As we come to the end of cyber security month – we must admit to ourselves that to err is human. You can employ the latest technology at your company to bolster defenses but you cannot always keep employees from making stupid and unintentional mistakes. This lone fact is why cybersecurity training, and repetitive training, is so important.
Facebook has been in the news lately, causing its stock value to fluctuate since the 3/16 announcement that it was suspending Cambridge Analytica due to unauthorized access and use of Facebook’s user data. The news and hearing are all about privacy. What privacy rights do we really have when we put our data out there?
In its latest update, The Joint Commission banned the use of secure text messaging for patient care orders due to concerns over privacy and security. The decision was a curious one, since it came just a few months after announcing an end to the very same ban. Though its concerns are certainly warranted, as healthcare is the most targeted sector for cyber-attacks, The Joint Commission’s latest assertions against secure text orders are, quite frankly, unsubstantiated. In fact, modern secure messaging platforms not only address the issues raised by The Joint Commission, but can also serve to improve a hospital’s security, efficiency and compliance.
This is the first in a series of posts that will explore various aspects of data from cell phones. As an introduction I would like to “set the stage” by describing a series of facts that all subsequent posts will examine from the viewpoint of a court that must apply legal principles to the facts.
The ARMA Information Governance Principles are very relevant to today’s world of mobile communications. There are 8 of them all together, and in this blog series we will discuss 7 of them in great detail. We will not touch on the principle of Accountability, as having an accountable executive is necessary to the success of any endeavor, not just mobility and mobile messaging. I would like to start this installment with the Principle of Protection.
Today’s workforce has gone beyond mobile. It is fluid. The physical mobility of devices has improved so drastically that the lightest devices from 20 years ago would be the heaviest devices today. People aren’t just working in different places because they have to, they are working everywhere because mobility enables them to. The freedom to get things done instantly, without having to rearrange your life, has taken hold of today’s workforce. With it come efficiencies and benefits to the organization, employee and consumer, but also risk that must be considered.
Moving with the fluid workforce are their devices; laptops, tablets, phones and everything in-between are constantly being pulled out at soccer games, doctor’s offices, coffee shops and airports. Everywhere you look, someone is connecting. The problem is that interruptions in the real world are often sudden, abrupt, and urgent. Devices may be quickly put down to address a disruption. It is in that moment that the security of the device and everything on it matters the most.
The devices that enable our freedom contain valuable information. When they are lost, stolen, or simply misplaced, that information becomes vulnerable. What’s more, despite the best efforts of IT professionals to educate people about the importance of securing their device, it doesn’t always happen. With almost every security measure that IT forces onto a device, usability is degraded a bit. Degrade usability too much, and users simply move to another device. Even enforcing the use of a passcode on a phone causes consternation:
“Do I use a 4-digit pin or a complex password? I need to take pictures of my kids quickly before the moment passes. Maybe I should disable the code on family days so I don’t miss anything? Not having a code will also make it easier for my kid to play games on it when we’re in the car.”
In fact, studies show that despite the need for security, alarmingly, only 46% of users set a screen lock using a four-digit PIN, password or fingerprint. This means that over 50% of mobile device owners still do not take the basic step of password-protecting their devices. And password protection is just the first step; device encryption is equally important. Without it, a moderately sophisticated attacker can simply access device storage directly, sidestepping password protection altogether.
One obvious reason to care about mobile device security is the sad fact that some of your organization’s mobile devices will be lost. Make no mistake about it: No matter how diligent your staff may be, devices are going to be lost or stolen – eventually. In New York City alone, 73,000 mobile devices were left in taxi cabs in 2014. A lost device should always be regarded as a security breach. Whether the finder attempts to extract information with intent to steal intellectual property, or with the benign intent of identifying the rightful owner, unauthorized access will occur. Unlocked phones and unsecure apps can leave your organization open to a data breach. And this risk certainly is not limited to smartphones – laptops and tablets, while larger, are misplaced every day as well. Unfortunately, there are numerous examples where organizations have been fined for failing to encrypt lost laptops containing PII or PHI. Just this month, Premier Healthcare reported that a non-encrypted laptop was stolen from its billing department, exposing over 200,000 patients’ PII; almost 2000 of those records included social security numbers and/or other financial information.
