The explosion of powerful mobile devices over the past few years has put them front and center in a number of enterprises as employees begin to demand they be incorporated into the corporate workflow. Beyond smartphones, tablet computers have also begun to filter into the executive suites and business processes. According to a Forrester Research report, more than 112 million Americans will own a tablet by 2016.[1] With the rise of corporate “Bring Your Own Device” policies, employees are granted unprecedented ease and utility — but there is also a risk.
The push towards the use of mobile devices is part of a larger trend to integrate consumer devices, tools and services into business environments to better suit the needs of employers and employees alike. The positives of such devices from a corporate standpoint are plenty. Productivity demands on employees have increased over the last decade, partly due to layoffs and downsizing, and there is a growing expectation for employees to deliver any time, any place. Additionally, widespread connectivity, due in part to more corporations moving data to the cloud, and the rise of the mobile worker — employees who frequently work from a coffee shop or airport — have helped fuel this trend.
The result? More screens displaying more corporate data in increasingly public locations causing lingering concerns over security, audit and governance. So while the mobility of workers and the use of these devices can prove helpful to corporations, there are obvious risks that need to be addressed. One of the biggest under-addressed risks has been the visual privacy of these devices — protecting sensitive corporate data as it is displayed on screen.
Using mobile devices to access corporate resources greatly increases the risk of that data being viewed by prying eyes. The IT security community has long considered the issue of visual privacy important. Passwords are typically masked as they are typed to reduce the risk of being exposed to onlookers. However, many mobile devices actually remove this long-accepted feature by briefly unmasking each character as it is typed to help users verify accuracy. Additionally, a password is only a gatekeeper for sensitive information — if that information is then displayed in a public area, it could be exposed to unwanted viewers.
The new risks posed by mobile devices highlight the need for controls to help manage and mitigate the potential exposure of sensitive and regulated information. Important questions around legally protected information such as Personal Health Information (PHI), Personally Identifiable Information (PII), and sensitive financial information need to be asked:
Who works with this type of data outside the office (sales staff, medical professionals, etc.)?
What data needs to be protected even within the office from other employees (some information is “need to know” confidential)?
Where is data collected, processed, displayed and disposed of, and where is this physically done?
What is the corporate policy on working on data outside of the protected confines of the office, and are employees educated on these policies?
Beyond legally protected data, marketing information, sales data and trade secrets can be particularly at risk as workers move toward consumerization and mobility. This information is typically viewed as a chart or graph, which is an easy visual for onlookers to digest quickly. Executives, sales managers and marketing groups are high-risk groups for a visual breach because of the type of data they work with and their likelihood to travel.
The recently published Visual Data Breach Risk Assessment Study — performed by People Security and commissioned by 3M — found there is a significant gap between risk and corporate policy to prevent visual data breaches.[2] Of the working professionals surveyed, 70 percent said their company had no explicit policy on working in public places. Considering that half of the working professionals work on their laptops in a high-traffic public area at least one hour per week, the lack of policy and education around visual privacy creates a significant enterprise risk.
High-risk groups should be equipped with computer privacy filters to lower the chance of unwanted data exposure. The Visual Data Breach Risk Assessment Study also indicates that equipping at-risk employees with privacy filters is not enough; it must be coupled with policy to be effective, and employees need to be properly educated on these policies. An experiment conducted as part of the study showed that although workers say they believe visual privacy to be important, many do not take steps to preserve visual privacy. A holistic visual defense strategy is needed, one that equips at-risk employees with filters and then enacts policies to enforce their use outside of the office.
Top Mobile Security Policy Tips
Managing the holistic security of mobile devices is an important part of any enterprise’s comprehensive strategy. Below are some policy tips from enterprise CISOs.
1. Enforce remote wipe – Enterprises should maintain the technical ability to remotely wipe both employee-owned and corporate-owned mobile devices that process sensitive information in the case of loss, theft, or employee termination.
2. Use a risk-based approach to defend visual privacy – The risk of a visual breach is a function of how much an employee works outside of the office and the sensitivity of data that they access. At-risk employees should be equipped with a screen privacy filter for mobile devices and its use should be enforced by policy.
3. Consider e-discovery in approving employee-owned device access – One of the most complex issues around allowing employee-owned devices to connect to corporate resources is e-discovery – legal issues around the chain of custody and forensics for certain types of data. In certain cases, enterprises may consider having employees agree that their personal device may be seized in the case of litigation as a condition of them using the device to access corporate data.
For more information visit: 3Mscreens.com
[1] Forrester Research, March 6, 2012, “The Five Year Forecast for Tablets, 2011 – 2016.”
[2] People Security Consulting Service, 2010, “Visual Data Breach Risk Assessment Study.”
3M is a trademark of 3M Company. ©2015, 3M. All rights reserved.