Digital Transactions Authoritative, insightful and timely information for payments professionals
As the momentum behind mobile payments gathers strength, some technology experts are starting to consider so-called smart phones?which make mobile payments easy?to be devices in need of encryption. That's one finding in an annual study out Monday about encryption, a hot topic in the payment card industry nowadays because of a rash of data breaches. The immediate concern about the security of portable data devices such as smart phones is a reflection of the increasing mobility of the U.S. workforce and the use by entrepreneurs and employees of smart phones to access e-mail and company databases and to perform various business functions, according to the “2009 Annual Study: U.S. Enterprise Encryption Trends”. Traverse City, Mich.-based Ponemon Institute LLC conducted the study for encryption-technology developer PGP Corp. by surveying 14,893 information-technology executives, directors, managers, staff members, and related workers in corporate IT departments. The surveys yielded 997 usable responses. Notable among the findings was the growing identification of mobile devices as “endpoints” where sensitive data could be accessed. These endpoints include smart phones such as the iPhone or BlackBerry, and also “thumb drives” and related data-storage devices that easily attach to a PC or laptop through a USB connection. “It's not all that unusual for these devices to contain a lot of data,” Ponemon Institute chairman and founder Larry Ponemon tells Digital Transactions News. “You have to consider it as much an endpoint as a laptop computer.” Survey results indicate that security and tech professionals recognize that valuable data are becoming more mobile. Some 31% of respondents consider the data residing on mobile devices as “important” and another 28% consider them “very important,” survey results say. Ponemon gives the example of a nearly successful data breach he learned of about six weeks ago involving a company he won't identify. An employee had used his personal smart phone to download a free software application. Unbeknownst to the employee, that program was infected with malicious software, or malware. The employee later used the same phone to access his corporate e-mail account, which gave the malware an opening to access his company's customer records, including credit card information, Ponemon says. The company's IT staff identified the compromise just as the malware was about to transmit data on potentially up to 100,000 customers to a foreign country. “Some of the most severe malware infections seem to start from some of these portable data-bearing devices,” says Ponemon. Software can reside on a device, “and then from that, software can migrate to a desktop computer or laptop, and then infiltrate the corporate network.” This year's survey for the first time asked respondents if they used an encryption application “most of the time” with smart phones or personal digital assistants. Some 26% reported doing so, but 51% said they never do. On a related question about mobile data, 26% of 2009's respondents said they used encryption applications most of the time with such data, up from 18% in 2007 and 20% in 2008. The research also indicates a link between the thoroughness of a company's encryption efforts and data breaches. Some 85% of the responding companies reported having at least one data breach in the preceding year. Twenty-two percent of companies had five or more data breaches, up from 13% in 2008. But of those experiencing the most breaches, all had either no encryption strategy or a partial strategy compared to what Ponemon calls an enterprise strategy. Such a strategy takes a “platform approach” to build in security from server to applications to endpoints in contrast to a “silo” approach that deploys separate encryption products for each application or device to protect, the report says. For a company that handles payment card data, such as a retailer or processor, such an enterprise strategy would include but not be limited to compliance with the Payment Card Industry data-security standard, or PCI, according to Ponemon. “As part of your security posture, you have to factor the PCI into [it],” he says.
