Today many employees store confidential corporate data and applications on their smartphones, tablets, laptops, or all of the above, regardless of whether these mobile devices are personal or company-issued.
Whether it’s a company laptop that occasionally moves between the office and the employee’s home, or a personal smartphone that accompanies its owner everywhere from their local coffee shop to their annual two-week vacation, chances are there’s a lot of corporate data regularly leaving your office.
If your business has a BYOD policy then keeping control of your corporate data may already be a challenge. However, if one of your employees leaves their mobile device in a taxi or a public bus, then you’ll have no idea who has access to your confidential company data – or how they plan to use it.
In this article we’ll be examining why a single lost or stolen mobile device could spell disaster for your company, before sharing 5 steps you can take to reduce the threat that a single misplaced device poses to your business.
Are strangers walking away with your data?
Portable devices such as laptops, smartphones and tablets pose a serious threat: not only does your typical employee’s mobile device contain significant amounts of corporate information, but mobile devices are at an increased risk of getting lost or stolen.
Public transport is one of the most common places where people misplace their mobile devices – between April 2017 and April 2018 a startling 25,690 mobile devices were lost on the tubes, trains and buses of London alone.
No organization is immune to the threat posed by lost and stolen mobile devices. According to figures released under the Freedom of Information Act, government staff in the UK lost more than 600 laptops, mobile phones and USB sticks within the span of four years, with the Ministry of Defence being amongst the worst offenders.
According to threat researcher Dick O’Brien, putting security measures in place now can ensure that even if an employee’s device is stolen, a third party won’t be able to leak, share or sell the information contained on that device:
“The loss of a device is never good. The outcomes can range from embarrassment and reputational damage at best and the loss of confidential or even classified information at worst. Just how bad the outcome is depends on the level of security of the device.”
So, what steps can you take to ensure that a single misplaced device doesn’t become a huge security breach?
1. Plan for the worst case scenario
According to research by EE, one in six people have left their mobile devices on public transport. With your confidential corporate data at risk, it’s essential that you prepare for at least one of your employees to misplace a personal or company-issued mobile device.
By creating a clear company policy for managing a missing mobile device, you can be confident that your staff will know the exact steps to take to protect your corporate data.
When creating your policy, you should stress the importance of reporting a misplaced device – even if you have all the tools required to secure a device, these will be completely useless if your staff never report the device as missing. A recent study by Kaspersky revealed that only half of employees report the loss of a device within one day, which is plenty of time for a third party to access, leak or even sell your data.
Your policy should also explicitly state that employees should report any misplaced personal device that contains corporate data or applications. When you lose a personal device, contacting your employer isn’t many people’s first thought – without guidance, your employees are far more inclined to contact their service provider, cancel their mobile contract, or examine the small print on their mobile phone insurance, rather than contact you!
All staff members who are responsible for securing a misplaced device should also have access to a clear, step-by-step plan of action. When your corporate data is out in the wild, acting quickly is one of the most effective ways to reduce the risk of a data breach, and a predefined policy can mean the difference between your staff remotely wiping the device within minutes, or calling a lengthy meeting where they can debate how to manage this crisis.
2. Choose technology that offers encryption as standard
Even if a third party does manage to gain physical access to a misplaced device, encryption can make it far more difficult for them to access the information stored on that device.
To illustrate this point, let’s compare two high-profile cases of misplaced equipment, and how encryption completely changed the outcome of these events.
In 2007, the head of HM Revenue and Customs (HMRC) was forced to resign after discs containing the bank account numbers, names, addresses, and National Insurance numbers of 25 million Britons were “lost in the post.” This data was not encrypted, which put nearly half of the UK’s entire population at risk of financial fraud.
“If evidence emerges that the data fell into criminal hands, the UK banks may be forced to close the 15 million accounts and issue new ones at an enormous cost to them and a major inconvenience for their customers,” warned Avivah Litan, vice president at Gartner Research.
