Mobile devices expose organisations to unprecedented security risks, reports say

The rapid proliferation of smartphones and tablet computers is exposing corporate networks and information to unprecedented risk, and organisations worldwide should expedite efforts to shore up their cybersecurity systems.

That’s the message of four recent reports from large accounting firms.
 
PricewaterhouseCoopers’ “Managing Security in a Mobile World,” warns that businesses face a triple threat of elevated risk in terms of mobile security.

1. Citing a Citrix report showing 28% of the workforce using non-organisation-issued computing devices for work, a number that’s expected to rise to 35% in 2013, PwC asserts that it’s becoming increasingly difficult for IT departments to establish security controls at all access points to the network. This raises the risks of network breaches and data leaks.

2. Adding to the risk, mobile devices often have limited storage for consumers trying to handle personal and business affairs on one smartphone or tablet. Those consumers increasingly are turning to storage based in the public cloud, which is convenient but beyond the reach of IT’s control. Using public cloud storage also raises concerns about data security, ownership and leakage.

3.  Also raising risk is the increasing use of mobile devices to access social networking sites such as Facebook, Twitter and LinkedIn, which PwC says give hackers a uniquely effective position to dupe people into clicking malware-infected links from “friends” or to perhaps gain access to inadvertently shared corporate information

The PwC report recommends that businesses establish a multi-step process to create security policies that address the threats to regulated information, such as confidential client data, and intellectual property, such as trade secrets, patents and other proprietary material. Organisations need to determine which mobile devices will be allowed to access the network and establish connection policies. In addition, standards should be set for what types of corporate data can be stored on mobile devices, and IT must determine the types of encryption and authentication procedures that can be implemented to help protect the data, the report says.

IT departments also need to develop standards for cloud and social networking services. At the least, IT should ensure that cloud and data service providers meet the organisation’s security requirements.

Most important, the PwC report says, organisations need to educate employees on new data security practices and takes steps to ensure compliance. Employee failure to follow security guidelines is the biggest weakness in mobile security.

Other recent reports also highlighted security risks:

• Deloitte warns that cyberattacks on high-profile businesses already are on the rise, citing studies by the Ponemon Institute, antivirus software provider Symantec and the Digital Forensics Association that show a 44% increase in successful cyber-attacks, a four-fold jump in targeted cyberattacks from January 2011 to November 2011 and a data breach rate of 395,362 records a day in 28 countries surveyed. The Deloitte white paper, part of its Risk Intelligence Series, outlines a multi-step approach to assessing cyber-security risks, implementing processes for minimising those risks and multi-pronged strategies to address issues such as how organisations can control which software applications are running on mobile devices that can connect to the network. When IT can’t control which applications employees download onto mobile devices that have network access, the threat increases of a virus, worm or other malware infecting the network.

• Ernst & Young, in a report titled “Privacy Trends 2012: The Case for Growing Accountability,” also points to the security risks posed by mobile devices. The report recommends policy adjustments and awareness programmes but warns of possible privacy issues arising from the use of certain tracking and monitoring tools.

• Grant Thornton, in a report on the top three governance considerations for 2012, points to recent SEC guidance requiring companies to disclose any cybersecurity breaches and also to report material risks related to cybersecurity. The report recommends that organisations of all types make cybersecurity a top priority and conduct an IT internal audit, risk assessment and a security test.

The reports echo the 2011 findings of the AICPA’s 2011 Top Technology Initiatives Survey. CPAs and financial executives participating in the survey rated the proliferation of smartphones, tablet computers and mobile devices in the workplace as their top business technology concern. Mobile devices edged out information security, which had topped the list of tech concerns several years in a row.

—Jeff Drew (jdrew@aicpa.org) is a CGMA Magazine senior editor.