iPhone, iPad, Android, Blackberry – technology brands that have become part of our everyday social lives with remarkable speed – and our working lives too. But do you really appreciate the risks of using a mobile device (either company-issued or your own personal device) to access your business’s confidential information?
Employees expect to be able to access corporate information remotely. But increasing connectivity means more vulnerability. IT departments frequently find themselves torn between securing networks and catering for the needs of employees, particularly when it comes to Bring Your Own Device (“BYOD”) policies. Their protestations about security concerns and software support are often trumped by claims of improved productivity by senior executives wanting to use their familiar personal devices.
A recent survey indicated that 73% of businesses were allowing non-IT managed devices access to business resources. But this brings big risks – 59% of businesses recently reported an increase in malware infections due to insecure mobile devices being used in the workplace.
Cyber-security is no longer just an IT issue. Whilst I am sure that you, the security-conscious reader of this blog, would never do such a thing, 59% of employees circumvent or disable security features (such as passwords and key locks) on their corporate and personal mobile devices. Put simply, employees have become complacent about the risks involved in accessing sensitive information on what are really rather losable and potentially insecure devices.
The stats speak for themselves: one in six Britons lost their mobile in 2010 and 72% of UK organisations admit that employees have lost confidential information on USB memory sticks. Aside from the obvious embarrassment and that rather shamefaced call to the IT department to report a “temporarily misplaced” device, there are also the rather more serious issues of business reputation and data protection legislation to worry about.
In January this year, the European Commission proposed a comprehensive reform of the EU’s data protection rules. The new legislation (to be implemented from 2014) would require public and private sector organisations to notify “both individuals and the relevant data protection authority without undue delay, where feasible within 24 hours, if data is accidentally or unlawfully destroyed, lost, altered, accessed by or disclosed to unauthorised persons.” The regulatory authority could impose fines of up to €1m or 2% of global annual revenues for failing to comply.
Combine this with the growing adoption by businesses of cloud computing and one can understand why global spending on cyber-security is expected to grow at 10% a year over the next three to five years. The mid-market has seen its fair share of transactions recently, with Sophos’s purchase of Astaro, Corero’s acquisition of Top Layer Security, and Lyceum’s secondary buy-out of Clearswift. This sector is definitely going to be one to watch in 2012.
And do try to avoid losing your phone next time you are out of the office…