San Francisco, CA - November 14, 2017 - Lookout, the global leader in securing mobility, today released a new report which found that accessing data from mobile devices presents a significant risk for GDPR noncompliance. According to the report, "Finding GDPR Noncompliance in a Mobile First World,” 84 percent of U.S. security and IT executives agree that personal data accessed on employees’ mobile devices could put their company at risk for GDPR noncompliance. In fact, 64 percent of U.S. employees say they do access their organization's customer, partner and employee data while on their mobile device.
In conjunction with the new report, Lookout has launched the Mobile Risk Assessment to provide organizations with a custom assessment of their mobile risk based on a two-minute online questionnaire. The assessment describes clear steps an organization can take to mitigate their business and compliance risks.
“As organizations increasingly rely on mobile devices, the amount of personal and corporate data these devices access has grown exponentially, turning the mobile device into a valuable target,” said Aaron Cockerill, chief strategy officer at Lookout. “Enterprises are exposed to a new spectrum of risk as it relates to corporate data leakage and regulatory compliance. Looking towards the impending GDPR regulations, we provide the guidance CISOs need to understand their risks and to help them reach compliance across their mobile fleet.”
Key highlights from the “Finding GDPR Noncompliance in a Mobile First World” report include:
- GDPR regulated personal data is accessed by employee mobile devices: Nearly 78 percent of U.S. employees say they have access to corporate contacts on their mobile device. Further, 85 percent of IT and security executives say employees have access to enterprise apps, many of which likely store sensitive corporate data.
- Personal and work lives overlap on mobile: Over 70 percent of U.S. employees report using the same phone for personal and work purposes. In addition, 81 percent of U.S. security and IT executives say that the majority of employees are approved to install personal apps on the device they use for work purposes. As such employees are the ones choosing what apps they use to access and manipulate corporate data, putting corporate data at risk.
- PII is at risk of compromise on mobile: Thirty-two percent of U.S. employees with titles of VP and above report their phone has been hacked or compromised. And, 41 percent of U.S. employees admit they open links on their mobile device even if they are not 100 percent sure the links are safe, which could put PII data both on the phone and desktop at risk.
- Employees download apps without the company’s knowledge: Sixty-three percent of U.S. employees say they download apps outside of the ones their company provides to do their job. This is concerning as half of U.S. employees state they download applications outside of the main app stores (Google Play and Apple App Store), and 67 percent of U.S. employees confirm they regularly allow apps to access their contacts.
- Employees aren’t protected against app and device vulnerabilities: 23 percent of U.S. employees say they do not have automatic updates enabled on their apps and device operating system. These updates are essential to corporate security since, according to public vulnerability insights, 54 percent of the 699 CVEs patched since iOS 9 up until iOS 11 were considered high or critical severity.
All organizations that handle data for individuals in Europe need to prepare for GDPR compliance today, including any U.S.-based companies that do business or offer services in Europe. As research firm Gartner noted in a recent report, "By 2019, 30% of organizations will face significant financial exposure from regulatory bodies due to their failure to comply with GDPR requirements to protect personal data on mobile devices." (1) Given the impending GDPR compliance regulations, CISOs need to recognize the security risks that mobile presents to both personal and corporate data. As employees continue to require access to data on mobile, CISOs will need to:
- Understand how data can be leaked or taken from mobile devices: It is essential for CISOs to understand how data on employee devices could be maliciously taken or accidentally leaked from the device. Lookout provides visibility into a variety of mobile risks that expose personal data, including malicious apps that steal information, device vulnerabilities that can be exploited, apps that leak data, man-in-the-middle attacks, and mobile phishing attempts.
- Gain control and manage personal data accessed by mobile: Beyond visibility, CISOs need to be able to take immediate action to mitigate potential risks to corporate data. The Lookout Mobile Endpoint Security solution gives admins control across the entire spectrum of mobile risk through custom notification and remediation policies. For example, Lookout Mobile Endpoint Security seamlessly integrates with multiple EMM providers to allow CISOs to establish risk-based conditional access policies to ensure sensitive data stays secure.
- Accelerate the notification process if there has been a corporate breach: Under the GDPR requirements, if PII data is compromised, the CISO will need to notify the Data Protection Officer as soon as possible with relevant details regarding the breach. Lookout Mobile Endpoint Security provides timely notifications to administrators when data may be maliciously exfiltrated or accidentally leaked from a mobile device, arming administrators with detailed information about the identified issue within the Lookout console to enable notification to the supervisory authority without undue delay.
- Protect employee data with a solution that adheres to Privacy by Design Principles: As CISOs consider their current and future solution providers, they will need to select organizations that fit within their compliance strategy as it relates to GDPR regulations. Lookout adheres to data minimization and purposeful data collection principles and has robust privacy controls, including the ability to restrict collection of any PII data associated with users or devices under management, as well as limit end user information presented to administrators of the Lookout solution.
To read the full “Finding GDPR Noncompliance in a Mobile First World” report, including visual representations of the survey data, visit https://www.Lookout.com/info/wp-gdpr-lp. To take the Lookout Mobile Risk Assessment, visit https://www.Lookout.com/m1/mra. To learn more about Lookout Mobile Endpoint Security, visit https://www.Lookout.com/products/mobile-endpoint-security.
(1) Gartner, Revisit Your Enterprise Mobility Management Practices to Prepare for EU GDPR, Manjunath Bhat, Bart Willemsen, 9 May 2017
Data methodology
An online survey was conducted to a panel of potential U.S. and U.K respondents. The recruitment period was September 5, 2017 to September 15, 2017. A total of 2062 respondents completed the survey (excluding terminates and abandonments). All respondents were 18 years of age or older, employed full time at a company with 1,000 employees or more, and work for a company that has employees and/or customers/partners in the European Union (this excludes the UK; If only customers/partners, the company must store their personal data). 1,000 of the respondents were a decision maker or involved in decision making process as related to IT security, and had a title level above intern, entry level, analyst/associate. The sample was provided by Market Cube, a research panel company. All were invited to take the survey via an email invitation. The margin of error was 3.1%.
