Mobile device strategies can make or break an organization: New data on the challenges of enterprise-owned mobility programs

The cost of implementing an enterprise-owned mobile device program can be staggering. Despite these devices offering high-impact ROI, organizations are struggling to harness it. A new research report breaks down the numbers behind the challenges organizations face when implementing mobile devices, and the strategies they’re taking to remediate them. 

No matter the industry, an organization’s ability to thrive is dependent upon productivity. And productivity in the digital age has become increasingly dependent on a workforce being able to connect, efficiently and securely, through mobile devices.

Mobile devices are a wonderful tool for communication and collaboration, information access, and doing business with colleagues and customers around the globe without anyone getting on a plane. But not all businesses that implement enterprise-owned mobile devices can reap the full benefits that these tools have to offer – at least not right away. For many, mobile devices introduce significant operational, financial, and security consequences that must be dealt with first.

Applying a robust access management strategy with the right mobile solutions requires an understanding of what the challenges are and how they impact organizations using enterprise-owned mobile devices.

The Ponemon report by the numbers

The findings of the latest Ponemon research report, “Unlocking the cost of chaos: The state of enterprise mobility in life- and mission-critical industries,” highlight, underline, italicize, and bold the fact that profit and productivity decline when mobile devices are lost or unusable. Specifically, problems with mobile devices lead to an average of 872 hours of unplanned downtime each week. And when it comes to having confidence in their organization’s ability to secure these devices, only 28% of IT and IT security practitioners believe their company’s mobile security strategy can truly safeguard sensitive data.

The findings were derived by surveying 1,795 IT and IT security practitioners in the United States, Australia, Germany, and the United Kingdom, who are familiar with their organization’s mobile workflow strategies, requirements, and security practices. Survey questions were designed to gather data on the current state of these organizations’ management of employee mobile devices, and their ability to protect access to mobile applications without disrupting workflows or hindering productivity.

The report’s focus is enterprise-provided mobile devices, but specifically includes organizations using 1:1 enterprise-owned mobile devices, those using shared enterprise-owned devices, and those using both 1:1 enterprise-owned and shared enterprise-owned devices. The industry sectors surveyed were manufacturing, transportation and logistics, healthcare, retail, and gaming.

Overall, the Ponemon Institute report confirms the significant impact that success or failure of enterprise-owned mobile device strategies can have on an organization’s finances, security, operations, and ability to thrive.

The impact of lost devices

Replacing lost devices is one of the most straightforward mobile challenges that organizations face. On average, approximately 203 hours are spent replacing lost devices each year. The average cost to replace a single device is $864, and the total annual cost spent on devices alone averages $5.45 million.

Nearly five and a half million is a high cost, but the actual cost is even higher — approximately $1.4 million higher, once you consider the cost of IT security and help desk support, plus idle time, and diminished productivity. Then there’s the impossible-to-quantify cost of diverting resources away from other IT and security obligations. At best, this limits an organization’s technical progress and innovation — at worst, it creates dangerous gaps in their security posture.

Lost and stolen devices are a common source of data breaches, as is unauthorized access. In the Ponemon survey, 54% of organizations reported experiencing a data breach stemming from inappropriate access to an employee’s mobile device. The costliest data breach suffered by respondents topped $2.2 million, which can be broken down into four approximately equal quarters. Twenty-three percent of the cost ($510,597) was based on the value of the data or device compromised, 25% ($554,801) on reputational damage and loss of customer goodwill, another 25% ($554,801) on the cost of regulatory or non-compliance violations, and 27% ($590,855) was related to identifying, containing, and remediating the breach.

The hard truth

These findings, taken with the rest of the data gathered in the report, make it clear that the cost of implementing enterprise mobile devices without a robust security and access management strategy can be staggering. But simultaneously, enterprise mobile devices offer a high-impact ROI and enormous growth potential. To reap these rewards, organizations must implement effective mobile solutions that harness this potential.

For a deep dive into the specific challenges experienced by organizations with enterprise-owned mobile devices, download the full report.

