21st Century Tools for Teaching-People and Learners

Organizations are failing to respond to the culture of employees using their own mobile devices for work and are opening up their systems to security risks.

These are the preliminary findings of a survey by PwC and Infosecurity Europe.

82% of large organisations reported security breaches caused by staff, including 47% who lost or leaked confidential information.

Only 39% of large organisations encrypt data downloaded to smart phones and tablets
54% of small businesses (38% of large organisations) don’t have a security awareness programme
While 52% of small businesses say social networking sites are important to their business, only 8% monitor what their staff post on those sites.

Some 75% of large organisations (and 61% of small businesses) allow staff to use smart phones and tablets to connect to their corporate systems and yet only 39% (24% of small businesses) apply data encryption on the devices.

Read more...

Employees are increasingly using (and demanding to use) their personal devices to store and process their employer's data, and connect to their network...

Even if cost-savings is not the goal, most companies believe that processing of company data on employee personal devices is inevitable and unavoidable. Unfortunately, BYOD raises significant data security and privacy concerns, which can lead to potential legal and liability risk.

Many companies are having to play catch-up to control these risks.

This blogpost identifies and explores some of the key privacy and security legal concerns associated with BYOD, including “reasonable” BYOD security, BYOD privacy implications, and security and privacy issues related to BYOD incident response and investigations.

Take the example of company-owned laptop issued to an employee. When it comes to security, the company can:

- determine and limit the type of devices that can be used;

- implement minimum system requirements and configurations;

- install security-related software to the device;
encrypt company data on the device;

- apply security patches;

- monitor the use of the device to detect misuse, hacking or malware;

- dictate how the device connects to the company’s network;

- install and update anti-virus software;

- provide support for the device; and
obtain/access the device for purposes of an investigation (because the company owns the device).

Ignorance, as those in IT security know, is not bliss.

And, two new studies when viewed together show that consumer ignorance of the consequences of their actions coupled with enterprises' unawareness of their computing environment equal unacceptable risk.

===> Many organizations unduly place themselves at risk by allowing access to their computers by mobile devices used by employees who download apps without understanding their consequences. That doesn't seems like a smart information risk management policy; actually, it doesn't seem like a policy at all. <===