Simply stated – lost devices are a security breach waiting to happen. With higher local storage capacity and access to cloud storage, lost phones and tablets are next to hit the news for breach of information. No amount of diligence can completely prevent the loss of devices. The best you can do is focus on mitigating the potential fallout and make sure that a lost device does not lead to a data breach.
Beyond securing devices, however, the applications that employees use to share information and communicate vital business information also need to be secure. While many organizations may think that deploying secure apps is excessive given their phone security requirements, those requirements are only as good as the hardware provider’s capabilities and are susceptible to human error.
Apps that encrypt their information prevent sharing, saving or forwarding of information and restrict the extraction of information without proper authorization. This can help mitigate the risk of information leaks or larger breaches. It is a mental shift from only protecting the device to protecting the information that flows between devices and better controlling what can be done with that information. Apps that securely leverage the convenience of mobile devices for rapid information exchange, collaboration and decision making can have a dramatic positive impact on employee workflow efficiency and experience.
Employees just want to use their devices in a way that makes their lives easier and helps them get their jobs done. The introduction of ephemerality has also changed the way we look at collaboration via our mobile devices. Corporate data can now be stored in a secure, fire-walled repository while being removed from devices, alleviating much of the risk created by lost or stolen devices.
This is not to say that device security should be ignored. Far from it. Even the most conscientious person might leave valuable information in unsecure locations on their devices, where device security is the last line of defense. On top of reasonable device security, the applications themselves can further protect information on devices and in transit, achieving a deeper level of security and confidence. Secure applications help ensure that the privacy of information belonging to your organization, employees and customers is protected.
In our ever-evolving, technology-rich and breach-heavy world, the need to increase the security on BYOD devices has grown significantly, while empowering employee efficiency is just as important. It is incumbent upon every organization to understand the impact of their mobile workforce upon security and compliance mandates in order to minimize the likelihood and impact of data loss or breach. The inclusion of secure apps such as secure mobile messaging helps you protect vital information from breach while leveraging the efficiencies of the mobile device. Providing, or enforcing, an option for secure information exchange and collaboration that does not jeopardize privacy or compliance should be included in every organization’s mobile enablement strategy.
To find out more about the benefits that can be realized through secure mobile messaging, contact us.
Contributor: Avi Elkoni
We are seeing much discussion about encryption and encrypted communications in the news in the wake of the Paris attack. The intelligence community did not intercept the communication between the attackers leading up to the attack, and this leads many to believe that encrypted communications must have been used.
The days of working at a company and receiving a new cell phone on your first day have started to fade away. Market researcher Gartner Inc. predicts that almost four in 10 organizations will rely exclusively on a policy of Bring Your Own Device (BYOD), meaning they will no longer provide devices to employees, by 2016, and 85 percent of businesses will have some kind of BYOD program in place by 2020.
Why is BYOD a Hot Trend?
The BYOD trend is popular amongst employees who bring their personal smartphones, tablets and laptops to the office, or use them offsite as they take their work home. Businesses benefit from BYOD programs shifting costs to the user – including costs for the hardware, taxes, voice and/or data services, and other associated expenses.
The Good Technology State of BYOD Report states that 50 percent of companies with BYOD models are requiring employees to cover all costs — and they are happy to do so. Why? Many employees don’t want to carry two cell phones to work.
Users prefer their own devices and they’d rather use the devices they love rather than being stuck with laptops and mobile devices that are selected and issued by the IT department. BYOD devices tend to be more cutting edge, and users also upgrade to the latest hardware more frequently than the painfully slow refresh cycles at most organizations.
Risks to Company Privacy
So the switch to mobility is in full swing and must be embraced by most organizations. But the risks to company privacy are high as employees access email and other potentially proprietary data on their own devices.
- Small and medium-sized businesses have been at the forefront of the BYOD trend, with almost 62 percent of American SMBs having an official BYOD policy in place as of 2013, according to research conducted by iGR, a wireless and mobile communications consulting firm.
- At least another 10 percent lack an official policy but allow employees to use their personal devices to perform work-related tasks.
