Accessing data from mobile devices presents a significant risk for GDPR noncompliance, according to Lookout.
84 percent of U.S. security and IT executives agree that personal data accessed on employees’ mobile devices could put their company at risk for GDPR noncompliance. In fact, 64 percent of U.S. employees say they do access their organization’s customer, partner and employee data while on their mobile device.
“As organizations increasingly rely on mobile devices, the amount of personal and corporate data these devices access has grown exponentially, turning the mobile device into a valuable target,” said Aaron Cockerill, chief strategy officer at Lookout. “Enterprises are exposed to a new spectrum of risk as it relates to corporate data leakage and regulatory compliance.”
GDPR regulated personal data is accessed by employee mobile devices
Nearly 78 percent of U.S. employees say they have access to corporate contacts on their mobile device. Further, 85 percent of IT and security executives say employees have access to enterprise apps, many of which likely store sensitive corporate data.
Personal and work lives overlap on mobile
Over 70 percent of U.S. employees report using the same phone for personal and work purposes. In addition, 81 percent of U.S. security and IT executives say that the majority of employees are approved to install personal apps on the device they use for work purposes. As such, employees are the ones choosing which apps they use to access and manipulate corporate data, putting that data at risk.
PII is at risk of compromise on mobile
Thirty-two percent of U.S. employees with titles of VP and above report that their phone has been hacked or compromised. And 41 percent of U.S. employees admit they open links on their mobile device even if they are not 100 percent sure the links are safe, which could put PII data on both the phone and the desktop at risk.
Employees download apps without the company’s knowledge
Sixty-three percent of U.S. employees say they download apps beyond the ones their company provides to do their job. This is concerning, as half of U.S. employees state they download applications from outside the main app stores (Google Play and Apple App Store), and 67 percent of U.S. employees confirm they regularly allow apps to access their contacts.
Employees aren’t protected against app and device vulnerabilities
23 percent of U.S. employees say they do not have automatic updates enabled for their apps and their device operating system. These updates are essential to corporate security: according to public vulnerability data, 54 percent of the 699 CVEs patched between iOS 9 and iOS 11 were rated high or critical severity.
Organizations need to prepare for GDPR today
All organizations that handle data for individuals in Europe need to prepare for GDPR compliance today, including any U.S.-based companies that do business or offer services in Europe. Given the impending GDPR compliance regulations, CISOs need to recognize the security risks that mobile presents to both personal and corporate data. As employees continue to require access to data on mobile, CISOs will need to:
Understand how data can be leaked or taken from mobile devices: It is essential for CISOs to understand how data on employee devices could be maliciously taken or accidentally leaked from the device. CISOs need visibility into a variety of mobile risks that expose personal data, including malicious apps that steal information, device vulnerabilities that can be exploited, apps that leak data, man-in-the-middle attacks, and mobile phishing attempts.
Gain control and manage personal data accessed by mobile: Beyond visibility, CISOs need to be able to take immediate action to mitigate potential risks to corporate data.
Accelerate the notification process if there has been a corporate breach: Under the GDPR requirements, if PII data is compromised, the CISO will need to notify the Data Protection Officer as soon as possible with relevant details regarding the breach.
Protect employee data with a solution that adheres to Privacy by Design Principles: As CISOs consider their current and future solution providers, they will need to select organizations that fit within their compliance strategy as it relates to GDPR regulations.