Appthority, a company focused on mobile security in the  enterprise.

Read more at http://venturebeat.com/2012/11/17/byod-data-wipe/

117 laptops left on the UK rail network

During the first two weeks in November, 117 laptops were found on the UK rail network. Of these:

  • 43 had their passwords inside the carry case or stuck to the keyboard;
  • 4 were in standby mode with no password at all;
  • 11 iPads had no password.

What is on the 5000+ mobile phones London Transport recovers every month?

One can only wonder what information was available on these technological wonders. Email, contact details, personal photographs. Who knows what sensitive corporate or government information? Part of the problem lies in the complex passwords that many IT systems dish out. Ten digits upper and lower case with at least one numeral and one special character! Certainly it is difficult for a hacker to guess; conversely, it is impossible for a human to remember.

BYOD has a lot to answer for.  Bring Your Own Disaster seems more appropriate.
Security Guardian overcomes many of these problems and allows remote data delete even when not connected to a laptop.