Privacy and Compliance in a Mobile World

Willie Jow
Willie Jow is vice president for business operations and mobility product marketing for Sybase.

Regulated industries such as finance, health care, pharmaceuticals, utilities and insurance operate under strict privacy requirements, especially when storing customer data. Patient information, credit card data, bank information or any private, personal data must never leave the safe, secure zones of the corporate systems. To protect this valuable data, companies typically have stringent user policies stating that employees cannot store customer, patient or bank information on their laptops or smartphones. They also add elaborate encryption and other data protection mechanisms to prevent mobile devices - laptops, tablets and smartphones - from accessing this information.


Realistically, though, employees often need to access this business-critical data from their mobile devices. And, even with policies and secure systems in place, some careless or rushed employees may circumvent the policies and store data on their mobile devices that should not reside there. According to the 2009 study, "Cost of a Data Breach," from Ponemon Institute, 40 percent of all data breaches involved user negligence, and 36 percent of all cases in the study involved lost or stolen laptops or other mobile data-bearing devices.


Guarding Sensitive Data


Regulations that seek to protect customer and patient information have been enacted during the last few years, including the Gramm-Leach-Bliley Act (GLBA), the Healthcare Information Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), the Payment Card Industry (PCI) Data Security Standard (DSS), and others from the Federal Energy Regulatory Commission (FERC) and the North American Electric Reliability Corporation (NERC). To comply with these federal regulations as well as state laws - such as the Massachusetts requirement that all personal data be encrypted - organizations must create and enforce mobile security policies. Once management defines those policies, IT must train employees: effective security starts with IT departments educating users.



Smartphone and tablet users must be made aware of the inherent risks of using mobile devices and should understand the policies and repercussions of breaking compliance and privacy regulations. The fines for non-compliance are significant. For example, NERC is responsible for developing and enforcing reliability standards, monitoring the bulk power system, and auditing owners, operators, and users of the bulk power system. Violations for not encrypting customer data can result in fines of up to $1 million per violation, per day.


Educating employees about mobile security is the most important first step a company can take. The next step is to place safeguards on mobile devices that will ensure the security of sensitive data, even when an employee ignores policies.


Do you think your customer data is safe because your IT department doesn't support mobile devices? You might be in for a surprise. Even if your company does not support smartphones or tablets, your employees are using their devices for work. In a survey conducted by Zogby International and sponsored by Sybase, 79 percent of smartphone users said they use their smartphone for work and personal functions. To secure this diverse set of approved and non-approved mobile devices, organizations need a mobile device management and security platform that has a range of robust security functions.


Smartphones and tablets are often lost or stolen, and IT needs a platform that will help them protect data that should never have been stored on the devices in the first place.


These 10 mobile security features can help keep companies in compliance:


  1. Enforced authentication: Password protection requires a user to enter a password when the device is cycled on, and the device is locked down after a predefined number of failed password attempts.
  2. Over-the-air data encryption: Data exchange is fully encrypted using Secure Sockets Layer (SSL) encryption.
  3. Remote control capability: Administrators can take control of the mobile device.
  4. Remote wipe: Administrators can clear all data and settings on a lost or stolen smartphone or tablet by issuing a simple remote wipe command.
  5. Remote data fading: Administrators can automatically wipe out data on a mobile device if it has been reported lost, stolen or inactive for a certain period.
  6. Full disk encryption: Data is secured and encrypted, making it next to impossible for anyone without authorization to read private data on a mobile device.
  7. Separation of personal and enterprise information: IT should be able to secure, control and erase corporate data and apps, separating enterprise data from personal data, such as photos, music and gaming applications.
  8. User access rights and security policies: IT can secure specific data by shutting down the users' ability to access certain data with their mobile devices.
  9. Over-the-air provisioning: Administrators can set policies, configure user smartphones and provision apps and updates remotely from a central platform.
  10. Network filters: Adding a filter to control access to backend systems creates another layer of data protection and helps keep the organization in regulatory compliance even when technically savvy users try to avoid IT safeguards. A filter collects data and analyzes it so you can evaluate personal mobile devices coming into the network. One option is to monitor who is attempting access and to block access unless a device management client is installed on the device. These intelligent filters provide users with access to systems only if they have permission under IT policies.
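To make the controls concrete, here is an added example (not from the article and not Sybase's product code) that expresses three of the ten features as plain policy logic: enforced authentication with lockout after a set number of failed passwords (feature 1), data fading when a device is reported lost or goes silent for too long (feature 5), and a network filter that admits only devices with the management client and disk encryption in place (feature 10). The field names, thresholds, device identifiers and reference time are all constructed assumptions chosen for the illustration.

```python
# Added illustration, not Sybase's product code. Models three of the ten
# controls listed above as policy logic: enforced authentication with
# lockout (1), data fading after loss or inactivity (5), and a network filter
# that admits only managed, encrypted devices (10). All field names and
# thresholds are assumptions; the device states are constructed sample data.
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Policy:
    max_failed_attempts: int = 5          # lock the device after this many failures
    inactivity_wipe_days: int = 30        # fade data once the device is silent this long
    require_mdm_client: bool = True       # network filter: management client must be present
    require_disk_encryption: bool = True  # network filter: storage must be encrypted


@dataclass
class DeviceState:
    device_id: str
    last_checkin: datetime                # last time the device reported to the platform
    failed_attempts: int = 0
    locked: bool = False
    reported_lost: bool = False
    mdm_client_installed: bool = False
    disk_encrypted: bool = False


def record_password_attempt(state: DeviceState, policy: Policy, success: bool) -> bool:
    """Control 1. Returns True if the device is locked after this attempt."""
    if state.locked:
        return True                       # already locked; further attempts change nothing
    if success:
        state.failed_attempts = 0         # a correct password resets the counter
        return False
    state.failed_attempts += 1
    if state.failed_attempts >= policy.max_failed_attempts:
        state.locked = True
    return state.locked


def data_fading_action(state: DeviceState, policy: Policy, now: datetime) -> str:
    """Control 5. Returns 'wipe' when data should be removed, else 'retain'."""
    if state.reported_lost:
        return "wipe"
    silent_for = now - state.last_checkin
    if silent_for > timedelta(days=policy.inactivity_wipe_days):
        return "wipe"
    return "retain"


def network_filter(state: DeviceState, policy: Policy) -> tuple[bool, str]:
    """Control 10. Returns (allowed, reason) for a device reaching backend systems."""
    if state.locked:
        return False, "device is locked"
    if policy.require_mdm_client and not state.mdm_client_installed:
        return False, "management client not installed"
    if policy.require_disk_encryption and not state.disk_encrypted:
        return False, "disk encryption not enabled"
    return True, "compliant"


def demo() -> dict:
    """Run the three controls over constructed devices and return the decisions."""
    policy = Policy()
    now = datetime(2010, 9, 27, 9, 0, 0)  # constructed reference time

    managed = DeviceState("tablet-01", now - timedelta(days=2),
                          mdm_client_installed=True, disk_encrypted=True)
    personal = DeviceState("phone-99", now - timedelta(days=1))      # no MDM client
    silent = DeviceState("phone-07", now - timedelta(days=45),
                         mdm_client_installed=True, disk_encrypted=True)

    # Five wrong passwords on the managed tablet trigger the lockout.
    for _ in range(policy.max_failed_attempts):
        record_password_attempt(managed, policy, success=False)

    return {
        "managed_locked": managed.locked,
        "managed_network": network_filter(managed, policy),
        "personal_network": network_filter(personal, policy),
        "silent_action": data_fading_action(silent, policy, now),
        "personal_action": data_fading_action(personal, policy, now),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The point of separating the three functions is that each control is evaluated on the platform side from device state the client reports, so a user who ignores policy still meets the lockout, the fade and the filter; a device that never enrolled simply never passes `network_filter`.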


Mobile Lockdown for Compliance


The mobile enterprise is here to stay. Smartphone and tablet use increased from 20.7 million units in 2008 to 33.7 million in 2009, according to ComScore. These mobile devices are so popular that IT departments will not be able to prevent them from entering the workplace. In a 2009 survey, Forrester Research found that 13 percent of information workers in the U.S., Canada and UK use a smartphone for work activities at least weekly, and that number is growing fast. By the end of 2012, approximately 34 percent of the global workforce will be mobile information workers.


As these numbers increase, so does the threat to sensitive, confidential data. To protect that data and remain in regulatory compliance, organizations need to develop a mobile device security policy. This policy must include a mobile device management and security solution that can secure data that might be transferred to smartphones or tablets. This kind of solution is the best way to ensure that sensitive customer information - and your business - will stay protected.




Sep 27, 2010 3:22 AM ITGuru says:

This is a great article. I have been thinking about this privacy problem for a while and you summed it up very well. It's a huge problem that needs to be taken under control. You should check out www.Barriq.com and www.tigertext.com. Privacy is exactly what this company is working on. Check it out!!
