Mobile working is putting corporate data at risk
There are no exceptions when it comes to organisations at risk of a data breach; some are simply further up the target list than others, including telecommunications companies such as TalkTalk and Three, both of which have suffered as a result of compromised data.
Customer data is at the heart of each and every telecoms operation as they typically store a trove of very detailed personally identifiable information (PII) that is of high value to adversaries. Telecommunications businesses detected an average of 8,536 incidents in 2016 when assessing information security compromises, according to PwC’s ‘Toward new possibilities in threat management’ report. Within the telecom industry, current employees were the top source of compromises in 2016.
Unfortunately, the risks posed by employees are a constant challenge to all businesses, and as data continues to exist more and more beyond the confines of the corporate network, the threat of a data breach will likely only increase. A recent survey conducted by Apricorn and Vanson Bourne highlighted that almost half (48%) of the surveyed companies say employees are one of their biggest security risks, says Jon Fielding, managing director, EMEA Apricorn.
The findings also showed that mobile working is a major problem as companies are still uncertain how to enforce adequate security policies, and many have no viable strategies in place.
The risks of mobile working
Employee error or mishandling of sensitive data is a genuine threat. When new flexible working regulations came into force in June 2014, businesses were not only tasked with managing the allowance of flexible working practices, but also faced the challenges of providing the necessary tools and training to enable them to do so securely.
With so many outlets for data, including personal storage devices such as USB memory sticks, smartphones and tablets, the potential to remove or copy sensitive information outside of the corporate network has become a growing risk.
According to analysis published by the TUC in May 2016, the number of employees who say they usually work from home has increased by a fifth over the past 10 years, with nearly a quarter of a million more people working from home than a decade ago. Consider then, the number of devices being used outside the corporate network and the additional responsibility of managing the use, access and storage of sensitive business data.
Worryingly, fifty-three per cent of respondents to the Apricorn survey said that managing all of the technology that employees need and use for mobile working is too complex, while 35% complain that technology for secure mobile working is too expensive.
Policy and compliance
The survey also found that one in ten companies with over 3,000 employees do not have a security strategy that covers remote working and BYOD. When asked about the greatest security risk to their organisation in 2017, more than a third of those surveyed said BYOD and mobile working were among the biggest liabilities.
It is clear that many organisations recognise the security problems associated with mobile working, but sometimes the shortfall is down to a lack of adequate training or a failure to provide the right tools. Businesses must be poised to further improve security capabilities by preparing for shifting business models and enhanced data-privacy needs, such as the introduction of the European General Data Protection Regulation (GDPR), due to come into force in 2018.
Over half (57%) of the surveyed respondents agreed that while their mobile workers are willing to comply with security measures, they don’t have the necessary skills or technology to keep data safe. The GDPR is set to harmonise procedures across the continent and aims to enforce responsible management of data, in terms of movement and processing, while safeguarding how it is shared, stored and retrieved.
Worryingly, roughly a quarter (23%) of surveyed organisations admitted that they have no way of enforcing the relevant security strategies they have in place, which is almost as risky as having no policy whatsoever.
It is no surprise that organisations are failing to secure their data and put the necessary policies in place to protect sensitive information being accessed remotely. With new obligations such as data anonymisation, breach notification, and trans-border data transfers, the GDPR will require companies handling EU citizens’ data to undertake major operational reform.
Under the new regulation, organisations will need to demonstrate compliance or otherwise be prepared to face action for breaching the law, even before an incident occurs.
The author of this blog is Jon Fielding, managing director, EMEA Apricorn