December 1, 2016

It’s 9am, Do You Know Where Your Data Is?

For the next four weeks Lookout is diving into a number of key findings straight from the mouths of security and IT professionals you work with every day. This is week two. Check back for more insights from the field.

There’s a disconnect between IT security departments and the employees they protect: IT often doesn’t know what kinds of data employees can access via their mobile devices.

Fifty-six percent of IT and security professionals believe people are only accessing texts and emails, according to a report from The Ponemon Institute. This perception paints the picture of employees who sit at their desks all day and every now and again check their phone for a message. Mobile devices, however, are being used for so much more, and the use cases are clear in the data:

The knowledge gap

Three significant gaps between what employees actually access and what IT thinks they access deserve attention:

  • Employees’ personally identifiable information (52% of employees v. 18% of IT security)
  • Customer records (43% of employees v. 19% of IT security)
  • Confidential or classified documents (33% of employees v. 8% of IT security)

Design documents, presentations, etc. (25% v. 7%) and contact lists (50% v. 30%) are also worth calling out.

Employees are pulling out their phones to do work wherever they are.

Take “Daniel,” for example. He works for a big architecture firm and is visiting one of the company’s top clients. This client’s CEO is in the meeting and asks him a specific question about the redesign of a historical building’s facade. Knowing that he has protected documents regarding that very topic, Danny reaches for his iPad, heads to his firm’s Box account, and opens the CAD file. The CEO nods approvingly, and the meeting moves forward.

“Melissa” is an inside sales rep at your company. She’s been working diligently to close a big deal with a healthcare services company. After her latest meeting with this prospect, she runs to a commuter train to get back to the office and report the good news: the healthcare company wants to start technical evaluation of your company’s product! Melissa is excited to share the news, but she also knows that “if it’s not in Salesforce, it doesn’t exist,” so she uses her personal mobile device to update the account record before sharing the news.

The real story of mobile productivity today

Mobile devices are built to access a wide breadth of information in order to provide the most value to the user. Employees take advantage of this because it makes their working lives just a little bit easier.

Visibility is key. IT departments need to know what kind of data is being accessed in order to properly protect it.

Here’s what to watch out for:

The mobile access (and storage!) policies

Once you have visibility into the data your employees are accessing through their mobile devices, it’s a good idea to set up policies that will help you keep control of that data, while not inhibiting employee productivity or creating a difficult mobile experience that they will try to work around.

Today, only 30% of IT and security professionals say they have policies specifying the types of company data that can be stored on employees’ mobile devices. Only 41% say they have a policy specifying the types of data that can be accessed on employees’ mobile devices.

Using policies in tandem with technology that monitors the device for any activity that may put company data at risk will give your security and technology teams an advantage against data leakage and breaches. It starts with legitimately knowing what’s being accessed, so you know what needs to be protected.

About the Data: The Ponemon Institute surveyed 588 IT and IT security professionals who are employed in Global 2000 companies and the public sector who are familiar with their organization’s management and security of mobile devices used in the workplace. In addition, they have responsibility for monitoring or enforcing the security of mobile devices used in the workplace, including employee-owned devices, also known as BYOD. Get the full report for a detailed explanation of the survey methodology.