Unauthorized Access to Employee Mobile Devices Leads to More Than Half of Organizations Experiencing a Data Breach, New Report Finds

Research conducted by Imprivata and Ponemon Institute finds 28% of IT and IT security practitioners say their organizations can secure devices and access to data, while less than half cite satisfaction with the access experience

Waltham, Mass. – March 19, 2024 — Imprivata, the digital identity company for life- and mission-critical industries, and Ponemon Institute, today unveiled new research that highlights security, financial, and operational consequences associated with existing enterprise-owned mobile device programs. The findings, detailed in a new report titled Unlocking the Cost of Chaos: The State of Enterprise Mobility in Life- and Mission-Critical Industries, show the costly reality: Without effective tools or a unified strategy, organizations experience significant challenges when implementing mobile devices.

While mobile devices have become crucial for advancing modern business operations, the findings indicate that just 28% of IT and IT security practitioners believe their programs and strategies can secure mobile devices and access to sensitive and confidential data. Moreover, employee usability has notable room for improvement, with just 31% citing ease of access to applications and data on shared devices. Repetitive, manual authentication is a common challenge, as is employee downtime due to devices that are unusable - with an average of 872 hours lost each week.

“It is critical for organizations to adopt mobile devices to enhance productivity, but current access management and cybersecurity strategies are falling short,” said Fran Rosch, CEO at Imprivata. “And while all organizations are vulnerable to breaches that disrupt productivity and lead to financial loss, those in high-stakes industries often suffer dire consequences such as poor patient outcomes or the inability to deliver critical goods and services. This research comes at a crucial time for increasingly mobile industries like healthcare, retail, and manufacturing, to understand the challenges and optimize their significant investments in mobile technology.”

One of the more costly challenges revealed in the report involves dealing with lost mobile devices. Of the nearly 40,000 used by employees represented in this research, an average of 16% are lost each year, costing organizations an approximate $5.45 million annually. This does not factor in the costs of IT security and help desk support or diminished productivity and idle time, which add another $1.4 million, on average, every year.

Other key findings indicate:

  • User productivity would improve with remote mobile management. The process for maintaining and managing mobile devices takes place onsite all or part of the time for 67% of respondents, an inefficiency that needs addressing in the age of hybrid and remote work.
  • Many organizations’ strategies are failing to secure devices without creating usability issues. Sensitive data on mobile devices is vulnerable, with fewer than half (47%) of respondents saying their organizations secure vulnerable apps and just 40% saying they can protect data and privacy by locking down devices between each use. Moreover, just 40% say their programs enable quick access to mobile applications without repetitive, manual authentication.
  • No single industry is leading the charge on access management. Only 45% of respondents in industries including healthcare, manufacturing, and retail say their organizations are highly effective in protecting sensitive data on lost devices. Of all industries, healthcare spends the most on IT security support, totaling $750,270 annually. Healthcare organizations are also more severely impacted by diminished productivity or idle time when mobile devices are lost, with the average annual cost totaling $719,120.
  • All countries consider it very difficult to maintain access controls on shared devices. Sixty percent of IT and IT security practitioners in the UK and Germany cite a high degree of difficulty with access management, while 59% of those in the US agree.

“Today’s workforce demands flexibility and untethered access to data and tools from anywhere, at any time. However, this research shows current enterprise mobility strategies may be more of a hindrance than a help to many organizations and their employees,” said Joel Burleson-Davis, Senior Vice President of Worldwide Engineering, Cyber at Imprivata. “Organizations should start by conducting a readiness audit, designating responsibility of their mobile device strategies and programs to a key stakeholder such as the CIO or CTO, and then move ahead with implementing a robust access management strategy that optimizes security with usability. Only then can they win the trifecta of security, productivity, and financial sustainability.”

The study was conducted by Ponemon Institute on behalf of Imprivata and includes responses from 1,795 IT and IT security practitioners across the United States (604), the United Kingdom (364), Germany (584), and Australia (243) who are familiar with their organizations' strategy for mobile workflow requirements and security practices.

View the complete findings in the report, Unlocking the Cost of Chaos: The State of Enterprise Mobility in Life- and Mission-Critical Industries.

