
Compliance Pros Need to Beware of Mobile Data Risks

By Moti Rafalin

In its “2013 The Risk of Regulated Data on Mobile Devices” study, the Ponemon Institute dove deep into an issue with which compliance professionals are all too familiar. For financial and IT teams charged with protecting regulated data, the proliferation of smartphones and tablets in the workplace is cause for concern. Workers now access, store and share sensitive enterprise data on their own mobile devices. That data – which includes account numbers, passwords and PINs, employment records, authentication data, Social Security numbers, mobile phone numbers, payroll and benefits information – is too often unprotected. According to the Ponemon Institute’s survey of 798 IT professionals, few companies are proactive in protecting this type of data, and many are opening the door to potential compliance breaches.

Among the most concerning results are these:

  1. Participants don’t know how much regulated data employees have on their mobile devices or share in the cloud.
  2. Companies don’t have processes in place to prevent regulated data access via insecure devices.
  3. Organizations are not leveraging business tools that can safeguard sensitive data.
  4. Few enterprises monitor activity related to regulated data and how it is used on mobile devices or in cloud applications.
  5. Employees frequently dismantle or evade data protection solutions that are in place.

Compliance starts with knowledge

The lack of knowledge around highly sensitive data usage is among the most concerning results of the report. Nearly 60 percent of those surveyed said their companies allow employees to bring their own devices and use them for work purposes, but fewer than 20 percent said their employers know how much regulated data is on those devices. The lack of knowledge extends to cloud-based file sharing applications, as well. When asked a similar question about regulated data shared via services such as Dropbox or Box, only 16 percent of respondents demonstrated a clear understanding of how much regulated data is shared. 

Given this lack of information, it shouldn’t be surprising that 69 percent of the survey pool said regulated data on mobile devices poses a serious risk to the enterprise. Unfortunately, enterprises don’t seem to be putting the necessary oversight or governance practices in place to mitigate that risk, and they aren’t stopping employees from accessing regulated data using unsecured mobile devices. Three-quarters of the survey participants said they find it difficult to stop staff from using insecure equipment to access regulated data. Adequate compliance and governance processes, as well as technologically advanced solutions, could alleviate this problem. However, the Ponemon Institute found that not only are these processes infrequently adopted, but many IT leaders don’t fully understand compliance regulations or how they relate to data on mobile devices in the first place.

To remain in compliance, enterprises must act

There are “serious deficiencies” in how companies protect – or fail to protect – their regulated data, according to the report. More than 60 percent of those surveyed said their companies aren’t careful about safeguarding this data, and they aren’t making the protection of regulated data on mobile devices a priority.

Furthermore, few participants reported any type of monitoring over those who access and use regulated data via mobile devices in their companies. This is particularly disturbing when one considers the fact that 63 percent of employees use laptops, tablets or smartphones to do their jobs, according to the Ponemon Institute, and about half of those workers are dealing with regulated data.

That raises serious compliance questions for enterprises. How could these activities compromise customer privacy? Are we risking compliance if we don’t even have a basic policy to outline acceptable use of mobile devices and sensitive data? How can we reassure customers that their personal information is secure? What kinds of processes or technology could give us adequate insight into user activity? How do we get employees to buy into more compliant use of this data via mobile devices? 

Courting employee buy-in is a critical piece of the compliance puzzle when it comes to regulated data and employee-owned mobile devices. That’s because at one time or another, most employees have disabled or evaded the enterprise security settings on their smartphones and tablets. This is not malice. It’s a strong desire for easier collaboration and sharing, and a basic misunderstanding of what is at risk. According to the Ponemon Institute’s findings, only about twenty-five percent of IT leaders believe staff understand why the enterprise must protect regulated data on mobile devices, and most believe employees find ways to circumvent any security features that are in place. That is easy to do when the most frequently used security options were never intended to protect data on mobile devices. Manual policies and procedures, passwords or device key locks, network security solutions, virtual private networks (VPN) from mobile devices and anti-virus/antimalware software are all inadequate for the challenges compliance teams face in protecting regulated data via smartphones, tablets and cloud sharing services.

Data-centric protections make more mobile sense

Compliance officers understandably look at the rise of mobile devices and see increased risk. Workers, however, see increased productivity, collaboration and efficiency. The two points of view can find common ground – if enterprises take steps to adequately protect the regulated data employees want and need to access in order to do their jobs on the go. The Ponemon Institute study illustrates a need for greater knowledge and action from the IT leaders charged with maintaining compliance and security over regulated data. It’s clear from the respondents’ own feedback that they understand the implications of inaction. Fifty-four percent of participants said their enterprises had suffered data breaches due to mobile device theft or loss, and they reported an average of approximately 6,000 compromised records. And when nearly half of such a large survey pool say they’ve had to report data breaches to a regulatory agency, it’s clear that something needs to change.

Compliance teams must lead the way in raising awareness of the mobile security risk and instituting more effective protections for companies, employees and sensitive data. With data-centric protections in place to encompass employee-owned smartphones and tablets, enterprises can squash data breaches, support mobile productivity and ensure regulatory compliance.

Moti Rafalin

Moti Rafalin is the co-founder and CEO of WatchDox, a provider of secure mobile productivity and collaboration solutions that enable the confidential sharing of important or sensitive files in an easy and secure way.
