BreachExchange mailing list archives

The biggest threat to businesses is in their employees’ own hands


From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Tue, 15 Dec 2015 16:48:46 -0600

Companies everywhere spend a lot of time focused on outside security
threats like hackers and organised cybercrime groups. But the truth is that
businesses’ greatest threat is in their employees’ own hands: mobile
devices. The smartphones, tablets, and other tools that have become
integral to our lives—both professionally and personally—are betraying us.
Combating shadow BYOD needs to be every company’s next big priority.

We live in an age where we’re constantly juggling our different devices and
increasingly doing work on demand, calling up files on our phones in an
airport, on a tablet at a meeting, or on our laptops when we work from
home. I watched with interest as this shift in workplace norms took hold at
my own company and many others, and I’ve been fascinated to watch, for
years now, as sync-and-share services have evolved to make this change
nearly effortless. In fact, now working remotely and on devices is
something most of us take for granted. All our files are on all our devices
and in the cloud, ready to be accessed anywhere, anytime. That’s
great—until it isn’t.

It’s a commonly cited fact that lost or stolen mobile devices are one of
the primary causes of data breaches, but people still don’t appreciate the
risk. Just recently, Lahey Hospital was required to pay $850,000 and enact
a robust corrective plan for a HIPAA violation incurred after a laptop with
unencrypted information was stolen. More than 3 million smartphones are
stolen every year (and another 2 million are lost), and 40 per cent of
employees use personal smartphones and tablets for work purposes, so the
numbers add up.

The device problem is more complex than mere employee carelessness. While
popular cloud storage providers offer substantial security measures that
encrypt and protect files on their servers, they weren’t designed to
protect files synced to mobile devices. So when data does get pulled down
to devices, you’re on your own.

Every day, employees are syncing corporate files, patient records, and
company IP to their devices to work from home, prepare for presentations,
or meet with clients. If they even think about it (and to be honest, they
probably don’t), they likely assume the cloud provider’s security extends
to their synced files, too. It’s a reasonable assumption, but that
oversight leaves thousands of files exposed on the cloud—often unbeknownst
to their employers, who may not even be aware that this is a problem.

I’ve worked with many CEOs and CTOs in the healthcare, finance, and legal
industries, and they’re all curious about how to stop this plague. Data
breaches are reaching an all-time high—so what can businesses do about it?
Keeping a few practical steps in mind will make a world of difference
to your company’s security:

*1. Don’t crack down on the cloud, but find ways to protect it instead*

Denying your employees the ability to use mobile devices or sync files to
the cloud is only bound to backfire when they find backdoor solutions and
continue using the cloud anyway. Some 80 per cent of employees nationwide
use unapproved cloud software on their work computers or personal mobile
devices, which means that employers have no control over any of the data
that software’s being used for.

*2. Sanction an employee-preferred cloud provider*

Eliminating BYOD won’t solve your problem, but making sure your company’s
cloud use is consistent across the board will. Regaining control—without
being overly controlling—is the first step. And knowing how your employees
want to—and already do—use the cloud is vital.

*3. Secure the cloud on mobile devices and laptops*

Adding an extra layer of encryption to already existing cloud security does
the trick. Encrypting at the file level safeguards sensitive data before it
ever reaches the cloud and after it leaves it, meaning that when a file is
synced to a mobile device, it’s no longer vulnerable. More importantly,
mobile device loss or theft is no longer your business’ largest threat. The
files stay securely encrypted and only readable by intended users. It’s the
way encryption should always work, everywhere.

*4. Ensure you can block access from devices*

The ability to block device access with the touch of a button is an
important step to keeping company information safe. As soon as a device is
reported lost or stolen, an administrator at the office can block access to
it remotely. This is also key to keeping disgruntled ex-employees from
sabotaging or leaking company files (which is a real threat!). Bear in
mind, of course, that while wiping the data from a device can be
helpful—it’s also time-consuming, depending on how much data is stored
there. Revoking encryption keys, on the other hand, can be done instantly.

*5. Get end-to-end audit trails*

Keep an eye on company files by auditing who’s accessing files on any
devices your employees are using. This is one feature a cloud provider
won’t provide by default but that’s extremely useful. If you notice an
unauthorised user, you can investigate the situation, block access, and
stop a data breach before it’s too late.
By now, cloud usage in a workplace setting is
practically inevitable. But until this device problem is fixed and the
cloud can be used freely, mobile devices will continue to be a major risk.
As IT leaders, we can do better.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 