A new study commissioned by global ICT services provider Dimension Data has found that over half of organisations in the UK allow employees to bring personal mobile devices such as iPads and smartphones to work, despite knowing that such devices could make their networks insecure.
The independent study into data loss prevention in UK businesses found that 84% of CIOs and IT managers of large UK organisations know that user-owned devices — such as iPads, tablets, laptops, or smartphones – represent an important, growing security risk. Yet, over half (51%) allow the use of such devices for work.
The report comes when governments and large private businesses across the world are calling for a coordinated fight against the fast growing cyber attacks.
Moreover, the study shows that an alarming 39% of the businesses that allow user-owned devices for work do not use encryption to protect the corporate data on them.
The report also reveals that 82% of respondents agree that opening up corporate data to employees to support mobility and productivity significantly increases the risk of serious, damaging security incidents.
Yet around one in five (17%) of organisations that support remote or mobile working do not have anti-virus protection on their mobile devices, and a third (34%) lack anti-spam software.
The study, conducted by Vanson Bourne on behalf of Dimension Data, involved a representative sample of IT decision makers (CIOs, IT Directors, IT Managers, etc.) from UK businesses with over 500 employees. The 200 respondents were surveyed in February and March 2011.
Dimension Data UK security business manager Chris Jenkins said too many businesses are leaving the door to their corporate data wide open, so it’s no surprise our study shows that the biggest cause of data loss is via accidental loss by employees.
Jenkins said, "If you allow employees to connect their own devices to the corporate network, you have to accept that company data will be stored on them when the user leaves the premises."
Jenkins also warned that mobile devices are easy targets for cyber criminals.
Jenkins said, "High-value smartphones, laptops and tablets are prime targets for thieves and can be compromised by malware, potentially making it easier for attackers to steal logon credentials, account details or commercially sensitive information."
"Unless you have plans to protect data against this threat, by using security measures such as encryption, you’re risking accidental or even malicious losses."
A recent global study found that 95% of respondents use at least one self-purchased device for work.
"Completely unmanaged mobile devices connecting to the corporate network are obviously a greater security risk than sanctioned, managed devices," says Jenkins, "so their growing presence at work makes this issue even more critical."
Experts say that businesses must use encryption as a primary safety measure and then go for advanced measures to secure their network.
Analyst firm Frost & Sullivan global program director Rob Ayoub said, "Businesses need to go back to basics, and deploy primary security measures such as encryption and up to date security policies, as a matter of urgency."
"However, they are only part of the solution: businesses will need to consider more advanced measures, such as port control and Network Access Control (NAC), to mitigate risks including the accidental or malicious dissemination of data from devices while they are still in the possession of the employee," added Ayoub.
Dimension Data’s Jenkins said that it is possible for organisations to strike a balance between data security the productivity benefits of allowing employee-owned devices at work.
"It’s a matter of balancing the employee benefit of using their device for corporate access against the business requirement for data security. For instance, a business could supply encryption software free of charge to the employee on the basis that they accept that the business retains the ability to remotely wipe the device if necessary," Jenkins said.
Last month, managed services and cloud computing service provider Advanced 365 had said that employees can use their personal IT devices at work without compromising their organisation’s security. The company said cloud computing applications can provide employees with a secure and effective means to do so.
Recently, researchers from technology security company McAfee released a report which said that while an increasing number of consumers use mobile devices for both business and personal activities, most of them are unfamiliar with their employer’s corporate policy on the use of mobile devices.
The study conducted in collaboration with Carnegie Mellon University found that 63% of devices on organistion’s network are used for personal activities as well.