The Ponemon Institute released a survey in June that paints an unfortunate picture about the state of mobile devices and cloud technology in industries that must deal with regulation or compliance standards, like healthcare or government.
The survey questioned nearly 800 IT professionals about the use of regulated data and what they perceived as the biggest security risks. They defined regulated data as “sensitive and confidential data that organizations are legally required to keep safe and secure”, like ePHI (electronic protected health information), financial information, or customer accounts.
The key finding here is that 69% listed mobile devices as the biggest risk, with 45% choosing cloud infrastructure (they could choose two options for biggest risks). However, mobile and cloud are not inherently dangerous. These risks are created more by company and employee practices, as the remainder of the survey demonstrated.
Participants admitted that:
A key takeaway from this survey is the lack of visibility and insight into employees' use of mobile devices and unauthorized cloud services. Desktop virtualization can mitigate many MDM (mobile device management) issues, allowing remote wiping of computers or rescinding access to sensitive data, as well as implementing device tracking. Even the use of personal devices can be secured through VDI (virtual desktop infrastructure).
Cloud providers and industry-specific productivity apps can maintain cloud compliance at all levels and stave off the use of public cloud applications, too. If employees have access to compliant, in-house applications that solve their productivity demands, they will use them appropriately, helping to maintain security. Existing infrastructure and applications can also be bridged with public cloud resources using hybrid cloud infrastructure.
In the end, a custom app or compliant cloud provider doesn’t completely solve security issues. That can only come with dedicated employee training and mobile visibility. Encryption should be used at all levels. Employees should be unable to access protected data without passing through appropriate security checks.
Posted By: Joe Kozlowicz