Smartphones and tablets are now as essential to most businesses as computers, allowing employees to access company data remotely at any time from almost anywhere. While these mobile devices are valuable when it comes to conducting business, companies need to balance the benefits of increased efficiency, mobility and accessibility with the increased risk of a data breach.
According to Dimensional Research, a survey of IT professionals throughout Canada, as well as in the U.S. and overseas, found that 89 percent of businesses have mobile devices connected to corporate networks. 65 percent of respondents said employees' personal mobile devices are also connected to corporate networks. With more people accessing sensitive information, security risks are also on the rise.
71 percent of respondents said mobile devices have contributed to increased security incidents, with much of the blame being attributed to employee carelessness. In fact, 72 percent of IT professionals said careless employees represent a greater security threat than hackers.
Customers are also put at risk through mobile devices, as 47 percent of respondents report that customer data is stored on mobile devices.
This risk can be even greater for small and mid-sized businesses. According to a survey from business software firm Sage, 78 percent of small and mid-sized Canadian businesses reported using mobile devices to access work-related information. Of this number, remote access is reported to have grown exponentially in the past year, with laptop use increasing 48 percent, tablet use 64 percent and smartphone use 78 percent.
"IT has spent years working on desktop security and trying to prevent data loss over web and email channels - but mobile devices are radically changing the game," said Tom Clare, senior director of product marketing management at Websense Security. "Tablets and iOS devices are replacing corporate laptops as employees bring-their-own-devices to work and access corporate information. These devices open the door to unprecedented loss of sensitive data."
The use of mobile devices to conduct business will likely only increase in the coming years, making it important for businesses to recognize the threats inherent in this technology and put policies in place to address them.
Lost or stolen mobile devices
Physically securing mobile devices, as well as the data stored on them, has and will continue to be difficult. In fact, lost or stolen devices present such a problem that the Canadian wireless industry has spent approximately $20 million to set up a blacklist database for mobile devices that have been lost or stolen, to prevent them from being used by criminals.
A recent report from Juniper Networks shows that mobile malware threats increased by a staggering 614 percent between March 2012 and March 2013, with more than 275,000 total malicious mobile applications targeting mobile devices. A device can be infected if a user unknowingly downloads a malicious application that has been posted to an app store.
Web-based threats include phishing scams executed via websites, email, text messages and social media as well as downloads that occur by visiting malicious websites or through a vulnerable Flash player, PDF reader or image viewer.
Minimizing risks from mobile devices
Businesses that have not done so already should create specific policies regarding mobile devices for both business and personal use. These policies should:
- Identify risks
- Describe how mobile devices connect to the network
- Detail the kind of company data that can be stored on a mobile device
- List tips and steps on how to protect mobile devices
- Provide instructions on how to report a lost or missing mobile device so it can be remotely disabled
While issues such as hackers and malware are usually associated with computers, they also pose a problem for mobile devices. This means that employees who use mobile devices to access the Internet should follow the same protocols as when they're using a computer. Additionally, regardless of whether a mobile device is used for business or personal use, if it connects to a company network, its security should be a priority. This means avoiding untrustworthy applications that could contain malicious software.
Businesses need to dictate how sensitive information can be accessed by employees. Important data should only be accessed by essential parties, which will limit the risk of security breaches and make it easier to track who is privy to sensitive information.
Businesses must also ensure that their networks are secure by:
- Implementing data encryption
- Strengthening passwords
- Protecting access from unauthorized individuals
Obtaining proper insurance coverage
Due to the increased use of mobile devices by employees, it is critical that businesses understand whether their insurance provides coverage for a data breach caused by a lost mobile device or by access derived from syncing a company's mobile device to an employee's personal computer.
According to Darren Caesar, an Executive Vice President and Chief Marketing Officer at HUB International Insurance Services, "If your company has a cyber insurance policy, it should be reviewed to determine whether the company has specific coverage for a data breach caused by employees' use of their mobile devices. These policies vary by insurance company and specific endorsements may need to be added."
Most cyber insurance policies cover the costs of:
- Investigation of the data breach
- Determination of the type of notification that must be provided to customers
- Crisis management and public relations firms
- Credit monitoring costs as well as remediation to correct the breach event
Speak with a HUB International broker to determine what kind of insurance solutions, such as cyber liability coverage, can protect your business from financial losses resulting from privacy breaches and security threats. HUB can also help you identify vulnerabilities and recommend steps to protect your company and your customer information.
Proactively identifying potential mobile device exposures and implementing the necessary security controls and enforceable policies will allow your business to mitigate its risk. Talk to your HUB broker today.