A total ban is overkill for another reason—being able to work remotely increases productivity, improves customer service, and speeds up problem resolution. It can even help with employee retention by giving staff a way to avoid long hours at the office and reclaim some work-life balance.
Instead of a ban, organizations need to recognize that the benefits of mobility can be realized as long as companies manage the technology effectively—for both value and risk. Creating a mobile device strategy will help support that risks are accounted for and managed appropriately. The company’s information security managers will need to think about issues such as organizational culture, technology and governance when creating the mobile device strategy. They do not have to reinvent the wheel—a governance framework such as COBIT or Risk IT will provide a stepwise checklist and save time.
The Human Factor
Policies and software will only go so far. Basic human nature is key, too. Educating employees and explaining not only the policies but the reasons behind them is critical to success. A surprisingly large number of employees are not very aware of their company’s IT policies. For example, an ISACA survey in 2009 about online holiday shopping using a workplace computer showed that 45 percent of business and IT leaders say their organizations provide training on their security policy. Yet more than half of employees polled do not think their company has a policy in place.
Mobile devices have the potential to become the biggest threat to protecting confidential information. Securing them has been neglected until now, but it will rise to the top of most companies’ agendas as new features and products continue to be released and prices drop, making mobile technology more affordable for a growing percentage of the workforce.
Creating a transparent, understandable and executable mobile security policy is the best way to protect intellectual property and sustain competitive advantage. Embrace, but educate. Don’t wait for a major data breach— make sure your IT department has a governance model that will make your mobile device a workhorse—not a Trojan horse.
Mark Lobel, CISA, CISM, CISSP, is a mobile security project leader with IT enterprise governance association ISACA and a principal at PricewaterhouseCoopers.