It’s impossible to imagine a work environment that doesn’t include smartphones or portable computers. But the same features that let us keep up with work demands outside of work are threatening to become the Trojan horses of the mobile device world.
Consider how fast the confidential data and intellectual property stored on many employees’ smartphones, tablets and USB sticks can turn into a liability if that information falls into the hands of competitors or criminals.
This is not a small problem.
According to a 2009 study on the cost of data breaches by the Ponemon Institute, nearly one in three (32 percent) of the data breach incidents in the study involved lost or stolen laptop computers or other mobile data-bearing devices.
These incidents also come at a higher cost.
The average organizational cost of a data breach was US $3.4 million, but all countries in the study reported noticeably higher costs when the incidents involved mobile devices.
One of the reasons behind these higher costs may be the fact that mobile devices raise a wide range of issues. How many of these apply to your own use of a mobile phone or jump drive?
Banning the Internet
Given these risks, should companies just ban mobile devices outright? That was the initial reaction to the Internet—but it didn’t work then and it won’t work now. Even if companies stop supplying notebook computers or mobile phones, employees will use their own. A study by a leading IT analyst firm showed that companies expect the average number of workers using their own notebooks as their primary work PC to jump from 10 percent to 14 percent this year.
"Mobile devices have the potential to become the biggest threat to protecting confidential information."
A total ban is overkill for another reason—being able to work remotely increases productivity, improves customer service, and speeds up problem resolution. It can even help with employee retention by giving staff a way to avoid long hours at the office and reclaim some work-life balance.
Instead of a ban, organizations need to recognize that the benefits of mobility can be realized as long as companies manage the technology effectively—for both value and risk. Creating a mobile device strategy will help support that risks are accounted for and managed appropriately. The company’s information security managers will need to think about issues such as organizational culture, technology and governance when creating the mobile device strategy. They do not have to reinvent the wheel—a governance framework such as COBIT or Risk IT will provide a stepwise checklist and save time.
The Human Factor
Policies and software will only go so far. Basic human nature is key, too. Educating employees and explaining not only the policies but the reasons behind them is critical to success. A surprisingly large number of employees are not very aware of their company’s IT policies. For example, an ISACA survey in 2009 about online holiday shopping using a workplace computer showed that 45 percent of business and IT leaders say their organizations provide training on their security policy. Yet more than half of employees polled do not think their company has a policy in place.
Mobile devices have the potential to become the biggest threat to protecting confidential information. Securing them has been neglected until now, but it will rise to the top of most companies’ agendas as new features and products continue to be released and prices drop, making mobile technology more affordable for a growing percentage of the workforce.
Creating a transparent, understandable and executable mobile security policy is the best way to protect intellectual property and sustain competitive advantage. Embrace, but educate. Don’t wait for a major data breach— make sure your IT department has a governance model that will make your mobile device a workhorse—not a Trojan horse.
____________________________________
Mark Lobel, CISA, CISM, CISSP, is a mobile security project leader with IT enterprise governance association ISACA and a principal at PricewaterhouseCoopers.