- Data security and regulatory compliance are big issues with BYOD environments. SMBs often must absorb more risk than larger enterprises out of necessity. They can’t afford a security team, a chief information security officer, and all that this entails. SMBs and enterprise companies need to approach device and data management in a manner that secures corporate data and their customers’ data, but doesn’t hinder productivity. Furthermore, when a worker is let go, or leaves the company of their own accord, segregating and retrieving company data can be a problem.
Solutions to Consider
- For both SMB and Enterprise customers, Mobile Device Management (MDM) solutions, like IBM MaaS360, VMware AirWatch, Good Technology and MobileIron, do a good job of managing the segregation of the data on the mobile device and protecting it with encryption and PIN codes. They also enable clearing this business data if the phone is lost or the employee is terminated. However, when it comes to mobile communications, the text messages, emails and chats are sent to recipient devices that are out of the control of the sender’s organization and devices, beyond the reach of the MDM policies.
- Ephemeral messaging applications such as Vaporstream are designed for the BYOD world. They have the power and ease of use of email and text messaging without the liability of it. Ephemeral messages cannot be shared or stored and disappear after use. Regardless of the device, users can exchange messages securely across the enterprise, yet those messages do not remain on any devices and cannot be shared by any device, even those beyond the control of your MDM solution.
- Compliance is important in heavily regulated industries like Healthcare, Insurance, Legal, and Finance, just to name a few. Keep that in mind as you shop around for an ephemeral messaging solution that will address your needs. Consider vendors that uniquely allow companies to opt for a Governance Module where they can archive messages in a secure on-premise store. These can be tagged as transient messages with a short-term retention or for as long as required in regulated industries, while leaving nothing on the BYOD devices. The only copy is in your secured archive for e-discovery, with no exposure on BYOD devices or copies on unintended recipient devices and servers. Vaporstream covers these requirements and helps customers meet their regulatory requirements.
As companies embrace BYOD programs, they can also meet the unique privacy challenges by taking one simple step, in addition to implementing MDM – adopting a secure, ephemeral, compliant messaging platform. Enable efficient communication without sacrificing control over confidential information. If you currently do not have a solution that addresses privacy, security and compliance for mobile messaging, download a FREE trial of the Vaporstream® App today (available in the App Store and Google Play).
By Karen Tremblay
Last week the AIIM First in Flight North Carolina Chapter kicked off two key events that brought together members focused on raising money for two great charities and focusing on the topic of information governance (IG). The chapter meeting included two events, First in Flight Chapter Annual Charity Golf Tournament and InfoWorld 2015. Bentwinds Country Club hosted 80 golfers and Vaporstream was delighted to be one of the hole sponsors. It was a wonderful day for golfing: the weather was perfect and the sky was a beautiful Carolina blue. The AIIM First in Flight Chapter golf outing donated over $6,000 to both the Fragile X and Juvenile Diabetes foundations!
AIIM’s InfoWorld 2015 proved to be very informative and well attended, with close to 200 in attendance. There were several excellent sessions on data analytics, which are quite timely in the information governance community that is examining new ways of data mining with governance and compliance. Vaporstream® CEO, Galina Datskovsky, delivered the afternoon keynote, which focused on Big Data, Data Lakes and a way to incorporate IG into the Big Data practices and equation.
The event highlighted the ways in which Information Governance practices are changing. With the explosion of data and the growth of the Internet of Things, Data Lakes, and data analytics, IG professionals face new challenges. They must be prepared for the difficult tasks of corralling end users’ data for compliance purposes in the age of Bring Your Own Device (BYOD) and socializing the information governance requirements for Data Lakes. Practitioners must also handle the tough task of ensuring the applications they implement are easy-to-use intuitive applications for employees. If easy-to-use applications are not provided, employees will continue to download noncompliant apps and use them to the detriment (and dismay) of Information Governance and IT Departments.
It is clear that secure collaboration, privacy, protection and business enablement are at the forefront of everyone’s mind as they embark on IG initiatives. Vaporstream solves the secure mobile communication piece of this puzzle and is proud to be part of the offering and solution. Secure messaging assists organizations with equipping a mobile workforce with an approved way of collaborating and sharing text and images.