Employees using their own mobile devices for work leaves systems open to security risks, according to new research.
The preliminary findings of the 2012 Information Security Breaches Survey (ISBS) found that 75 per cent of large organisations (and 61 per cent of small businesses) allow staff to use smartphones and tablets to connect to their corporate systems.
However only 39 per cent (24 per cent of small businesses) apply data encryption on the devices.
A substantial 82 per cent of large organisations (and 45 per cent of small businesses) reported security breaches caused by staff and 47 per cent (20 per cent of small businesses) lost or leaked confidential information, showing this is not a threat they can ignore.
“With the explosion of new mobile devices and the blurring of lines between work and personal life, organisations are opening their systems up to massive risk,” said Chris Potter, PwC information security partner
“Smart phones and tablet computers are often lost or stolen, with any data on them exposed.
“However, organisations aren’t responding to these new challenges.
“Just as we saw a decade ago with computer viruses, companies are slow to adjust their controls as technology usage changes.
“It’s clear how important smart phones and tablets have become - as confidential data is increasingly stored on them, the chance of data breaches increases.”
The results of the study, written by PwC in conjunction with Infosecurity Europe and supported by the Department for Business, Innovation and Skills, will be revealed in full at Infosecurity Europe next week.
PWC says that personalisation is creating new security threats, from both malicious software and data loss, the survey shows, and organisations that allow personally owned devices tend to have weaker controls than those that allow corporate devices only.
The study found that 54 per cent of small businesses (and 38 per cent of large ones) don’t have any kind of programme for educating their staff about security risks.
Just 26 per cent of respondents with a security policy believe their staff have a very good understanding of it while 21 per cent think the level of staff understanding is poor.
Indeed, 75 per cent of organisations whose security policy is poorly understood had staff-related security breaches in the last year.
One in seven organisations that give a high or very high priority to security haven’t written down their policy; most of these are small businesses that rely on word of mouth instead, but only a third think their staff fully understands it.
PWC says that the companies that have invested in staff awareness training meanwhile are reaping the benefits – they are four times as likely to have staff who clearly understand the security policy and half as likely to have staff-related security breaches as organisations that don’t train their staff.
“Setting out your security is essential to ensure staff know what risks to look out for, how to handle data appropriately and what to do if a breach occurs,” Potter said.
“The root cause of security breaches by staff is often a failure by organisations to invest in educating staff about security risks.
“The survey results show a clear payback from security awareness programmes – education leads to greater understanding which in turn leads to fewer breaches.
“Unfortunately, the survey results also show that it often takes a serious incident before companies train their staff.”
The survey suggests that with their increasing dependence on social networking sites, organisations are targets.
Half of the organisations surveyed say they think social networking sites are important to their business, up from only a third two years ago, yet controls aren’t keeping pace.
Just 8 per cent of small businesses (and 13 per cent of large ones) monitor what staff post onto social networking sites.
“Given how important social networks have become over the last few years, it’s surprising how little the control techniques used have changed,” Potter added.
“Large organisations - especially in financial services - rely on blocking social media sites rather than monitoring their use while half of small businesses don’t even have basic web blocking and logging software.
“Many are opening up their systems but doing little to mitigate the risks.”