About Imprivata
Imprivata is the digital identity company for life- and mission-critical industries, redefining how organizations solve complex workflow, security, and compliance challenges with solutions that protect critical data and applications without workflow disruption. Its platform of interoperable identity, authentication, and access management solutions enables organizations in over 45 countries to fully manage and secure all enterprise and third-party digital identities by establishing trust between people, technology, and information. For more information, visit www.imprivata.com.

Media Contact
press@imprivata.com

Third-party access control in healthcare is key to avoiding regulatory noncompliance and fines

Safeguarding patient data is critical for healthcare organizations. Strong cybersecurity protects patients and avoids regulatory noncompliance. One essential solution to mitigating cyber risk is third-party access control. 

In today's digital age, the healthcare industry faces numerous challenges in safeguarding protected health information (PHI). With reliance on third-party vendors and the near-constant threat of cyberattacks, it is imperative that organizations prioritize secure vendor access. Failure to do so can result not only in a cyberattack that grinds operations to a halt, but also in noncompliance with HIPAA and regulatory fines.

The consequences of noncompliance

It’s no secret that noncompliance with privacy regulations has financial and reputational consequences. The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has been actively enforcing compliance with the Health Insurance Portability and Accountability Act (HIPAA) for years. But now we’re seeing more enforcement related to cybersecurity best practices, especially in the event of a ransomware attack.

We recently saw this when the OCR settled a $40,000 fine after a ransomware attack at Green Ridge Behavioral Health affected the PHI of more than 14,000 individuals. According to the OCR's investigation, there was evidence of HIPAA Privacy and Security Rule violations leading up to, and at the time of, the breach. This included failure to:

  • Conduct regular and thorough reviews of potential risks and vulnerabilities to PHI
  • Implement security measures to reduce risks to a reasonable level
  • Sufficiently monitor system activity to guard against cyberattack

The settlement highlights how compliance must include proactively addressing security risks. Third-party access is a critical component to consider, as healthcare vendors often have over-privileged and broad access that greatly increases the organization’s vulnerability to data breaches, loss of PHI, and regulatory noncompliance.

What organizations can do to prevent noncompliance

According to the OCR, the primary cyberthreats in the healthcare sector are hacking and ransomware. The OCR observed a 256% increase in reports of large breaches involving hacking in the last five years, along with a 264% increase in ransomware reports. In 2023, the large breaches reported to the OCR affected more than 134 individuals — an increase of 141% from 2022 – and 79% of those breaches were hacking incidents.

The OCR recommends the following cybersecurity best practices for any organization covered by HIPAA:

  • Provide regular training specific to employee workflows, reinforcing everyone’s role in data security and privacy
  • Employ multifactor authentication to ensure that only authorized users can access PHI
  • Make sure that all business associate agreements appropriately address obligations relating to security incidents
  • Regularly conduct risk analysis and management processes, particularly when planning for new technology or operations
  • Implement audit controls to record and analyze system activity, and regularly review this information
  • Encrypt PHI to protect against unauthorized access
  • Use prior security incidents to determine how security processes should be improved

With the importance of securing third-party access, it’s clear that a vendor privileged access management solution is essential to meet many of the above OCR recommendations.

How vendor privileged access management helps with HIPAA compliance

A vendor privileged access management solution provides third-party identity management to prevent unauthorized vendor access. It also provides granular controls to ensure that vendors can only access what they need, and nothing more. If they don't need access to PHI, they don't have it. If they do need access, granular controls and policies ensure that it is as least-privileged as possible.

Meanwhile, robust audit capabilities allow organizations to monitor and review system activity. Video recordings enable organizations to record, examine and regularly review information system activity of their vendors. This allows organizations to address potential issues before they escalate. Along with granular controls, regular audits demonstrate a commitment to HIPAA compliance. In addition, audits help organizations understand how to update access control policies to align with continually evolving regulations.

Control third-party access to ensure regulatory compliance

Healthcare organizations face increasing regulatory scrutiny and cybersecurity threats. Consequently, a strong vendor privileged access management solution is crucial in mitigating vendor access risks and avoiding noncompliance and hefty regulatory fines, while also protecting patient data.

These proactive measures safeguard sensitive information and enhance the overall trust and confidence patients place in their healthcare providers.