Ultimately, no evidence emerged that the discs had fallen into the wrong hands, although victims of the breach were warned to carefully monitor their bank accounts, and the breach resulted in the resignation of HMRC chairman Paul Gray. Shadow chancellor George Osborne has also gone on record to state that this event was the “final blow for the ambitions of this government to create a national ID database” as “they simply cannot be trusted with people’s personal information”.
When equipment is lost, encryption can significantly reduce the damage to your company’s reputation, and minimize the legal and financial fallout. The value of encryption is perfectly illustrated by another high-profile data breach, where a member of the public took a recently purchased second-hand laptop in for a service, only for computer repair staff to discover a confidential Home Office disc inside the laptop.
While this event did make the headlines, the breach could have been much worse: all the data on the disc was encrypted, and was therefore protected against unauthorized access.
By opting for technology that offers complete volume encryption, file encryption, and mailbox encryption, you can be confident that even if a third party does gain physical access to misplaced equipment, they’ll be unable to access your data.
3. Implement Mobile Device Management policies
When a device containing confidential company data goes missing, it’s crucial that you secure that device as quickly as possible.
Even with corporate policies in place, your employees may not realise their device is missing until it’s too late. In 2000, a secret service official famously mislaid an MI6 laptop following a drinking session at a London tapas bar, and didn’t realise their laptop was missing until the next day – plenty of time for a malicious third party to access MI6 secrets!
Why wait for your employees to realize their device is missing, when you can use technology to detect suspicious activity and then automatically lock or wipe their device for them?
Office 365’s Mobile Device Management (MDM) provides exactly this functionality, allowing you to create policies that wipe confidential company data from a device following multiple failed sign-in attempts – potentially, your sensitive data could be deleted before the device’s owner even realises it’s missing.
You can also use MDM to enforce security standards that all employees must meet before they can access corporate data and applications on their devices. For example, you might create a rule that checks that a device is encrypted before permitting access to sensitive data.
For a more in-depth look at Mobile Device Management, check out our 6 ways to keep your corporate data safe.
4. Go beyond a PIN or password-based security system
Based on the results of an online survey, Vision Critical estimate that almost 10 million devices are unprotected – and all of these devices have access to corporate data.
Even advanced security software such as Mobile Device Management will have little effect if a third party can unlock one of your employees’ devices simply by swiping right!
If your employees access any corporate data on their mobile devices, then as a minimum these devices must be protected by a complex, secure and unique password or PIN. However, at Systems Assurance we believe that password or PIN-based security systems cannot offer businesses the level of protection they need, and we advise all our customers to implement Multi-Factor Authentication (MFA).
By implementing MFA across your entire organization, you can ensure that even if a third party does manage to get their hands on a misplaced device and password, they’ll still need to pass at least one additional security check, such as answering a phone call or completing biometric authentication.
Ready to learn more about MFA? Then check out BYOB is putting your business at risk.
5. Provide employees with secure, sanctioned applications
If you don’t provide your employees with the mobile apps required to complete their work successfully, then they’ll be tempted to use alternative apps, and there’s no guarantee these applications will be secure!
Research from Positive Technologies found that around 76% of mobile applications store data insecurely. If an employee has one or more insecure apps installed on their device, then this is a potential vulnerability that a third party could use to gain access to that device – and all of your corporate data.
To reduce the chances of your employees resorting to insecure apps, it’s essential that you provide them with easy access to secure, enterprise-grade applications. At Systems Assurance, we believe that a complete, integrated productivity suite such as Office 365 is the most effective way to ensure your employees have access to all the features they need, while also delivering the highest level of security.
Want to learn more about how Office 365 can help protect your corporate data, even in the worst case scenario where an employee’s mobile device is lost or stolen? To help organizations choose the software that’s right for them, we offer free, no-obligation appointments with our team of specialist engineers, who’d be happy to talk through your unique requirements.