There’s little doubt that employees want to use a growing range of devices to access data. Recent research shows that while Windows-based desktop and notebook PCs still dominate, they are fast being supplemented by a diverse range of alternative form factors and operating systems.
In the new survey, which was sponsored by Trend Micro, 88 per cent of small and mid-sized businesses say at least some of their employees are using smartphones for business purposes and 43 per cent report that one or more of their employees use tablet PCs.
These devices are not always owned by the business. Some 74 per cent of the firms questioned say some of the devices used belong to staff. Respondents to the survey cite more efficient business processes as the biggest benefit of enabling access to data from mobile devices.
However, whatever the benefits, such sharing creates security headaches for IT managers, especially as most of the sharing is over public networks. Only if data can be shared safely will businesses have the confidence to embed mobile users and their chosen devices into business processes.
Discussions about IT security usually focus on reducing the risk posed by outsiders or malicious insiders. Mitigating these risks remains paramount but it is also important to make sure that a compliance-oriented architecture protects well-intentioned employees from themselves.
The most common way data leaks occur is through the accidental actions of employees. They need to share data but may accidentally share the wrong data with the wrong person by email or some other communication channel.
And of course, unless it is controlled in some way, they may store data on mobile devices that are subsequently lost or stolen. Theft, accidental loss and erroneous disclosure are by far the most common reasons for self-reported data breaches, as data in the report shows.
The irony is that while data loss is a common problem, despite the many high-profile incidents – not least the recent problems at Sony – lost data is actually rarely compromised. The thief who steals an iPad is more likely to be interested in the resale value of the device than the data stored on it.
Yet that fact does not cut any ice with regulators. Good management of personally identifiable information is obligatory. Organisations must comply and be seen to comply. A compliance-oriented architecture involves putting in place the ability to control the use of data, monitoring and controlling what is being sent by email and what is being copied where. It should also be used to control the printing of data, an often overlooked source of data leakage.
Data loss prevention, or DLP, tools are designed to track the movement of data and allow the enforcement of policies regarding its use, including the copying of data to mobile devices. However, data loss prevention is not enough on its own to ensure the safe use of data on mobile devices. One of two approaches to the use of data on mobile endpoints must be adopted. The first is to stop data ever being copied to them in the first place.
This approach involves only allowing access to sensitive data that is stored centrally, either through the use of virtual desktops – such as Citrix XenDesktop and Microsoft Remote Desktop Services – or via a secure file-sharing service, for example, Trend Micro’s recently announced Safe Sync for Business or portal services such as Microsoft SharePoint.
If it is accepted that sensitive data will end up on mobile devices then a second approach to endpoint security must be taken, through the securing of the device itself. This approach involves encrypted storage.
Deploying and managing encryption has a cost, especially with a growing diversity of operating systems, and while encryption might sound like the only foolproof way of protecting data, it is not the be-all and end-all.
Remember that the devices are increasingly personally owned and therefore there are limits to what IT departments can do with them. Furthermore, encryption only protects stored data and data in transit.
Employees must be able to decrypt data to use it, and then it becomes vulnerable again. Other points of vulnerability arise when users select weak passwords or when strong policies result in passwords being written on a piece of paper that is kept with the device.
There is no silver bullet for securing the use of data. It involves implementing a number of measures that add up to a compliance-oriented architecture. The range of measures required will depend on how a business approaches IT and its attitude to risk.
However, when broaching the subject of investing in technology to increase the security of data, it is essential to point out the value that any given investment will bring to a business as well as the risk it will mitigate.