The importance of data encryption on employee mobile devices
We’re living in an increasingly mobile world. According to recent research from Sapho, three-quarters of companies allow employees to use personal devices for work, and employees who enjoy this workplace benefit save 81 minutes per week on the job. With this convenience and enhanced productivity, however, comes a business risk: If an employee’s personal mobile device is lost or stolen, unauthorized parties can easily access sensitive data stored in email and other applications. Here’s why data encryption on personally owned devices is so important and how better employee data protection protects both the business and its staff.
Why mobile data encryption matters
The mobile devices we use to check sports scores and order takeout can feel so closely linked with our personal lives that, at times, we might underestimate the considerable risks they pose from a business security standpoint. Make no mistake: The risks are real. Because these devices are getting smaller and sleeker all the time, they can be easily lost or stolen, making personal or business information subject to theft as well — unless that data is encrypted.
If employees’ devices tap into the corporate network, it’s important to secure them with at least the same level of vigilance and due diligence you would a company-owned device. Healthcare IT professionals understand this imperative well, as HIPAA regulations strongly recommend encryption for all corporate data and documents that may access or contain protected health information (PHI).
In the post-GDPR world, it is more important than ever to ensure that customer data is securely handled on all the mobile devices that access it. Given this complex environment, CSO Online advises IT administrators to compile a complete list of relevant government regulations relevant and use it to inform their approach to enterprise mobile security, particularly bring-your-own-device (BYOD) policies.
Where encryption is concerned, it is important to understand the distinction between data in transit and data at rest. It’s easy to appreciate the fact that communications can be intercepted without proper encryption and strong authentication methods in place to protect them; it’s a bit more difficult to comprehend just how vulnerable data stored on a mobile device can be unless it is encrypted.
Once accessed, unencrypted mobile device data can quickly yield a treasure trove of sensitive financial, business or personal information that should be kept from prying eyes. If such unauthorized access results in a breach, an enterprise can suffer massive reputational damage and find itself subject to hefty regulatory fines.
Steps for securing employees’ personal mobile devices
There are a number of steps enterprises can take to better secure their employees’ personal mobile devices, from ascertaining what devices are in use and what data they access to implementing specific safeguards with a mix of security tools and policy.
- Use strong passwords and authentication protocols. Mobile devices should be protected with long alphanumeric passcodes. Enterprises whose BYOD participants access particularly sensitive data might want to implement biometric authentication methods as well. It’s important to remember, however, that passwords can be defeated, and as such, it’s wise to add another layer of protection in the form of device-level encryption to thwart a potential attack.
- Determine which devices require encryption. Not all data needs to be encrypted, and not all devices work best with the same encryption tools. To assess your encryption requirements, it’s beneficial to first have a comprehensive inventory of mobile devices that access enterprise data, including smartphones, tablets and laptops. From there, determine precisely what data must be encrypted and which solutions are best for the task at hand.
- Consider encryption across the entire data lifecycle. Enterprises often protect data in transit through virtual private networks (VPNs) and other forms of encrypted communication, but they may not always provide the same protection to data at rest on a mobile device, which is equally susceptible to breach. With this in mind, they should map out the entire data lifecycle of sensitive enterprise data and take proactive measures to secure it at every step and on every device.
- Scrutinize applications’ storage methods. It’s a smart policy to prohibit storage of sensitive data on personal devices, but even enterprises that do may find that applications employees use to access corporate data may cache that data locally on the device to provide smoother performance. If these applications do not encrypt the data they cache, it could become vulnerable to an attack.
- Review your company’s BYOD policy. If your BYOD policy does not explicitly reference the need for encryption, it’s wise to consider reviewing and updating it accordingly. If the business makes the decision to start encrypting data, it should clearly communicate this change in policy to BYOD program participants.
Tips for mobile security awareness training
All the enterprise-grade mobile device security in the world, while of course valuable, cannot outweigh the need for effective user awareness training. In order to defend the business against all potential threats, BYOD program participants must understand the risks inherent in mobile access to corporate data and the consequences that could arise in the event of a breach.
By explaining how encryption secures data both in transit and at rest and communicating to users how encryption can protect them and the business from the threats they face, IT teams stand a far better chance of gaining user buy-in with regard to securing their own personal devices.
With mobile devices proliferating throughout the enterprise, it’s an ideal time to pursue better employee data protection through device encryption. Enterprise mobile data is the next frontier for cybercriminals, who know how easy it can be to leverage the vulnerabilities inherent in mobile device access to corporate networks. By taking prudent security measures now and educating employees on the importance of protecting their personal devices from unauthorized access, enterprises can maximize the benefits of a robust BYOD program while minimizing its risks.