Learn about how Imprivata Vendor Privileged Access Management (formerly SecureLink Enterprise Access) can help.

Cultivating digital resilience: The crucial role of cyber hygiene, Part 1

In this climate of pervasive security threats and attacks, good cyber hygiene can bolster your organization's defenses, protect sensitive data, and build digital resilience.

Cybercrime is pervasive in the digital age, with cybercriminals constantly changing and advancing their techniques. In response, cybersecurity strategies must be proactive and adaptive. It isn’t enough to combat cyberthreats; organizations must work to maintain good cyber hygiene.

What is cyber hygiene?

We all understand the importance of personal hygiene habits like washing hands and flossing to support physical health. Cyber hygiene habits are a set of practices to help fight against cyber threats, protect sensitive information, create resilience in digital systems, and enable a healthy, secure digital environment.

Let’s take a closer look at the benefits of good cyber hygiene habits, and the role they play in fortifying an organization's defenses.

Safeguarding sensitive data

At the heart of cyber hygiene lies the protection of sensitive data. All organizations deal with confidential information, from employee data to proprietary business plans. Cyber hygiene practices like encryption, regular backups, and access controls shield this valuable information from unauthorized access.

Preventing data breaches

Security incidents, like data breaches, can have severe consequences. They tarnish reputations and lead to crushing financial costs. Cyber hygiene best practices like regular security audits build a robust defense against potential breaches.

Mitigating insider threats

Insider threats, even when they aren’t deliberately criminal, put organizations’ systems and data at risk. Cyber hygiene measures, such as least privilege access, minimize the impact of insider threats to help maintain a secure digital environment.

Adapting to evolving threats

Today’s cybercriminals are dynamic, using sophisticated and evolving technologies to breach defenses. Regularly updating security protocols and staying aware of emerging threats help organizations adapt to the ever-changing threat landscape.

Ensuring regulatory compliance

In a time of stringent data protection regulations, good cyber hygiene is essential to ensure regulatory compliance. Organizations need measures such as data encryption and incident response plans to meet the requirements of data protection laws and standards.

Preserving business continuity

Cybersecurity incidents disrupt business operations, leading to downtime and loss of productivity. Cyber hygiene measures, including disaster recovery plans and regular system backups, help preserve business continuity by minimizing the impact of potential disruptions.

How can organizations ensure good cyber hygiene?

Good cyber hygiene results from a comprehensive cybersecurity strategy that incorporates the following best practices.

Build a security-conscious culture

Good cyber hygiene requires continuous education and awareness. Employee training on cybersecurity best practices and shared responsibility builds a workforce that actively helps to protect your digital assets.

Strong password policies

Make the use of complex, unique passwords compulsory, along with regular password changes. Using multifactor authentication adds an extra layer of security.

Privileged access management

Implement a privileged access management solution to manage and control access to privileged accounts. This helps prevent unauthorized access and ensures that employees only have the privileges they need.

Data encryption

Encrypt sensitive data, both in transit and at rest. Encryption adds an extra layer of protection to prevent unauthorized access to confidential information.

Regular security audits and vulnerability assessments

Conducting regular security audits and assessments identifies potential weaknesses before they can lead to security incidents. Proactively addressing vulnerabilities enhances overall cyber resilience.

Secure network configuration

Securely configure networks, limiting access and segmenting sensitive data. This minimizes your attack surface and your vulnerability to security breaches.

Collaboration with cybersecurity experts

Engage with cybersecurity experts, consultants, or services to stay on top of the latest threats and best practices. Collaborating with experts can provide insights and guidance tailored to your specific needs.

Implement good cyber hygiene habits at your organization

The importance of good cyber hygiene can't be overstated. Cyber hygiene is the foundation of a secure and resilient digital infrastructure. It safeguards sensitive data, helps prevent breaches, and fosters a culture of security. Integrating cyber hygiene into daily operations is key to successfully navigating the complex digital landscape.

Learn how the Imprivata access management suite of solutions can help you follow good cyber hygiene at your organization – and stay tuned for Part 2 of this two-part deep dive into cyber hygiene.