A new Ponemon eport focuses on the risks associated with employee access to regulated data, such as protected health and financial information, via company or personal mobile devices and how this affects a business’ ability to comply with privacy and data protection laws.
The research reveals that more than 80 percent of the 798 IT professionals surveyed did not know how much of their organizations’ regulated data is stored on cloud file sharing services or mobile devices – creating significant risk and compliance issues.
Most organizations also had weak controls in place to protect regulated data on mobile devices, with 73 percent relying on manual policies and few utilizing mobile device management (12 percent), mobile digital rights management (6 percent) or mobile application management (4 percent) tools.
The study also highlighted substantial compliance gaps. For example, 67 percent of respondents said their organizations must comply with U.S. and state privacy and data breach laws. However, only 18 percent are aware that these laws specify the protection of regulated data on mobile devices, including employees’ personal devices used for work purposes.
This lack of knowledge can lead to costly mobile data breaches. On average, organizations represented in the study experienced almost five mobile device-related data loss incidents in the past two years, resulting in the breach of an estimated 6,000 individual records.
The Ponemon Institute survey results also state that regulated data on mobile devices and in the cloud is at risk because organizations do not:
- Know how much regulated data is on mobile devices used by employees or transferred to cloud-based file sharing applications
- Prevent employees from accessing regulated data using unsecured mobile devices
- Make mobile data protection a top priority
- Take steps to monitor employees who access and use regulated data on mobile devices
- Ensure employees are aware of the importance of protecting regulated data on mobile devices. Respondents also believe that most employees, at one time or another, have circumvented or disabled required security settings on their mobile devices
- Have the necessary oversight or governance practices in place.