Mobile Device Data Losses Pose Rising Security Risk: Survey

Organizations are increasingly becoming dependent on mobile devices, but they face big security challenges as lost or stolen devices compromise sensitive data.

Mobile devices are increasingly becoming a key security risk for enterprises as employees access sensitive company information using smartphones, tablets, laptops and netbooks. However, most employees are not thinking enough about protecting corporate data when using these devices, a recent survey shows.

One in three employees polled kept sensitive work-related information on their mobile devices, according to a report published May 24 by McAfee and Carnegie Mellon University. Even though 95 percent of companies have mobile-security policies in place to protect enterprise data, two-thirds of employees were not aware of their organizations' policies, the survey found. Most of the companies reported their employees do not understand how permissions and other access settings on their mobile devices work.

The mobile device problem goes both ways. While many employees use their personal devices to handle work-related tasks, such as accessing corporate email and viewing documents, nearly 63 percent of work-issued mobile devices were being used by employees for personal activities, the report found.

"Devices are no longer just consumer devices or business devices. They are both," said Richard Power, a CyLab Distinguished Fellow at Carnegie Mellon University and the primary author of the report.

The survey found that 72 percent of devices used for work were laptops, and 48 percent were smartphones. Just 10 percent of devices used by the respondents were tablets. Almost half of organizations said they were very reliant on mobile devices and 70 percent claimed to be even more reliant than they were 12 months ago.

BlackBerries are no longer the enterprise standard as businesses now operate in a "heterogeneous mobile environment," the report said.

The biggest mobile security concern for organizations was the fact that sensitive data was getting compromised when these devices were lost or stolen. About 40 percent of the companies participating in the survey have experienced the loss or theft of mobile devices and nearly half of those devices contained "business-critical data."

The loss of over 33 percent of those devices had a "financial impact" on the organization. The exposed sensitive data included user data such as contacts, phone logs, email, documents and text messages, and other data such as customer information, corporate intellectual property, financial documents and employment records.

"Data loss remains a huge problem for both consumers and businesses," said Todd Gebhart, executive vice president and general manager of the consumer, small business and mobile group at McAfee.

The study found that organizations are considering using location-based technology to track down lost devices. "It may provide a loss of privacy to the employee, but the increased recoverability of the device to the user," CyLab's Michael Farb said in the report.

Considering that banks can tell when someone is using a credit card in unusual locations and can take steps immediately, researchers were surprised that companies aren't using similar location-aware products to protect their data. Behavior monitoring combined with location can "significantly" strengthen mobile security.

"I find it disturbing that only 22 percent are using location now and that 30 percent are not even considering it," Martin Griss, director of the CyLab Mobility Research Center, said in the report.

Risky behavior and weak security measures are commonplace, the report said. Companies were concerned that mobile devices may introduce malware onto the network or that employees might share sensitive data in unauthorized ways. Fewer than half of users back up their mobile data more than once a week, and nearly half of users store passwords, PIN codes or credit card details on their mobile devices. One in three stored sensitive work-related information on their mobile devices, the report found.

Businesses need to be savvy about the risks involved with enterprise mobile use, set more nuanced policies, and provide increased education for employees so that they understand policies and why they are in place, the researchers concluded.

Over 1,500 individuals from 14 countries were included in the "Mobility and Security: Dazzling Opportunities, Profound Challenges" survey. The report focused on the consumerization of IT and its impact on security by looking at two perspectives: that of senior IT executives in companies with more than 100 employees and that of general "end users" with mobile devices in the workplace.