Corporate data left unprotected in the wild
A new survey conducted by YouGov has highlighted the risks to corporate data from poor encryption, and employee use of unauthorised and inadequately protected devices. The survey of British office workers found that 42% use devices not provided by their employer to work with corporate e-mails and files. Half (52%) also use personal online accounts, such as Enterprise File Sharing Services (EFSS), to store or access work files – with only 34% saying they have never done so.
Office workers claim to use a wide range of personal devices to store or access work files and systems including laptops (30%), smartphones (22%) and USB Storage devices (17%). The top three personal online accounts used by office workers to store and access work files are Hotmail (14%), Gmail (13%) and Dropbox (10%).
Yet these personal devices often lack the same level of security that an enterprise would employ, putting corporate data at risk. For example, only 52% of respondents protect all their devices with up-to-date security software.
Although it is the employee’s responsibility to protect personal devices, employers need to do more to control and protect the way in which corporate data is moved. Otherwise, data leaves the organisation without the correct security controls in place – ultimately it should always be under the protection of the organisation, even when it exits the firewall.
Limited protection can lead to data loss
Only 18% of office workers surveyed said their employer always encrypted the files accessed through personal devices or stored on personal online accounts. Working on data remotely helps employees be flexible and productive; however, one of the most common ways for data breaches to occur is through the loss of a device.
An unprotected device with unencrypted corporate data may include credit card, medical, or other personal customer data, as well as sensitive corporate data and systems, open to use by unauthorised individuals. Such losses and limited protection can lead to identity fraud and a company failing to meet the standards expected by regulators.
The EU General Data Protection Regulation (GDPR) will apply from 2018 to UK companies that are ‘controllers’ or ‘processors’ of European personal data, regardless of the UK decision to leave the European Union. There are stringent rules on the management of personal data, and hefty fines for failures that lead to a breach, accidental or otherwise. Personal data will include identifiers such as account numbers and even IP addresses.
“IT departments need to consider carefully how they strike the balance between giving employees the flexibility they need, and ensuring the security of corporate data. Achieving that requires a combination of software and employee education, to help improve personal IT habits that are out of control of the workplace. This is one of many areas where encryption can play a key role, protecting data stored in the cloud and on remote devices, on personal as well as corporate accounts. Encryption remains the last line of defence, when an online account is breached or a device lost,” said Mark Hickman, Chief Operating Officer at WinMagic.
Passwords still a risk
Recently publicised data breaches are just a few of the examples that have led to millions of usernames and passwords getting into the hacking community. With 26% of office workers admitting they use the same password for some of their work accounts and personal online accounts, hackers are gaining direct access to both employer and personal accounts. 5% stated they use the same passwords for all work and personal accounts.
Despite admitting the failings of their home security habits, 20% of office workers stated their company allows the use of personal online accounts and devices to access work files, if employees have adequate security software installed. A further 35% confessed that they should not use personal accounts and hardware at all according to their company policy.
Hickman continued, “Employees are simply trying to get their job done as efficiently as they can, but are often unaware of the risks they could be exposing their employer to. With effective device and encryption management strategies, IT departments can provide transparent and frictionless protection to data, without hampering the productivity of the workforce.”