Smartphones and tablets have become as essential to businesses in recent years as computers, allowing employees to access company data remotely at any time from almost anywhere. While these mobile devices are valuable when it comes to conducting business, they also pose security risks. Is increased efficiency, mobility and accessibility worth the increased risk of a data breach?
According to The Impact of Mobile Devices on Information Security, a survey of 768 information technology professionals conducted by Dimensional Research, 89 percent of respondents said their mobile devices are connected to corporate networks. Meanwhile, 65 percent allow employees' personal mobile devices to connect to corporate networks.
Increased opportunity often comes with increased risk, with 71 percent of respondents saying that there has been a rise in mobile device security incidents. In addition to risks posed to businesses, mobile devices also make customers vulnerable, with 47 percent of respondents saying that customer data is stored on mobile devices.
A separate survey from the Ponemon Institute makes it clear that the risks posed by business mobile devices are not going away, with 77 percent of respondents saying that mobile devices are essential for achieving business goals.
While most businesses focus on desktop security and try to prevent data loss over web and email channels, mobile device security requires just as much attention. Tablets and iOS devices are replacing corporate laptops as employees bring their own devices to work and access corporate information. These devices increase the potential for a breach of sensitive data.
According to Advisen, lost or stolen devices, mobile malware and web-based threats are the biggest concerns that organizations face when it comes to handheld and mobile devices.
Lost or Stolen Mobile Devices
Physically securing mobile devices, as well as the data stored on them, has been and will continue to be difficult. A 2011 study by Kensington on lost or stolen mobile devices revealed the following statistics:
- One laptop is stolen every 53 seconds
- 70 million smartphones are lost each year and only 7 percent are recovered
- 4.3 percent of smartphones issued to employees are lost each year
- 52 percent of devices are stolen from the workplace
According to a Juniper Networks 2011 study, there is more malware targeting mobile devices than ever before. A device can be infected as a user unknowingly downloads a malicious application that has been posted to an app store.
Web-based threats include phishing scams executed via websites, email, text messages and social media, as well as downloads that occur by visiting malicious websites or through a vulnerable Flash player, PDF reader, or image viewer.
Minimizing risks from mobile devices
Data from the Ponemon Institute's study on mobility risks showed that only one-third of companies in the U.S. have mobile device usage policies. This lack of oversight is a major problem, but it can be addressed quickly. Businesses that have not done so already should create specific policies regarding mobile devices for both business and personal use. These policies should:
- Identify risks
- Describe how mobile devices connect to the network
- Detail the kind of company data that can be stored on a mobile device
- List tips and steps on how to protect mobile devices
- Provide instructions on how to report a lost or missing mobile device so it can be remotely disabled
While issues such as hackers and malware are usually associated with computers, they also pose a problem for mobile devices. This means that employees who use mobile devices to access the internet should follow the same protocols as when they're using a computer. Additionally, regardless of whether a mobile device is used for business or personal use, if it connects to a company network, its security should be a priority. This means avoiding untrustworthy applications that could contain malicious software.
Businesses need to dictate how sensitive information can be accessed by employees. Important data should only be accessed by essential parties, which will limit the risk of security breaches and make it easier to track who is privy to sensitive information.
Businesses must also ensure that their networks are secure by:
- Implementing data encryption
- Strengthening passwords
- Protecting access from unauthorized individuals
Obtaining proper insurance coverage
Due to the increased use of mobile devices by employees, it is critical that businesses understand whether their insurance provides coverage for a data breach caused by a lost mobile device or by access derived from syncing a company's mobile device to an employee's personal computer.
According to Darren Caesar, Executive Vice President and Chief Marketing Officer at HUB International Insurance Services in California, "If your company has a cyber insurance policy, it should be reviewed to determine whether the company has specific coverage for a data breach caused by employees' use of their mobile devices. These policies vary by insurance company and specific endorsements may need to be added."
Most cyber insurance policies cover the costs of:
- Investigation of the data breach
- Determination of the type of notification that must be provided to customers
- Crisis management and public relations firms
- Credit monitoring costs as well as remediation to correct the breach event
Speak with a HUB International broker to determine what kind of insurance solutions, such as cyber liability coverage, can protect your business from financial losses resulting from privacy breaches and security threats. HUB can also help you identify vulnerabilities and recommend steps to protect your company and your customer information.
Proactively identifying potential mobile device exposures and implementing the necessary security controls and enforceable policies will allow your business to mitigate its risk. Talk to your HUB broker today.