Tag Archives: Bring Your Own Device

70% of financial companies suffer cyber security incident in last 12 months

New research conducted by data security company Clearswift reveals that 70% of financial companies have experienced a cyber security incident in the past year, highlighting the serious threat that both data breaches and malicious attacks pose to the UK’s financial sector.

The research, which surveyed senior business decision-makers within enterprise financial organisations in the UK, found that almost half of the incidents reported over the past 12 months originated from employees failing to follow security protocol or data protection policies. This threat was biggest in mid-sized financial companies (with 3,000-4,999 employees) with 52% of respondents citing employee failure to follow corporate data protection policies as their biggest issue.

In addition to this, it was found that further causes of cyber security incidents within the financial sector included the introduction of malware and viruses via third party devices, including USBs and Bring Your Own Device (32%), file and image downloads (25%) and employees sharing data with unintended recipients (24%).

“The financial sector is the lynchpin of the UK’s economy and a vital part of our nation’s Critical National Infrastructure, so it’s alarming to see such high numbers of security incidents within financial organisations,” said Dr Guy Bunker, CTO at Clearswift. “Unfortunately, in this day and age it’s a case of ‘when’ not ‘if’ a firm is breached so the financial sector needs to shift gears and speed up the innovation and deployment of effective data protection and threat mitigation strategies.”

The numbers associated with security incidents are in stark contrast with further findings from the survey which revealed less than a quarter (23%) of respondents had an adequate level of budget allocated to cyber security within the firm. Unsurprisingly, 73% of respondents would like to see some – if not a significant – increase in their organisation’s cyber security spending.

Bunker added: “Whether it’s an inadvertent mistake, a malicious insider or an external threat actor that causes a security incident, the ramifications of data loss are extremely serious for any organisation. For those organisations who hold citizen data and their financial information, there’s a need for extra vigilance to protect that data no matter where it’s stored, how it’s processed or what digital collaboration channels it flows through. Understanding the latest threats and the potential consequences from next generation attacks will help drive the business case for investment in new technology to mitigate the risks.”

He continued: “Cyber security needs to rapidly evolve and the budgeting process should take this into account. The threat which can bring down a company may not have existed three months ago. Financial organisations need to be able to respond immediately in order to protect their reputation. While many areas of securing a company’s data can be improved by educating employees and developing clear policies and processes, technology plays a key role in mitigating today’s biggest threats through automating and enforcing security protocols. This requires investment. Great information security is a positive business differentiator and a driver of growth.”

Filed under Risk Xtra

95% of UK businesses “still struggling” with mobile working as security of data continues to cause concern

Apricorn – the manufacturer of software-free, 256-bit AES XTS hardware-encrypted USB drives – has unveiled new research results highlighting that 95% of organisations surveyed in the UK recognise problems with mobile and remote working. Worryingly, nearly one-in-five (18%) suggest that their mobile workers don’t care about security.

All (ie 100%) of those IT decision-makers surveyed noted that they had employees who work remotely at least some of the time, with an average of over one third (37%) of staff members who do so. With an increase in the numbers of people working remotely, this means more data moving beyond the confines of the corporate network. Organisations need to ensure that any data – be it at rest or on the move – remains secure.

While many are taking steps to ensure their data is protected, for instance by implementing security policies for mobile working and Bring Your Own Device, just under half of respondents (44%) still agree that their organisation expects their mobile workers to expose them to the risk of a breach. Roughly one third (32%) say that their organisation has already experienced a data loss or breach as a direct result of mobile working, while 30% of respondents from organisations where the General Data Protection Regulation (GDPR) applies are concerned that mobile working is an area that will most likely cause them to be non-compliant.

53% cited the complexity and management of the technology that employees need and use as one of their Top Three biggest problems with remote working. Over half (54%) say that, while their organisation’s mobile workers are willing to comply with requests relating to security measures, employees lack the necessary skills or technologies required to keep data safe. Nearly one third (29%) take the radical approach of physically blocking all removable media, while a further 22% ask employees not to use removable media (although they have no technological means by which to enforce this).

