Brian Pennington

A blog about Cyber Security & Compliance

Is the concern for data protection making half of all employees less productive?

In 2010, the Visual Data Breach Risk Assessment Study revealed that two out of three working professionals display sensitive information on their mobile devices, such as social security numbers, credit card numbers and other non-regulated but sensitive company information, when outside the office. This suggests that in certain circumstances people value productivity over data protection when working. However, in circumstances where an individual values data protection, is the company potentially losing productivity due to visual privacy concerns?

The 2013 Visual Privacy Productivity Study, conducted by The Ponemon Institute, revealed that companies can lose more than data as remote working increases, with 50% of employees answering that they are less productive when their visual privacy is at risk in public places.

The Visual Privacy Productivity Study showed that employees are forced either to keep working and risk private data being overlooked by nosy neighbours, or to stop working altogether. Based on these findings, lost productivity due to employee visual privacy concerns is potentially costing a US business organisation with more than 7,500 people over $1 million per year.

“While many companies realise that snooping and visual privacy presents a potential data security issue, there has been little research regarding how the lack of visual privacy impacts a business’ bottom line,” says Larry Ponemon, Chairman and Founder of The Ponemon Institute. “As workers become more mobile and continue to work in settings where there is the potential for visual privacy concerns, companies need to find solutions to address productivity as it relates to computer visual privacy in addition to dealing with the fundamental security issues of mobile devices.”

The study surveyed 274 US individuals from 5 organisations in a variety of sectors. More than half stated that their visual privacy had been violated whilst travelling or in other public places such as cafes, airports and hotels, and two out of three admitted to exposing sensitive data on mobile devices whilst outside the workplace. When asked how their organisation handles the protection of sensitive information in a public location, 47% did not think any importance was put on this and that no adequate policies were in place.

Other interesting findings include:

  • Employees are 50% less productive when their visual privacy is at risk, and lost productivity costs an organisation approximately £350 per employee per year
  • Visual privacy affects transparency, as users that value privacy are less likely to enter information on an unprotected screen.
  • Women value privacy more (61%) than men (50%), and women’s productivity is more positively impacted than men’s when the screen is protected with a privacy filter.
  • Older employees value privacy more, with 61% of over 35s compared to 51% of under 35s placing importance on privacy.

“Productivity loss is a major discovery in this survey and will hopefully encourage companies across all sectors to consider employee working practices and behaviours,” said Rob Green, Marketing Executive at 3M’s Speciality Display & Projection Division.

According to the survey, the devices used for work-related activities were:

  • Smartphone 65%
  • Laptop computer 65%
  • Desktop computer 45%
  • Tablet computer 29%
  • Netbook computer 14%
  • Other 2%

The 2010 Visual Data Breach Risk Assessment survey revealed that visual privacy on computer screens was an under-addressed area in corporate policy. Seventy percent of working professionals said their organization had no explicit policy on working in public places and 79% said that their company had no policy on the use of computer privacy filters.

The 2012 Visual Privacy Productivity Study reinforced these findings:

  • 47% of those surveyed were unsure or did not think their company placed an importance on protecting sensitive information displayed on a screen in public places
  • 58% were unsure or did not think other employees were careful about protecting sensitive information on computer or mobile device screens in public places

Corporate policy, and education on that policy, continue to be areas for improvement as they relate to visual privacy.

The full study is very informative about how the sponsor’s (3M) privacy filters can improve productivity and reduce risk and can be read here.


The drivers for BYOD

In a recent F5 document promoting their BYOD solutions, F5 included an interesting section on the drivers for BYOD.

The F5 “BYOD Drivers” section is below.

In 2013, the mobile workforce is expected to increase to 1.2 billion, a figure that will represent about 35% of the worldwide workforce and many of those workers will be using their own devices.

People have become very attached to their mobile devices. They customize them, surf the web, play games, watch movies, shop, and often simply manage life with these always-connected devices. Those organizations that have implemented BYOD programs are reporting increased productivity and employee satisfaction at work.

The 2012 Mobile Workforce Report from enterprise Wi-Fi access firm iPass found that many employees are working up to 20 additional hours per week, unpaid, as a result of their company’s BYOD policies. Nonetheless, 92% of mobile workers said they “enjoy their job flexibility” and are “content” with working longer hours.

In addition, 42% would like “even greater flexibility for their working practices.”

Organizations have been able to reduce some of their overall mobile expenses simply by not having a capital expenditure for mobile devices and avoiding the monthly service that comes with each device. In addition, in some cases, BYOD implementations can brand the IT organization as innovators.

The flipside of the convenience and flexibility of BYOD are the many concerns about the risks introduced to the corporate infrastructure when allowing unmanaged and potentially unsecured personal devices access to sensitive, proprietary information. Applying security across different devices from multiple vendors and running different platforms is becoming increasingly difficult. Organizations need dynamic policy enforcement to govern the way they now lock down data and applications. As with laptops, if an employee logs in to the corporate data centre from a compromised mobile device harbouring rootkits, keyloggers, or other forms of malware, then that employee becomes as much of a risk as a hacker with direct access to the corporate data centre.

Mobile IT is a major transformation for IT departments that is deeply affecting every major industry vertical, and the effects will continue for years to come.

F5 data sources:

  • International Data Corporation (IDC), Worldwide Mobile Enterprise Management Software 2012-2016 Forecast and Analysis and 2011 Vendor Shares, Sept. 2012
  • Computerworld UK, “BYOD Makes Employees Work Extra 20 Hours Unpaid,” August 22, 2012

PCI Security Standards Council releases best practices for mobile software developers

During this week’s PCI SSC US Community Meeting, a demonstration of a mobile attack highlighted the need for more secure development practices in the mobile payments space.

The demonstration coincided with and supported the release of the new PCI Mobile Payment Acceptance Security Guidelines, which offer software developers and mobile device manufacturers guidance on designing appropriate security controls so that merchants can accept mobile payments securely.

The demonstration of the top mobile attacks was given by Nicholas J. Percoco, senior vice president of Trustwave’s SpiderLabs, and showed the threats to the security of payments over mobile acceptance devices, including malware and rootkits, jailbreaking vulnerabilities and SSL man-in-the-middle attacks.

“It is important that a best practice guide be developed, by the industry, to educate mobile app developers on methods of securing commerce transactions and the risks of not doing so,” said Percoco.

The PCI SSC formed an industry taskforce in 2010 as part of a dedicated effort to address mobile payment acceptance security. Since then, the Council has released guidance on how merchants can apply its current standards to mobile payment acceptance by addressing mobile applications with the Payment Application Data Security Standard (PA-DSS), and leveraging the PIN Transaction Security (PTS) and Point-to-Point Encryption (P2PE) standards to accept payments on mobile devices more securely.

The guidance for developers is the next piece of the Council’s work in this area. The document organizes the mobile payment-acceptance security guidance into two categories: best practices to secure the payment transaction itself, which addresses cardholder data as it is entered, stored and processed using mobile devices; and guidelines for securing the supporting environment, which addresses security measures essential to the integrity of the broader mobile application platform environment.

Key recommendations include:

  • Isolate sensitive functions and data in trusted environments
  • Implement secure coding best practices
  • Eliminate unnecessary third-party access and privilege escalation
  • Create the ability to remotely disable payment applications
  • Create server-side controls and report unauthorized access

“Applications are going to market so quickly – anyone can design their own app today that can be used to accept payments tomorrow,” said PCI SSC Chief Technology Officer Troy Leach in his presentation to PCI CM attendees. “It’s our hope that in educating this new group of developers, as well as device vendors on what they can do to build security into their design process, that we’ll start to see the market drive more secure options for merchants to protect their customers’ data.”

The Council has announced that in 2013 it will release further guidance for merchants to help them leverage mobile payment acceptance securely, while continuing to collaborate with industry subject matter experts to explore how card data security can be addressed in an evolving mobile acceptance environment, and whether additional guidance or requirements must be developed.

How to Secure Mobile Devices

Drew Robb, in his article “How to Secure Mobile Devices”, has created an excellent guide to thinking about the security of mobile devices, not just for consumers but for the enterprise.

The article is recreated below:

“More and more frequently, employees are linked to sensitive data via a number of different devices, providers, and operating systems,” said Will Hedrich, a security architect at CDW-G. “If laptops, tablets, and smartphones are left unattended for even a few minutes, you are at risk.”

Anyone can download an application for $50 to $150, for example, that will allow them to listen to phone conversations, listen to anything around that phone even when it’s not on a call, view the camera, swipe files from the phone, or access the corporate network. They can download, view, or listen to this information wirelessly using the phone’s public IP address, Bluetooth or Wi-Fi. After the program is downloaded onto it, the person would never know it is on his or her phone.

Recently, for example, an employee of a large enterprise left a smartphone in the car while shopping. The phone, which was stolen, contained the social security numbers and other personal information of company employees. Because the phone was not equipped with any security measures, the information was easily accessed.

Most company employees do not even have basic firewall or password protections on their phones, so they are risking this kind of data loss on a regular basis.

The financial consequences can be severe. The government fines companies $204 or more per piece of personal information leaked, such as a social security number, credit card information, and other personally identifiable information (PII) or payment card industry (PCI) compliance information.

“It is important to have a mobile management security strategy in place to prevent data loss and malicious attacks,” said Hedrich. “The strategy should extend to devices, the data center, and cellular carriers.”

He added that a comprehensive solution for locking down the mobile workforce did not exist until recently. Such solutions, now becoming available from a variety of vendors, should encompass a four-pronged approach.

Physical security

Devices accessing the network need data encryption and multi-factor authentication, which includes a user name, password, and a series of PIN numbers, such as a four-digit personal PIN and a six-digit code that is generated automatically and changes every minute. Device certificates are also important.
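The four-digit PIN plus a six-digit code that changes every minute, as described above, is what a time-based one-time password scheme provides. The Python below is an added example, not code from the article or from CDW-G; it assumes the RFC 6238 TOTP construction with a 60-second step (the article does not name an algorithm), and the secret, salt, PIN and timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60      # the article: the six-digit code "changes every minute"
CODE_DIGITS = 6
DRIFT_WINDOW = 1       # also accept the previous and next step to tolerate clock drift

# Constructed sample values for this illustration only; in a real deployment the
# shared secret is provisioned per device and the PIN verifier is stored server-side.
DEMO_SECRET = b"constructed-shared-secret-for-demo"
DEMO_SALT = b"constructed-salt"
DEMO_PIN = "4821"


def hash_pin(pin: str, salt: bytes) -> bytes:
    # A four-digit PIN has only 10,000 values, so a slow salted KDF plus server-side
    # attempt limiting (not shown here) are what make the stored verifier worth anything.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


DEMO_PIN_HASH = hash_pin(DEMO_PIN, DEMO_SALT)


def totp(secret: bytes, unix_time: int) -> str:
    """Six-digit code for the 60-second step containing unix_time (RFC 6238 over HMAC-SHA1)."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # RFC 4226 dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


def verify_code(secret: bytes, candidate: str, unix_time: int) -> bool:
    """Accept the code for the current step or one step either side, compared in constant time."""
    if len(candidate) != CODE_DIGITS or not candidate.isdigit():
        return False
    for delta in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1):
        expected = totp(secret, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


def verify_login(pin: str, code: str, unix_time: int,
                 pin_hash: bytes = DEMO_PIN_HASH, salt: bytes = DEMO_SALT,
                 secret: bytes = DEMO_SECRET) -> bool:
    """Both factors must pass. Both are always evaluated so that response time does not
    reveal which factor failed."""
    pin_ok = hmac.compare_digest(hash_pin(pin, salt), pin_hash)
    code_ok = verify_code(secret, code, unix_time)
    return pin_ok and code_ok


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("current code:", code)
    print("correct PIN and code:", verify_login(DEMO_PIN, code, now))
    print("wrong PIN, correct code:", verify_login("0000", code, now))
```

Because the step is 60 seconds, a code captured by a shoulder-surfer is only replayable for at most three minutes here (the window), which is why the PIN still has to be kept off the screen.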

Content security

If appropriate security protocols are in place, anyone trying to access information via the public IP address of an encrypted device will find that the information is completely scrambled. A combination of anti-malware, content filtering, encryption, data loss prevention (DLP) software, and intrusion prevention software installed on all devices will prevent unauthorized access to data.

“If a phone, tablet, or other device falls into the wrong hands, you want to be sure that data on it cannot be accessed,” said Hedrich. “Data encryption and multi-factor authentication are crucial to ensuring that only the authorized user can access the information on the device.”

Device management

Organizations should also set access levels and permissions for each person or group on the network, such as legal, marketing, IT, etc. These access policies control the data they can access via their devices and the functions they can perform remotely.

“Centralized device management allows IT to update access rights as well as roll out updates to operating systems and applications from one central console,” said Hedrich. “And, if a device is lost or stolen, the IT manager can wipe the device remotely to prevent data loss.”


Serious Disconnect Between Businesses and Mobile Users


McAfee have released their report “Mobility and Security: Dazzling Opportunities, Profound Challenges”.

“Devices are no longer just consumer devices or business devices. They are both,” said Richard Power, a CyLab Distinguished Fellow at Carnegie Mellon University, the primary author of the report. “Devices are more than extensions of the computing structure, they are extensions of the user. The way users interact with their personal data mirrors the way they want to interact with corporate data.”

Key Report Findings:

  • Reliance on mobile devices is already significant and accelerating rapidly; the emerging mobile environment is both diverse and freewheeling
  • IT is becoming increasingly consumerized as evidenced by the fact that 63 percent of devices on the network are also used for personal activities.
  • Lost and stolen mobile devices are seen as the greatest security concern for IT professionals and end-users – Four in 10 organizations have had mobile devices lost or stolen and half of lost/stolen devices contain business critical data. More than a third of mobile device losses have had a financial impact on the organization and two-thirds of companies that had mobile devices lost/stolen have increased their device security after this loss.
  • Risky behaviors and weak security postures are commonplace – Although the need for mitigating mobile security risks and threats is acknowledged, fewer than half of device users back up their mobile data more frequently than on a weekly basis. Around half of device users keep passwords, pin codes or credit card details on their mobile devices. One in three users keeps sensitive work-related information on their mobile devices.
  • There is a serious disconnect between the policy and reality – 95 percent of organizations have policies in place in regard to mobile devices
  • Mobile devices are being used by much of the workforce, over extended periods of time, for a significant percentage of tasks previously conducted on desktops.
  • On average, employees use mobile devices for work purposes between 2 and 4.5 hours a day. On average, use of laptops was 4.5 hours per day.

Mobile devices are used in a wide range of job functions:

  • Business executives using them most – 56%
  • Sales and others in the mobile workforce – 47%

Mobile phone usage

  • Email – 93%
  • Contacts – 77%
  • Web access – 75%
  • Calendaring – 72%

Four different types of mobile devices are used by at least one-third of employees both for professional and personal use:

  • Laptops – 72%
  • Smartphones – 48%
  • Removable media, including USBs – 46%
  • External hard drive – 33%

Almost Half of Users Keep Sensitive Data on Mobile Devices

                                                                           Passwords/PIN codes   Credit card details
Professional & personal information & data                                         23%                  19%
Only professional information & data                                               11%                   7%
Only personal information & data                                                   17%                  15%
I do not use, store or send this information or data using mobile devices          49%                  58%

Recommendations for Businesses

  • Mobility is ushering a new computing paradigm into the workplace. With devices eclipsing PCs and virtually every business application being device-ready, mobile computing offers an opportunity to make workers more productive, competitive, and happy. Mobility done right is a major competitive advantage in the workplace.
  • Consumerization of IT is here to stay. Many smart companies are allowing, encouraging, and, in some cases, providing a stipend for, employee owned technology to work. Businesses need to find ways to enable, secure, and manage employee-owned technology in an optimal way to drive cost savings.
  • Users are changing the way they think about policies. Because employee-owned devices are artifacts of the more entrepreneurial employee-employer relationship, organizations need to apply policies in a nuanced, risk-based way that depends on the industry, the role, and the situational context.
  • Data loss and leakage are of utmost concern to individuals and enterprises, and there is no silver bullet. Classify data, even at a high level, and apply data leakage processes and mechanisms in order to protect corporate data while respecting users’ privacy.
  • User awareness about mobile threats is still nascent. Apply security and management paradigms from laptops and desktops to mobile devices. Educate users about the risks and threats through employee agreements and training. “Businesses must find ways to protect corporate data, and call it back when an employee leaves, while ensuring the privacy of the employee,” says David Goldschlag, vice president of Mobility for McAfee. “Employees are no longer lifelong members of the organization, but rather consumers, who often change jobs every few years. When they do, they come with a kit of stuff, but once they leave, they need to give you back the data that belongs to the company. Businesses need a way to facilitate that process while respecting the ‘kit’ that the employee brings to the company.”

Recommendations for Mobile Users

  • You are part of a computing sea of change. With devices eclipsing PCs, and virtually every app device-ready, mobile computing offers you an opportunity to be entertained, informed and connected wherever you are. Use this to your advantage to be more productive on the go.
  • Driven by users’ desire for device choice and employers’ need for cost savings, individuals are increasingly bringing their own devices to work. Take advantage of your employers’ program and use your technology to be more nimble in your work.
  • Familiarize yourself with your employer’s mobile device policy and the intent behind it, and decide whether it fits your needs. If so, accept the policy and move on; if not, use two devices, one for personal use and one for work.
  • Take steps to secure your device. Install anti-theft technology, and back up your data. Configure your device to auto-lock after a period of time. Don’t store data you can’t afford to lose or have others access on an insecure device.
  • Be aware of mobile device threats. In many ways, they are the same as in the online world. You can be hacked, infected, or phished on a mobile device just as easily (and often more easily) as you can online.

The McAfee White Paper can be found here: http://www.mcafee.com/us/about/news/2011/q2/20110523-01.aspx
