Organizations spent over $640 million USD on data loss prevention (DLP) software in 2014. But with many users accessing corporate data from their mobile devices, just how effective is DLP?
Back in the good old days when network boundaries were clearly defined, DLP products could monitor corporate-owned end points and network communications relatively easily. But the combination of enterprise mobility and cloud computing is causing traditional DLP strategies to fall apart.
Mobile Users Can Bypass DLP
Organizations that have purchased enterprise DLP solutions lock down their end points, such as their corporate PCs and laptops, with DLP agent software. However, they usually don’t enforce the same level of control on employee-owned mobile devices. Privacy concerns and device compatibility issues are the main culprits behind weaker security enforcement on mobile devices. According to Gartner, “Having a useful mobile agent on a device you do not own is simply not a reality for many users or organizations. In particular, there are not full-featured DLP agents for iPads, iPhones or the near infinite variations of Android devices that perform DLP capabilities.”
Because most organizations do not deploy DLP agents on mobile devices, mobile users can often skirt around strict DLP controls by downloading confidential files to their phone or uploading email attachments from their phone to file sharing sites. With a simple swipe, an employee can copy financial data or a customer’s credit card number into a text messaging app and with another tap or swipe, it is gone. As a result, enterprise mobility is rendering many DLP deployments ineffective.
VPNs and CASBs Don’t Stop Data Leaks
To tackle mobile use cases, some organizations are turning to Virtual Private Networks (VPNs) and cloud security services. VPNs provide a way for organizations to monitor and control access to application servers hosted in the network. But with more organizations turning to Software as a Service (SaaS) apps like Microsoft Office 365, Salesforce, and Workday, users can bypass VPNs to access the business apps they need directly—and avoid cumbersome VPNs altogether. As a result, mobile users can view or download sensitive data to their phones.
Cloud Access Security Brokers (CASBs) provide a way for organizations to secure access to popular SaaS applications, but they offer limited DLP capabilities. For example, few CASBs can prevent mobile users from taking screenshots from their phone or copying and pasting confidential data into other mobile apps. They cannot record user sessions for forensics. In addition, many CASBs only support a small number of cloud apps; they generally won’t support industry-specific apps or home-grown apps.
With businesses turning out sensitive data at a faster rate than ever—training videos, product plans, sales presentations, customer reports, and the like—data loss prevention is more important than ever. This leaves IT administrators with the agonizing choice of deploying intrusive mobile device management software on employees’ phones for minimal DLP protection or just crossing their fingers and hoping users comply with security policies.
So how should organizations prevent data loss from mobile devices? IT and InfoSec teams need to prioritize the biggest risks that mobility introduces—risks like physical device theft, accidental or intentional data sharing, weak authentication, and mobile malware.
To prevent data loss from mobile devices, organizations should:
- Prevent sensitive data from being downloaded or saved to mobile devices
- Block screen captures and clipboard functions for sensitive apps
- Watermark confidential files and videos
- Log mobile user activity
- Record suspicious user sessions with screen recording
- Enforce multi-factor authentication for mobile apps
- Detect and stop brute force and password guessing attacks
- Encrypt communications between app servers and client devices
Mobile Security Checklist
There are a number of ways that organizations can implement these DLP controls. To learn more about avoiding data leaks from mobile devices, please see the white paper “Mobile Security Checklist: An Easy, Achievable Plan for Security and Compliance.”