What’s the biggest threat facing modern-day businesses? According to a recent survey, it could be a data breach on an employee smartphone used for work.
A new study from Wakefield Research, commissioned by IT solutions firm Citrix Systems, Inc., reveals some startling statistics. According to the survey, a whopping 88 per cent of respondents don’t use a work-issued mobile device with appropriate security software installed to keep sensitive data safe. And another 61 per cent don’t have any response plan in place should a data breach occur.
According to Kevin Lonergan, infrastructure solutions analyst at IDC Canada, this is a common issue for many organizations. He says business users don’t implement enterprise mobility management (EMM) solutions in order to keep mobile devices Additionally, many employees don’t bother to install basic security functions on their devices, such as setting up passwords or biometric identification to lock smartphones. And with more businesses adopting a bring your own device (BYOD) policy or simply not implementing such security software on work-issued devices, breaches of sensitive data can become very real.
“In today’s mobile workforce, employees access corporate networks and resources through external networks using their personal devices,” said Lonergan. “Once a user is outside of the corporate network, the threat landscape they’re exposed to increases greatly. The reality is that at the end of the work day, every employee becomes a consumer, but they still have access to corporate applications like email.”
Kurt Roemer, chief security strategist at Citrix, said another error in judgement he sees many businesses make is downloading consumer-grade apps to solve immediate problems. But opting for a quick fix from the App Store versus an enterprise-level solution can really hurt businesses in the long run.
“IT has a lot of rigorous processes that they use to get new applications and new services up and running, but line of business managers are often focusing very myopically on the need of the day,” says Roemer. “Line of business users can basically go out and buy their own IT these days. What’s often seen as a great way to get new projects up and running and maybe even save some money and keep from dealing with IT … [but] one of the biggest problems is that line of business managers will oftentimes choose a solution that’s really specific to their department or their immediate need and not be thinking longer term about how is this going to grow, what are the security policy/contractual needs, other things like that that can add up to a lot of costs and liability over time.”
He offered the example of Evernote, a popular note-taking app that syncs notes and lists across devices via the cloud. Doctors, lawyers, human resource managers and C-level execs often jot down sensitive information in note-taking apps like Evernote, and the only thing standing between that information and a potential hack is the password protection set up on their smartphone — and he says that’s simply not enough.
One reason businesses often butt heads with IT (or circumvent its procedures altogether) is that not all IT measures are user-friendly.
“If a user’s security policy has a negative effect on productivity, then an organization can expect users to circumvent the policy leading to greater security risks,” said Lonergan.
Roemer added that many IT pros seem to have an automatic “no” setting when business users make queries on adding new software or features to their existing networks.
But all is not lost when it comes to the relationship between IT and business users. In spite of engaging in these dicey behaviours, there are steps businesses (and employees) and IT can take to work together to minimize security risks. Education is one key step, as many people are unaware that their behaviours are putting their business data at risk.
Roemer offered several other key recommendations to bring businesses and IT back to the same page when it comes to security:
- IT professionals should get out there and understand why businesses are bypassing their procedures.
- Help educate business users about their risky behaviours. More often than not, they don’t understand that their habits could lead to security issues and make their company liable down the road. A little training can go a long way toward addressing these kinds of bad habits.
- When business users make a query, respond with “yes, but…” rather than automatically saying no. Only respond negatively when their suggestion could damage the business or cause security issues.
- Strike a balance between enterprise-grade security and a consumer-like experience. IT can work with business users to find solutions that offer both, as well as incorporate other functions that make business users’ lives easier (like single sign-on to access networks, software, etc.).