There are risks to corporate data from poor encryption, and employee use of unauthorised and inadequately protected devices. That’s according to an online survey released by WinMagic Inc, and conducted by YouGov.
The survey of British office workers found that 42 per cent use devices not provided by their employer to work with corporate e-mails and files. Half (52 per cent) also use personal online accounts, such as Enterprise File Sharing Services (EFSS), to store or access work files – with only 34 per cent saying they have never done so.
Office workers claim to use a wide range of personal devices to store or access work files and systems including laptops (30 per cent), smartphones (22 per cent) and USB Storage devices (17 per cent). The top three personal online accounts used by office workers to store and access work files are Hotmail (14 per cent), Gmail (13 per cent) and Dropbox (10 per cent).
Yet these personal devices often lack the same level of security that an enterprise would employ, putting corporate data at risk. For example, only 52 per cent of respondents protect all their devices with up-to-date security software. Although it is the employee’s responsibility to protect personal devices, employers need to do more to control and protect the way in which corporate data is moved. Otherwise, data leaves the organisation without the correct security controls in place – ultimately it should always be under the protection of the organisation, even when it exits the firewall.
Only 18 per cent of office workers surveyed said their employer always encrypted the files accessed through personal devices or stored on personal online accounts. Working on data remotely helps employees be flexible and productive; however, one of the most common ways for data breaches to occur is through the loss of a device. An unprotected device with unencrypted corporate data may include credit card, medical, or other personal customer data, as well as sensitive corporate data and systems, open to use by unauthorised individuals. Such losses, and limited protection, can lead to identity fraud and to a company failing to meet the standards expected by regulators, such as the Information Commissioner’s Office (ICO), warns WinMagic, a data security product company. The EU General Data Protection Regulation (EU GDPR) will apply from 2018 to UK companies that are ‘controllers’ or ‘processors’ of European personal data, regardless of the UK decision to leave the European Union. Personal data will include identifiers such as account numbers and even IP addresses.
Mark Hickman, Chief Operating Officer at WinMagic, said: “IT departments need to consider carefully how they strike the balance between giving employees the flexibility they need, and ensuring the security of corporate data. Achieving that requires a combination of software and employee education, to help improve personal IT habits that are out of control of the workplace. This is one of many areas where encryption can play a key role, protecting data stored in the cloud and on remote devices, on personal as well as corporate accounts. Encryption remains the last line of defence, when an online account is breached or a device lost.”
About a quarter (26 per cent) of office workers admitted they use the same password for some of their work accounts and personal online accounts, and 5 per cent stated they use the same passwords for all work and personal accounts.
Despite admitting the failings of their home security habits, 20 per cent of office workers stated their company allows the use of personal online accounts and devices to access work files, if employees have adequate security software installed. A further 35 per cent confessed that they should not use personal accounts and hardware at all according to their company policy.
Hickman added: “Employees are simply trying to get their job done as efficiently as they can, but are often unaware of the risks they could be exposing their employer to. With effective device and encryption management strategies, IT departments can provide transparent and frictionless protection to data, without hampering the productivity of the workforce.”