Jon Fielding, Managing Director EMEA, Apricorn
Organisations increasingly acknowledge that it’s their employees who pose the greatest threat to data security, particularly when they’re working on the move. People carry corporate and personally identifiable information (PII) outside the workplace – and its enterprise security controls – every day on mobile, portable and removable media devices, exposing it to loss or theft.
Businesses are not in the dark about the risks. In an Apricorn survey, 29% of organisations said they had suffered a data breach as a direct result of mobile working, while 44% expect that their mobile workers will expose the business to data breaches at some point.
It might be tempting to reduce the attack surface by pulling up the drawbridge: clamping down on flexible working and limiting the use of mobile and cloud platforms for work purposes. Swimming against the tide of evolving work practices will be counterproductive, however, serving only to stifle collaboration and undermine efficiency.
By putting users at the centre of a mobile security strategy, organisations can control, monitor and securely manage data when it’s outside of central systems without compromising availability.
This should begin with identifying the specific risks the business is exposed to from mobile working, and finding any gaps in the security strategy. Carrying out a data audit at this stage will provide visibility of all the information the organisation holds, how it’s used, who is authorised to access it, when and why, and the security controls that are applied to it at the different stages of its journey.
Policies and processes should then be updated to address any chinks in the organisation’s armour, with new ones created and enforced as necessary. The mobile and flexible working practices employees are required to follow must be clearly set out, along with the types of device allowed by the business and how they must be used. Apricorn’s survey found that one in 10 companies do not currently have policies that cover storage devices such as USBs, or remote working and BYOD. Policies need to be simple to understand and comply with, to ensure buy-in from users.
It’s essential that employee training programmes cover not only the rules employees are expected to follow, but also the value of the data they work with, the risks and consequences of insecure mobile working, and their responsibilities around protecting information. As well as reducing the likelihood of people inadvertently exposing data to compromise, this will increase engagement and accountability.
By combining education with encryption, the threat from human error can almost be eliminated altogether. Mandating the use of a straightforward corporate standard mobile storage device that features strong hardware encryption, for example, will render information inaccessible to anyone who steals the device or picks it up.
The best tools and processes in the world won’t prevent data loss without culture change, however. The key to turning employees from a security risk into a security asset lies in building a culture of accountability across the whole business. Awareness training, together with leaders who set an example, will help to build an organisation of data security champions who understand – and are committed to – their role in protecting the information they handle.
Come and meet Apricorn at stand P60 at Infosecurity Europe, June 5-7th, Olympia, London