The results of a recent survey by Utimaco, a company that offers data security solutions, show a worrying lack of commitment to the protection of data during time that it spends outside the organizational data center environment. This clearly illustrates the importance of implementing appropriate security policies that cover all organizational data storage and usage.
Utimaco’s research shows that, of over 1,100 business users of mobile data, fewer than 20% protect data with encryption or passwords, or in fact implement any protection except in exceptional circumstances. Worst of all, security guidelines have only been defined in 7.3% of respondents’ companies, which were primarily in the telecoms & IT (27.9%), financial (14.9%), and public services (12.3%) sectors.
Utimaco’s survey results identify a major discrepancy, in that 82.5% of respondents consider the protection of the information on their storage or memory media to be important, but this proportion also equates to the number whose devices are all unencrypted, or only partially encrypted.
Furthermore, 72% of the survey’s respondents said that they use at least two personally managed storage devices for their organization’s information, and over a quarter admitted to having lost at least one such device.
The majority of respondents (95.6%) use USB memory sticks as mobile data media, with 52.3% using memory cards. The purpose of the devices was to exchange data with other people for 85.9% of respondents, and almost two thirds (62.9%) valued the technologies’ capabilities as readily available back-up. The content stored was revealed to be fairly important, from an organizational viewpoint, by fair numbers of respondents, such as the 31.8% who admitted storing customer information, the 26.3% who stored financial figures, and the 26.6% who stored contract details.
One should step back from concerns over this survey’s results to consider, briefly, how security requirements have changed over the last five years or so. In that time, a significant proportion of those in organizational roles that require frequent working with information have been unshackled from their formerly fixed locations, where they were permanently coupled to, and dependent on, the corporate network for the vital information they need. However, in unlocking the benefits available from mobile working, data security is a critical consideration, neglected at the organization’s peril.
Partly due to mobile working, but also to increased access to the heart of organizational applications and systems by internet-based customers, and partner organizations, implementing IT security at the organization’s perimeter is no longer an adequate objective. When corporate information is readily transferable and can be stored outside the firewall, such as on laptop hard drives, PDAs, memory sticks, and disks, it needs to be protected securely, regardless of location, or storage technology.
Any organization now needs to establish a security policy that is information-focused and covers all data storage and usage – and also goes further, and equips end users to be able to implement and comply with such a policy, without undue effort or technology awareness.
Organizations are done a great disservice if, having taken great pains to identify where value lies within their information, this is neglectfully delivered to parties other than they would wish. Mobile working has contributed to more ready creation of such value, in allowing employees the freedom to take information with them while they extend organizational influence to people and companies outside the office environment.
However, this obviously also creates opportunities for hasty or ill-informed information security practice in an environment that can be outside the rigid control of corporate IT.
Employees should have access to technology that ensures that they, as well as information, are proactively protected by their organization’s security policy, rather than later revealed to have been unaware of it, or unable to implement it.
Source: OpinionWire by Butler Group (www.butlergroup.com)