Infosec 2012: Poor mobile security exposes UK firms to massive risk, study shows

UK organisations are running IT security risks by failing to respond to the trend of employees using their own mobile devices for work

UK organisations of all sizes are opening their IT systems to security risks by failing to respond to the trend of employees using their own mobile devices for work, a study has revealed.

Only 39% of large organisations encrypt data downloaded to smartphones and tablets, according to the preliminary findings of the 2012 Information Security Breaches Survey by PricewaterhouseCoopers (PwC) and Infosecurity Europe.

The survey of security professionals at more than 400 organisations found 75% of large organisations and 61% of small businesses allow staff to use smartphones and tablets to connect to their corporate systems.

Yet only 39% of large businesses encrypt data on those devices; among small businesses the figure falls to 24%.

A substantial 82% of large organisations and 45% of small businesses reported security breaches caused by staff, while 47% of large organisations and 20% of small businesses said staff lost or leaked confidential information.

The survey shows that the use of personal devices is creating new security threats, ranging from malicious software to data loss. Organisations that allow personally owned devices tend to have weaker controls than those that allow corporate-owned devices only.

Chris Potter, PwC information security partner, said that, with the explosion of new mobile devices and the blurring of lines between work and personal life, organisations are opening their systems up to substantial risk.

"Smartphones and tablet computers are often lost or stolen, with any data on them exposed. Mobile devices can literally drill straight through your security defences, if you’re not careful," he said.

However, the survey shows organisations are not responding to these new challenges. "Just as we saw a decade ago with computer viruses, companies are slow to adjust their controls as technology usage changes," said Potter.

It is vital for organisations to tell their staff about the risks, he said, otherwise employees could inadvertently become a significant security threat.

"It's clear how important smartphones and tablets have become. As confidential data is increasingly stored on them, the chance of data breaches increases," he said.

Some 54% of small businesses and 38% of large ones do not have any kind of programme for educating their staff about security risks, the survey found. Only 26% of respondents with a security policy believe their staff have a very good understanding of it, while 21% think the level of staff understanding is poor.

Three-quarters of organisations whose security policy is poorly understood admitted having staff-related security breaches in the past year.

One in seven organisations that give a high or very high priority to security have not written down their policy. Most of these are small businesses that rely on word of mouth instead, and only a third of them think their staff fully understand the policy.

Companies that have invested in staff awareness training are reaping the benefits: they are four times as likely to have staff who clearly understand the security policy, and half as likely to have staff-related security breaches, as organisations that do not train their staff.

Potter said that setting out a written security policy is essential to ensure staff know what risks to look out for, how to handle data appropriately and what to do if a breach occurs.

"The root cause of security breaches by staff is often a failure by organisations to invest in educating staff about security risks. Yet organisations are failing to promote a culture of security awareness, so staff are often unaware of the risks they're posing," he said.

According to Potter, breaches often occur through ignorance rather than malice. "Having a security policy by itself does not prevent breaches; staff need to understand it and put it into practice," he said.

Full results of the survey will be presented by PwC on 24 April at Infosec Europe 2012 in London.