Sue Marquette Poremba has written many times about how the mobile office increases security risks, particularly via the devices that enable us to work from home or coffee shops or hotel rooms.
ISACA, a leading global association for enterprise governance of IT, also sees the risks involved with mobile devices. The organization recently published a white paper, Securing Mobile Devices. Sue spoke with Mark Lobel, principal, PricewaterhouseCoopers, and ISACA white paper project development team member, about the top five risks for mobile devices and the best ways to secure them. He told her this to start:
The definition of mobile devices is any end point, not just smartphones or laptops or USB. Everybody tends to think of mobile devices as smartphones, but we carry data in multiple ways. And they create different challenges than traditional enterprise computing, where everything is centralized and better protected. It's very hard to drop a mainframe, but it is easy for a device sitting in your back pocket to be destroyed or lost.
This slideshow highlights the top five risks posed by the use of mobile devices and how to establish security measures to protect confidential information.
Enterprises often don't know the location of data and other business information.
Security Solution: Have a centralized way of managing data. Keep a data inventory and have a network access control solution so CIOs and CSOs know exactly who has the data, where it is, and where it is going. Lobel said it is easier to protect the data, too, from zero-day threats, if you know where the data is.
Mobile device security is usually neglected. As Lobel said, it is rarely the center of enterprise security and receives inconsistent focus.
Security Solution: Devices should be encrypted and authenticated. The best way to stop risk is to decide what information can be on the device and, if it shouldn't be there, block it.
A lack of education, and whether or not employees know the risks involved with having sensitive data on the devices, is a major threat.
Security Solution: Provide user education for employees that explains what devices are authorized, what's not authorized, and what the risks are if an unsecure device is used. Lobel said it is important to set the standard and bring it to the business data use.
Putting intellectual property in employees' hands can be dangerous. It is an act of trust to give sensitive information to employees, and not all employees will honor that trust.
Security Solution: If something is truly sensitive, it should be well monitored and controlled. Access should be given to only those employees who need it, when they need it. The way the devices are tracked should be monitored, and data transfers should be restricted.
Without an established governance framework, it’s impossible to provide employees with acceptable use guidelines and then hold them to those guidelines.
Security Solution: Implement a security policy that manages all stages of risk assessment and threat, from installation to retirement of the devices.