In today’s digital enterprise, there’s never a convenient time for your employees to lose their phones. Not only do they become disconnected from their work, but it also comes with serious financial and security ramifications. The Ponemon Institute has estimated that the average cost per organization over a year-long period for lost or stolen mobile devices at $876,238, when accounting for IT help, investigation and productivity loss. Coffee shops and bars are the most common locations where phones are lost or stolen, but the third most common place is in offices.
In a similar vein, theft of IT equipment — including mobile phones and other office devices — is almost as high as theft from cars and on other forms of transport, and considerably higher than at airports and hotels. However, 34 percent of respondents reported that they have no physical security policy in place to protect such equipment.
The cost of replacing a lost phone in terms of the hardware is just the tip of the iceberg. For organizations, the cost of lost phones can be considerably higher when it comes to exposing valuable information. Kaspersky estimates that mobile device loss is the third greatest threat faced by organizations, accounting for 26 percent of all internal threats.
A recent report by Bitglass found that lost or stolen mobile devices used for corporate purposes were the leading cause of data breaches, accounting for 25.3 percent of the total, and considerably higher than breaches caused by hacking, unintended data disclosures and incidents caused by company insiders.
Given the risks associated with mobile devices that can contain large volumes of sensitive information, the onus is on organizations to ensure that they have adequate data security policies and controls in place and that they are enforced. This can be achieved through having a multi-layered security plan in place.
Developing a Multi-Layered Security Plan
When developing a mobile security strategy, organizations should first decide which types of devices they are willing to support and which devices, such as older models, will not be allowed to connect to the network. This should be spelled out in the security policy. By taking a tough line on what will be supported, an organization is able to specify the use of only highly secure devices, such as those built on the Knox platform, which secures the device from the hardware layer on up.
The security plan and resulting policy should also specify requirements that users must follow, including the use of encryption, mandating the use of VPNs and making it a policy to avoid risky Wi-Fi hotspots.
Organizations should consider deploying an enterprise mobility management platform, which provides features for segregating corporate and personal data, securing documents and emails on devices, and enforcing corporate policies.
Such platforms also provide the ability to perform remote wipe, which is invaluable in the case of a stolen or lost phone. This feature means that all data traces can be removed from a device, safeguarding a user’s privacy and ensuring that sensitive corporate information cannot be breached. With the use of separate containers, organizations can perform a selective wipe, deleting only corporate information from the device.
Biometric authentication technology, such as fingerprint or iris scanning, can also help businesses mitigate the risk of lost devices. Passwords alone are not an effective defense against hackers. This is in part because most employees admit they reuse similar or the same passwords across multiple accounts, undermining their integrity and posing a significant risk. Biometric authentication removes the need for employees to memorize multiple, complex passwords, instead allowing them to authenticate with a “look” or a “touch.” Enterprises should consider mandating the use of biometrics to access mobile devices or the secure work containers on these devices.
This not only will these best practices help guard the organization from a damaging data breach, but will ensure that personal data is not affected. Given that some apparently lost devices may simply just have been misplaced, this will prevent the organization’s stance from being overly draconian.
The cost of a lost phone is considerably higher than the cost of replacing the hardware, especially when the loss leads to a data breach. Even when an organization doesn’t directly own and issue the device to personnel, it’s imperative that they protect themselves by having multiple levels of security that account for human error.
Are unpatched security vulnerabilities worth the risk? A recent report shows just how much known vulnerabilities can cost your business.