“The number of organisations blocking removable media has increased compared with responses to the same question in 2017, when 18% said they were physically blocking all removable devices,” said Jon Fielding, managing director for the EMEA at Apricorn. “A unilateral ban isn’t the solution and ignores the problem altogether, while also presenting a barrier to effective working. Instead, businesses should identify corporately approved, hardware-encrypted devices that are only provided to staff with a justified business case for having such. The approved devices should then be white-listed on the IT infrastructure, blocking access to all non-approved media.”

Risk of data breaches

Despite strict security policies, mobile working can still leave organisations wide open to the risk of a data breach. Half (50%) of respondents admitted one of the three biggest problems with mobile working is that they cannot be certain their data is adequately secured. Only around half enforce encryption and are completely confident in their encrypted data in transit (52%), in the cloud (52%) and at rest (51%).

“While the new GDPR legislation requires the ‘Pseudonymisation’ and encryption of personal data, encryption isn’t a new concept, and keeping data secure has always been imperative to any organisation handling sensitive information,” added Fielding.

In conclusion, Fielding stated: “Organisations are simply not following security Best Practice. They need to implement and enforce policies and provide employee training to ensure compliance with the GDPR. Failing to put processes in place is putting confidential data at risk. Organisations now face the prospect of being fined even before a breach has occurred.”

Filed under Risk Xtra

Employees cost UK businesses £130,000 per annum in lost productivity managing passwords

According to new research conducted by Centrify Corporation (a leader in unified identity management across data centre, cloud and mobile platforms), poor password habits are not only placing employers at risk but also losing them hundreds of thousands of pounds in lost productivity every year.

The survey of 1,000 UK workers highlights that the average employee wastes £261[1] each year in company time on trying to manage multiple passwords. For an organisation with 500 staff on the payroll, that equates to a loss of more than £130,000 every 12 months.

“In our new digital lifestyles, which see a blurring of the lines between our personal and professional lives, we’re constantly having to juggle multiple passwords for everything from e-mail and mobile apps through to online shopping and social media,” explained Barry Scott, CTO (EMEA) for Centrify.

“According to the results of our extensive survey, over a quarter of us now enter a password online more than ten times each day, which could equate to 3,500 to 4,000 times every year. This is becoming a real challenge for employers who need to manage security and privacy concerns, and also for employees who are costing their companies both time and money.”

While around half (47%) of those employees questioned use their personal mobile devices for business purposes, one-in-three (34%) admit they don’t actually use passwords on these devices even though they keep office e-mail, confidential documents, customer contact information and budget details on them.

Centrify’s Infographic on Passwords

High on many people’s list of ‘most annoying things’, it seems that passwords are becoming the cause of major headaches. Centrify’s study reveals that forgetting a password for an online account is more annoying for individuals than misplacing their keys (39% of respondents), a mobile phone battery ceasing to work (37%) or receiving spam e-mail (31%).

One-in-six (16%) of respondents would rather sit next to someone talking loudly on their mobile phone, 13% would rather spend an hour on a customer service line and 12% would prefer to sit next to a crying baby on a flight than have to manage all of their passwords.

Multiple incorrect password entries

The Centrify research also shows:
• More than one-in-three (38%) employees have accounts they cannot access any more because they cannot remember the passwords
• 28% are locked out at least once a month due to multiple incorrect password entries
• One-in-five employees change their passwords at least once a month while 8% change them every week
• Most have little faith in password security – just 15% believe their passwords are ‘very secure’

With nearly half (42%) of respondents creating at least one new account profile every week – more than 50 per annum, in fact – the problems around password management will only worsen. In fact, 14% of employees quizzed believe they will have 100-plus passwords to deal with in the next five years.

Despite this, it’s believed that many employees already seriously underestimate the number of account profiles they have online, with nearly half (47%) believing they have just five profiles – although a quarter admit they harbour 21 or more.

Andy Kellett at analyst OVUM added: “When it comes to providing safe access to what should be highly secure business systems, the password model is no longer fit for purpose. It remains the primary security tool for businesses in environments where other authentication options should be considered. We used to go to work and stay in one place. Now we are just as likely to be working from a remote office, on the train or at home and simple passwords are neither robust nor secure enough to support secure remote access.”

Kellett added: “With today’s workforce also using social media and flexible remote tools and applications, we need to empower them to do this by allowing them to have more ownership of their identities and incorporate better, more balanced security measures that also improve productivity.”

