BreachExchange mailing list archives

Why employees are the biggest not-so-hidden threat to your business data


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 26 Mar 2014 18:58:06 -0600

http://www.appstechnews.com/news/2014/mar/26/why-employees-are-biggest-not-so-hidden-threat-your-business-data/

Which is the bigger security threat to your business: cyber criminals, or
your own employees?

Increasingly that question is being answered with the latter - and research
from EE out today has revealed that nearly 10 million devices were lost by
UK employees last year.

The survey of 2000 UK consumers, conducted by Vision Critical in March,
found that nearly one in five (19%) lost a device on a work night out,
while a further 16% of devices continued their journey on public transport
long after their owners had alighted.

Elsewhere, 12% of those polled said they had left a device in the back of a
taxi, while one in 10 (9%) employees admitted to losing their device in a
public toilet. Two thirds (63%) of devices lost were smartphones, compared
to 21% of laptops - not the sort of thing which just falls out of one's
pocket - and 10% for tablets.

The research calculated that four non-password-protected devices for every
10 people were lost - so multiply the 0.4 devices per person by
24,453,900 - the approximate number of employees who have access to
corporate data on their device (81% of 30.19m, the number of UK adults in
employment) - and you get an eye-watering 9,781,560.

Here ends the maths lesson. But it's an interesting piece of survey data,
even if the calculations are an approximation - and more proof to the CEO
about how dangerous their own employees could be when keeping company data
under wraps.

Enterprise AppsTech has presided over several industry reports over the
months, and a trend is certainly beginning to emerge. Earlier this month
Morrisons suffered a data breach due to an employee, which was covered
here. But it's deeper than that.

In July last year, a report from IT Governance revealed that for more than
half of CIOs, the greatest threat to sensitive company data came from their
own employees rather than external forces. A month earlier, a study from
Check Point put the number at nearer two thirds.

Even more worryingly, one in four US enterprise workers claimed there
should be no punishment for loss of company data as "data security [was]
not their responsibility", according to research from Absolute Software.

Worried? How about when the Royal Veterinary College broke the Data
Protection Act back in October - as detailed by the Information
Commissioner's Office (ICO) - after an employee lost a camera with
sensitive information of job applicants? With a nice line in irony, not six
months earlier the ICO had released a report warning of a 'laissez faire'
attitude amongst companies - fewer than three in 10 BYOD-friendly workers
had been given appropriate guidance and contingency, according to the ICO.

It can cut both ways. In July last year Aruba Networks released a paper
which detailed how employees don't trust their employers with personal
data. Ben Gibson, Aruba CMO, said at the time: "Employees resent the power
their employers now wield over their personal data, but are equally
concerned about keeping company data safe."

The latter point can't be underestimated. 94% of companies surveyed in the
Check Point report admitted that lost and stolen data was a "grave
concern." So what can be done?

Wouldn't you know it - EE is releasing a mobile device security product
alongside its survey results. The operator is getting into bed with
MobileIron to enhance its enterprise mobility play by unleashing the Super
Secure 4GEE portfolio offering security for a wide range and size of
companies.

There are three levels - from starter, providing basic email, Wi-Fi and
MDM, to enterprise providing more advanced MAM and functionality across IT
systems, and regulated for companies with the most secure data - legal,
financial and government. There's also an SME version, in partnership with
MobileIron.

Of course, other enterprise mobility management vendors are available and
the importance of mobility management, from the device to apps and content,
cannot be understated.

But don't forget to educate your employees, even if they don't like the
admin - which they won't - and offer continual feedback and dialogue to
avoid playing a messy and expensive blame game later on.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
