Despite highly publicized data breaches, mobile workers still endanger company data with risky behaviors, according to a new survey.
The Web questionnaire of 893 U.S. IT professionals, taken earlier in the northern autumn, found that mobile workers, including the IT professionals surveyed, are not following even simple data security procedures and are surprisingly ignorant or uncertain about what, if any, mobile security policies exist.
Yet perhaps more ominous is the fact that company mobile security policies are non-existent, ignored or are not enforced.
The study asked a sample of mainly US IT professionals, in a range of company sizes and industries, about seven data security practices, by them and by their co-workers. The practices were:
- Copying company data to a USB memory stick.
- Accessing Web e-mail accounts from company computers.
- Losing or having stolen a mobile device with company data.
- Downloading personal software, such as an MP3 player, to a company computer.
- Sending business documents from your company e-mail to personal e-mail address.
- Turning off company security settings.
- Sharing passwords with coworkers.
The survey was created by the Ponemon Institute, a research firm specializing in privacy and information management. The Web questionnaire drew responses from 893 self-identified IT professionals, from a total random sampling of just more than 15,000 adults. The study was sponsored by RedCannon Security, a vendor of mobile access security applications for the enterprise. The latest results track with an earlier Ponemon study on "off-network security".
The report notes that this type of survey has several inherent limitations or potential biases that should make readers cautious about drawing inferences from the data. For example, "it is always possible that individuals who did not participate are substantially different in terms of underlying beliefs from those who completed the instructions." The accuracy of responses can also be affected by the degree to which the sample list is representative of individuals who are IT executives, and by external variables such as media coverage. Still another variable is whether respondents were truthful in their answers.
Even with these caveats, the survey results are troubling.
In the study, 39% of respondents, almost four out of 10, say they have lost (or had stolen) a mobile computing device of some kind, ranging from laptops to USB drives, that held sensitive or confidential company data (most of these are in fact lost rather than stolen). Of those, only 28% reported the loss right away. Thirty-four percent say they waited a "few days." Worse, 56% of all respondents say they believe their employer would never be able to figure out what kind of data was on the lost device.