Addressing Mobile Risks in 2015

Thursday, January 01, 2015

Rebecca Herold


Last week fellow IBM Midsize blogger Jason Hannula wrote about Gartner’s prediction that by 2018 more than 50% of all folks will use their mobile computing devices in the workplace before, or instead of, using a desktop or laptop. That’s just three short years away. We already have an abundance of mobile devices being used in a wide range of industries.

  • Doctors, nurses and other staff commonly use tablets and smartphones within hospitals and clinics. Many (perhaps most) of those are already personally owned.
  • Most of the personnel within the cloud start-ups I’ve worked with over the past couple of years have commonly used personally owned mobile devices.
  • A large number of financial companies I’ve spoken with, from the largest to the smallest, allow their employees to use their personally owned smartphones and tablets for business activities, and a large portion also allow employee-owned laptops.
  • Retail stores widely allow their employees to use personally owned smartphones, tablets and laptops to connect to their networks.
  • Educational institutions not only have staff and teachers using their personally owned devices; students are also using their own devices to access the school networks.

This could continue on and be a very long list of examples.

Now consider a few troubling revelations from a recent survey:

  • 20% of employees openly admit that they have uploaded proprietary corporate data to a SaaS app like Dropbox or Google Docs, with the specific intent of sharing it outside of the company.
  • 66% of users were able to access those very same cloud storage applications after leaving their last job.
  • 70% of employees use their personally owned mobile devices for work activities.
  • 63% of those just mentioned access their business data from their devices.

We are literally putting more responsibility for the security of our business assets into the hands of our employees. And most of those employees do not have the training to know how to effectively safeguard their devices and the data used with and stored upon them, do not get periodic reminders to keep them aware, and are not provided with tools to use with their mobile devices to establish some strong security controls. So we are also creating more risks to address.

Bottom line for organizations of all sizes…

Your employees are already accessing your company systems and data from their mobile computing devices; it is not a future problem. All businesses must act now to improve data security for the increased mobility of their workforce. These actions include (but are not limited to):

a) Executive support. Obtain the strong and visible support of your executive leaders for your information security and privacy efforts. Don’t know how? Point them to the Sony and Staples incidents, or any of the dozens of others that have occurred this year, and explain how these could have happened within your own organization. You can also read the chapter about how to do this in my book, “Managing an Information Security and Privacy Training and Awareness Program” (On sale now; get it at a nice discount for a limited time!)

b) Assigned responsibility. A position, team or department should be assigned responsibility for maintaining oversight for all business and personally owned computing devices. This includes ensuring appropriate security tools are provided and consistently used.

c) Documented policies and procedures. You cannot effectively manage mobile computing devices, whether owned by the company or by employees, if you don’t have documented policies and supporting procedures. Documented policies give everyone a single reference for what is and is not acceptable when using mobile computing devices, including which types of computing devices are approved for business activities.

d) Maintain an inventory. You can’t protect the devices, and certainly not the information they store and access, if you don’t know where or what they are! The position or area responsible for mobile computing needs to maintain a documented inventory of the individuals using them, the types of devices used, the types of business activities for which they are used, and the types of information they access.

e) Provide education. This is critical! You must provide effective training so that all employees using mobile computing devices, of every kind you’ve allowed to be used (see item c) above), know how to safeguard not only the physical device but also the data used with the device, by applying the appropriate technical controls. Also provide ongoing awareness communications: tips that remind personnel of safe computing device use, news of incidents involving computing devices that you can turn into teachable moments, etc.

This was cross-posted from the Privacy Professor blog.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.