When I talk to IT managers, I almost always hear fears of mobile devices as conduits for sensitive corporate data to leave the company. I don’t know why I keep hearing this. There’s simply no evidence to support this fear. In fact, there’s solid evidence that says mobile devices are not a significant—or even moderate—risk factor.
Every year, I check the Identity Theft Resource Center’s database of personally identifying information (PII) breaches, which require disclosure by both state and federal laws. I’m sure many losses go unreported, and the database doesn’t cover corporate information not containing PII. But if mobile devices were a conduit to data loss, they should show up in this database.
Mobile-linked breaches haven’t shown up in previous years, and they didn’t show up again in 2016—despite the fact that nearly everyone these days uses a smartphone.
What does show up? Paper records, thumb drives, external hard drives, laptops, hacks into databases and storage systems, and successful phishing attempts. Many of the reported breaches involve lost papers, drives, and laptops, where a data thief probably wasn’t involved. But many involve active hacking of IT systems where data theft is the goal. And some involve insiders (contractors and ex-employees) steal data to use themselves, bring to new employers, or—least often—sell to others.
None of the lost, stolen, or compromised devices were smartphones or tablets. That’s probably because encrypted devices need not be reported; they’re presumed safe. iPhones and iPads have long encrypted their contents, and professional-grade Android devices have done that in recent years. In both cases, a simple IT policy can enforce that encryption. It doesn’t take a fancy mobile security tool; Microsoft Exchange can do the trick.
Well, there was one data breach involving a smartphone: A former hospital manager, after resigning, took patient-identifying information by forwarding certain documents such as patient lists to her personal email account. She had work email set up on her personal smartphone—a common BYOD scenario—and simply forwarded the work emails to her personal email account. That’s not a mobile-specific issue—she could have done that from a work computer or a home computer.
IT’s remedy for this case is the same no matter the device running the email app: Use restricted email accounts where possible and data loss prevention (DLP) tools where not to identify and perhaps prevent such odd email usage. And don’t distribute PII or other sensitive information in routine documents in the first place!
Also not in the breach list were the cloud storage services that IT managers fret about after they’re done worrying about mobile devices: Apple iCloud Drive, Box, Dropbox, Google Drive, and Microsoft OneDrive.
But that omission may be misleading because if a lost (unencrypted) laptop has stored the access credentials for such services—which is common—then the data on that cloud drive is available to a data thief, just as the locally stored data is. The Identity Theft Resource Center database doesn’t go into great detail of each case, but because a lost (unencrypted) laptop is presumed to be a data breach, that breach extends to any data on that laptop, including cloud-accessed data.
Still, we didn’t see cases of these popular cloud storage services as the specific vector of a data breach—despite frequent IT fears to the contrary.
In this day and age, IT pros have plenty of security threats to deal with. Active hacking is the biggest threat, of course, and should get the lion’s share of the resources.
The client side should be addressed but not dwelled on. Of the clients in use, mobile is the least risky. Based on the actual risks, a good place to start is securing laptops, then external drives that people use when they don’t have access to a corporate cloud storage service. Those devices compromise the biggest client risk. Encryption is your main line of defense for these devices—for cloud storage, too.
For the much smaller risk posed by mobile devices, mobile management tools are both mature and effective; there’s no excuse not to have them in place already.