Top 5 bad password practices

When asked what they do in order to remember their passwords, survey respondents stated that they:
(1) Always use the same password whenever possible
(2) Rotate through a variety of similar passwords
(3) Keep a written password in a master book of passwords
(4) Use personal information in a password
(5) Avoid using complicated symbols or combining upper and lower case

Barry Scott: Chief Technology Officer (EMEA) at Centrify

Top 5 password tips

To help employers, Centrify has compiled a list of top tips on effective password management:

• Educate staff about using passwords – make it a key part of your corporate security policy
• Make it easier for employees to work anywhere, any time by using technology that offers single sign-on capabilities (ie one click to access all of their work accounts and applications)
• With some mobile phones now providing both identity and access management capabilities, incorporate them as part of your BYOD (Bring Your Own Device) policy
• Create one profile for any corporate log-ins and then have privileges for individual employees within the one profile. Anyone who leaves the company can be removed automatically
• Think about replacing passwords with something much more intuitive like pass phrases.

The Widmeyer survey was developed to assess people’s engagement with – and their perception of – passwords in order to determine their efficacy in the workplace. The survey was completed in September 2014 with more than 1,000 participants in the UK and 1,000 in North America. Results were similar across both regions. The final results can be found at: http://www.centrify.com/Password-Survey

Reference

[1] Figure calculated by taking an average of the hourly rate of personal income from one’s job multiplied by the amount of time spent dealing with password management

Filed under Risk UK News

Hidden Security Dangers of the BYOD Phenomenon

Amir Lehr – vice-president of cellular products and business development at Cellebrite – discusses the business repercussions of sensitive data not being wiped from old mobile phones.

The thought of losing our mobile phone fills many of us with dread and fear. After all, we run our entire lives from these pocket devices.

Gone are the days of using our mobile phones exclusively for making calls, sending text messages and light Internet surfing. Now we keep all our personal information on them including text messages, contacts, e-mails, photographs and videos, birthdays, identification data and so much more.

To find that you’ve forever lost a sentimental text message from your husband or an old photograph of your grandmother would be devastating enough, but what if your mobile phone held valuable information belonging to the company you work for?

With many employees now owning a mobile phone used exclusively for work and others holding business information on their personal phones, their devices could hold anything including usernames, passwords, financial information and highly confidential data.

So now the devastation doesn’t just affect the individual, but the entire business.

While mobile phone security during use is important, it’s imperative to see security right through to the end

Bring Your Own Device: the risk factors

Bring Your Own Device (or BYOD) policies may allow employees to bring personally owned mobile devices (laptops, tablets and smart phones) to their workplace and use those devices to access company information. This phenomenon has taken the world by storm, but using private smartphones alongside professional handsets brings even more danger, especially as the refreshment cycle for consumer handsets is more rapid than that for work devices. Precautions must be taken at all stages.

As current developments indicate, our mobile phones could soon be used to control everything we do – from giving us access to our home, car, medical and financial records to being a communications hub for e-mail accounts, surfing the Internet and managing social media profiles. The potential for the business world is enormous, but with that comes an equally enormous level of risk.

Security breaches are commonplace these days and employees must do all they can to ensure they are not making such an incident easy, as many often overlook how much risk their mobile phone carries.

There are two main scenarios in which specific precautions need to be taken.

One sees the mobile phone being sent to a laboratory or workshop for critical repairs. Once the phone is out of its owner’s hands, it’s difficult to protect the data it contains.

The other is when a phone is traded-in for a newer model while the old phone – and all of its content – is left with the store or recycler.

In fact, research has found that between 54% and 60% of discarded or traded-in used mobile phones still contain the personal data of their previous owners.

One oversight can put a whole business at risk and, with all this highly sensitive information at stake, employers and employees alike should be advocating the need to protect themselves and company information from risk.

Many may be reassured by the fact that resetting the phone would dispose of some information. In fact, unless expert equipment is used, no deletion is permanent.

While mobile phone security during use is important, it’s imperative to see security right through to the end. Information will still remain on the phone even if you’re not using it unless it’s correctly wiped.

Filed under IFSECGlobal.com News