Cybersecurity threats have boardrooms across the country quaking in their boots. The mere mention of a hacker is enough to escalate a threat straight to the top. There's even a national cybersecurity centre. But talking about the risks from a USB stick... well, that doesn't exactly get the same level of attention. Unfortunately, the recent research from IBM and The Ponemon Institute suggests we're paying even less attention to mobile security than we were, despite the continuance of mobile data breaches. So why is mobile data not on the boardroom agenda and why should it be?
The latest Cost of a Data Breach report by IBM and The Ponemon Institute claims the cost has risen by 7 per cent since last year. Interestingly, if a business experienced a breach as a result of a lost or stolen device, the cost of the data breach increased by £5.40 from £102 per capita to £107.40 per capita. However, the report also claimed that the popularity of implementing 'endpoint security solutions' had dropped by 6 per cent over the last six years from 27 per cent in 2010 to 21 per cent in 2016. So, it seems that the cost of a mobile data breach is even higher than a regular breach but that companies are less focused on combating this kind of breach.
Talking about mobile data security
The evidence shows we're ignoring mobile data security, but the question is: why is mobile data security not as much of a priority as cybersecurity? I think there are two main reasons for this. Firstly, there's simply a lot more hype around cybersecurity. Everyone's talking about cybersecurity; it has significantly more column inches than mobile security, and there's a national centre for it but none for mobile security, which suggests that the Government takes cybersecurity more seriously, so why shouldn't businesses?
Secondly, cybersecurity is a little better understood by those tasked with defeating it than mobile data security, which is essentially a people rather than technology problem. For the most part, the people tasked with combating data security breaches are technically-minded people in the IT security field. These people understand the technology of the cyber breach and, as has been and will be the case for years, people always gravitate to what they're familiar with. Mobile data breaches, on the other hand, are mostly the result of human error, and while technology can certainly play a part in combating this, it's much more of an education job that's required; in most cases, the IT department traditionally doesn't have this particular skill set. But it doesn't entirely fall within HR's remit either. Instead, it falls between the cracks.
A problem with a solution
Mobile data security, in many ways, is more complicated than cybersecurity but unfortunately, businesses are ignoring it to a large extent, as evidenced by the IBM and Ponemon Institute research. The irony is that mobile data security probably deserves even more attention than cybersecurity. It should be on the boardroom agenda for many reasons. It's a problem that has a solution; it just needs strong leadership and vision to be successful - something that a boardroom is uniquely positioned to help with. There is also the fact that if employees are educated about mobile data security, they will take that education into their real lives and before long, we'll be a society that's much more digitally aware and security conscious.
The GDPR is coming
Apart from the altruistic reasons, there is one, huge, selfish, commercial reason why mobile data security should be on the boardroom agenda and that is the introduction of the EU GDPR. Even though the UK has voted to leave the European Union, a wealth of organisations and bodies are warning UK businesses that they will nevertheless still need to prepare for the EU GDPR. In the first instance it is unclear whether we will be fully out of the EU before the new regulations come into force but more importantly, the regulations will affect any organisation that handles the data of any citizen in any EU country so regardless of when we are out, the likelihood is that the rules will still apply to most organisations.
The fines have been confirmed as up to 4 per cent of global annual turnover in the event of a breach and I doubt that the national bodies enforcing the fines, such as the ICO, will be bothered whether the breach was as a result of a cybersecurity threat or a mobile data security threat. The last thing the boardroom wants is a breach that results in a fine of that magnitude. Not only would it mean huge financial losses to the company's bottom line, probable loss of earnings as a result of loss of customers and reputational damage but more personally, it would likely also result in senior board members being unceremoniously fired; just look at Noel Biderman, now ex-CEO of Avid Life Media (ALM), the parent company of Ashley Madison.
There's no doubt for me that mobile data security is being ignored and that it should be on the boardroom agenda. Organisations will never be able to curtail data breaches unless they are looking at the big picture and that means looking beyond just cyber threats.
Norman Shaw, CEO at ExactTrak