
Data security: the top threat facing enterprises today

By JourneyApps
Johannesburg, 19 Nov 2015

Mobile devices are ubiquitous and are enabling enterprises to be more productive and efficient than ever before. But they also pose a great threat to the data security of companies, as devices have access to sensitive information such as business plans, intellectual property and personal information. Enterprises have good reason to be concerned.

According to a recent survey conducted by IDG Enterprise, a whopping 63% of enterprises surveyed listed security as their top concern.

The biggest challenges with regard to ensuring and maintaining security of mobile data are:

* Data leak prevention (52%);
* Intrusion detection/prevention (48%);
* Managing access to data (48%); and
* Preventing data loss due to lost mobile devices (47%).

With so many threats to mobile security, it is understandable why many companies have been affected by data breaches. In a report commissioned by the security firm Lookout, almost three-quarters (74%) of the major firms surveyed said that they had suffered a mobile breach. It is therefore no surprise that the ability to meet security requirements is now a critical factor when evaluating possible mobile vendors.

Vulnerabilities of mobile devices

According to the Lookout report, the most common issues encountered by companies in the past were:

* Mobile apps that contained security vulnerabilities;
* Apps containing malware; and
* Unsecured WiFi connections.

A common cause of data breaches is the installation of malware. Phones are now more likely to be hacked than ever before, and if malware is opened, corporate data is exposed via the device. Malware can spread when employees download games, click on untrusted links or connect to free WiFi.

Device loss and theft is another cause for concern. Working remotely can greatly increase employees' productivity. Some enterprises issue employees with company devices, while others employ a Bring Your Own Device (BYOD) policy. BYOD policies not only save companies money, but they can also increase employee satisfaction, as employees sometimes prefer to work on their own mobile devices rather than on company-issued devices. BYOD also lowers the strain on IT departments as the responsibility for maintenance and upkeep lies with the employee. And the likelihood of employees working after hours also increases.

But putting devices into the hands of employees increases the risk of loss and theft, which can lead to a breach in security. Whether devices are company-owned or BYOD, they should be treated in the same way, from a security perspective, as desktop computers.

According to Forbes, enterprise IT departments still devote almost three quarters of their security resources to perimeter controls, and this is no longer the right balance. "People, devices, and data are the new perimeter," said Naresh Persaud, senior director of Oracle's security product marketing.

Mobile devices are more vulnerable and enterprises should apply security measures at device level, application level, and data level.

Alarming state of mobile insecurity

Nearly 40% of large companies, including many Fortune 500 companies, aren't taking the right precautions to secure the mobile apps that they build for customers. According to a study by IBM Security and the Ponemon Institute, organisations are poorly protecting their corporate and BYOD mobile devices against cyber attacks - and this opens the door for hackers to easily access user, corporate and customer data.

With a growing security threat, it is very concerning that so few companies conduct proper testing on apps that they build. The Ponemon Institute and IBM Security study looked at the security practices at over 400 large organisations and found that the average company tests less than half of the mobile apps that they build. Also, 33% of companies never test apps and 50% of organisations devote no budget towards mobile security. Companies spend more money after data is stolen than they are spending to secure data in the first place.

Among organisations surveyed, an average of $34 million was spent annually on mobile app development, but only 5.5% of this budget is being allocated to securing apps against cyber attacks before making them available to users.

According to IBM X-Force research, in 2014 alone, over 1 billion pieces of personally identifiable information were compromised as a result of cyber attacks.

Given the growing data security threat and the alarming state of mobile insecurity, it is no surprise that companies will be stepping up their investments in mobile security infrastructure over the next year.

Security best practices

There are many steps that enterprises can take to secure their data. When choosing a hosting solution, enterprises should choose a provider with world-class security measures and certifications for infrastructure-level security.

All cloud servers should have protections and access controls built in to ensure that no unauthorised access to data can occur. Data should be backed up at least daily, encrypted and stored off-site in a secure data centre.

Enterprises should also think carefully about who will have access to their data. Access and security policies for staff performing maintenance on infrastructure should conform with the highest industry security standards. Hosting solutions should make use of audit trails so that any data modifications are recorded and can be retraced.

Furthermore, servers should be equipped with firewalls to restrict network access, and they should be penetration-tested. Operating system upgrades, patches and infrastructure software updates should be applied on a regular basis.

Lastly, all communication between mobile devices and servers should occur over a Transport Layer Security (TLS) encrypted channel, and data should be protected in various states: at rest in the cloud, on the device, as well as in transit.

What if a device is lost or stolen?

One of the weakest links in the security chain is still the user. Luckily there are various ways to secure data if a device is lost or stolen, to ensure that unauthorised people don't get access to sensitive company information.

Enterprises can configure operating system level security settings on mobile devices. This includes requiring a user to authenticate using a PIN code every time the screen is unlocked, as well as wiping the device if a predefined number of incorrect PIN attempts is made. The entire file system can also be encrypted to make sure that unauthorised users don't get access.

Further recommendations

Enterprises can also use third party Mobile Application Management (MAM) or Mobile Device Management (MDM) services, or Dual Personas, to further increase security.

MDM is used to ensure that employees do not breach corporate policies and can apply virtual geographic limits for devices. This includes monitoring capabilities that allow enterprises to track and report on information about mobile devices across the enterprise, for both company-owned and BYOD devices. It also allows enterprises to remotely wipe data or locate devices.

MAM enables IT administrators to distribute, update and manage secure applications, as well as configure apps and provision users.

MDM and MAM solutions should install malware protection on the device that scans for viruses and quarantines affected applications and files on devices.

If companies do enforce a BYOD policy, they can use a Dual Persona Approach. This means on one device there can be a work persona for all work-related tools and communications, and a separate one for personal communication. Organisations can secure work-related content and comply with security policies, and also remotely wipe only work-related content. By doing this, the organisation respects the employee's privacy and can even create separate phone numbers for work and personal use.

Looking forward

Mobile devices are rapidly becoming productivity tools and have access to large amounts of enterprise data, and it could be catastrophic for a business if security is compromised. Various threats and vulnerabilities are appearing daily. Maintaining appropriate levels of data security will remain one of the biggest challenges for enterprises in the future.

To find out how JourneyApps protects your data, download their free white paper. To learn more about what JourneyApps does, visit www.journeyapps.com

JourneyApps

JourneyApps combines a world-class platform with highly trained and experienced engineers, to deliver flexible mobile solutions at lightning speed. It helps enterprises understand their mobile challenges, and build and deliver complete solutions for them so that enterprises don't have to worry about a thing.

JourneyApps' tailor-made solutions enable management to use mobile devices as tools to track and measure processes and performance in real time, in order to gain better visibility and control, and save costs.

Editorial contacts

Sarietha Engelbrecht
JourneyApps
sarietha@journeyapps.com