Preliminary findings released by PricewaterhouseCoopers (PwC) from the 2012 Information Security Breaches Survey (undertaken in conjunction with Infosecurity Europe and supported by the Department for Business, Innovation and Skills) show that many companies are not doing enough, and some are doing nothing at all, to secure their mobile environment. The main finding, however, is the sheer extent to which business is adopting mobile computing and social networking: 75% of large organizations and 61% of small businesses allow staff to use smartphones and tablets to connect to their corporate systems. “These figures demonstrate,” PwC information security partner Chris Potter told Infosecurity, “that while people are just talking about other trends like cloud computing, they are actually doing something about mobile computing.”
But what the figures also show is that too many organizations are not taking the security threat sufficiently seriously, and it is the smaller companies that are most culpable. On the one hand, smaller companies are less likely to allow connections from staff mobile devices (39% of smaller companies, against only 25% of larger companies, don’t allow it). On the other hand, as many as 34% of smaller companies (against only 13% of larger companies) take no security precautions at all. “That’s no security strategy, no policy, no training, no technical protection, no encryption, no device management,” explained Potter. And the reason? “I think it’s down to two things,” said Potter. “Firstly, there’s a basic lack of understanding of some of the risks involved; and secondly, there’s an element of wishful thinking: if I haven’t been burnt, then I’m OK – maybe this security risk is all just hype.”
It isn’t hype. 82% of large organizations reported security breaches caused by staff, including 47% who lost or leaked confidential information. “Often,” said Potter, “breaches occur through ignorance rather than malice. Greater security awareness is vital but it is not being implemented. Possession of a security policy by itself does not prevent breaches; staff need to understand it and put it into practice.” Education, he said, leads to greater understanding, and greater understanding leads to fewer breaches. “When you slice the data based on breaches, you find that organizations with a well-understood security policy suffer fewer breaches. There is a clear causal link between training and education, and the payback is fewer security breaches. Companies have lots of training needs – working security awareness into the overall programme of training rather than treating it as some other strange additional stuff you have to do is usually the most effective way of doing it.”
One problem is that mobile computing and social networking are still shiny new toys. For example, 52% of small businesses say social networking is important to their business. “What happens,” says Potter, “is that when people see a shiny new toy, they go off and use it – but it’s only when they actually experience a major security breach in their organization that they stop to make the necessary security changes.” Only 8% of companies monitor what their staff post on social networking sites. Companies are alert to the advantages of these new toys, but are not yet fully alert to the threats. This survey shows that many more companies, particularly smaller ones, are going to get burnt unless they change their attitude.
“There’s no such thing as 100% security,” Potter told Infosecurity, “and there’s no such thing as 100% control. The really serious breaches are caused by people doing silly things, people exposing confidential data inadvertently onto a mobile device which is then lost. So you want to try to manage those risks. You have to make it hard for the criminal. If somebody gets hold of a lost device you make it hard for them to access any data on the device. Encryption by itself isn’t the answer - a combination of encryption, strong authentication, mobile device management including remote wiping gets you to a much better place.” And it all has to be underwritten by an effective and well-understood mobile computing and social networking security policy.