Unfortunately, a surprisingly high number of companies dont have policies in place for dealing with personal mobile devices. And an even higher number lack an effective way to enforce the policies they have. Believing its better to ask forgiveness than permission, some employees disregard corporate mobility policies and find rogue workarounds that let them use the hottest new handhelds.
While personal devices can greatly increase productivity, they also increase the potential for security breaches.
Counting the Cost of Mobility
As laptops, PDAs, and smartphones become smaller and smaller, they also become easier to lose. In a recent survey by The Ponemon Institute, 81 percent of US companies reported losing at least one laptop containing sensitive data in the previous 12 months. And according to the Privacy Rights Clearinghouse, more than 100 million individual records containing private information have been involved in security breaches in the past two years.
The Many Myths of Endpoint Security
IT, Security and the Legalese of Compliance
Restoring Online Privacy
Security Flaw Could Ground Wi-Fi Users|
The cost of those security breaches is high and rising. The Ponemon Institute found that in 2006, data breaches cost an average of $182 per record, up a full 31 percent from 2005. A separate Symantec survey found that the average corporate laptop contains $972,000 worth of data.
But losing sensitive data contained on mobile devices isnt the only potential risk. Failing to secure wireless gadgets may place some companies in violation of regulatory requirements like GLBA, SOX, or HIPAA. This lack of compliance puts them at risk for fines or other government actions.
The fact that security legislation does not specifically mention mobile devices should not be considered evidence that mobile devices are somehow exempt from the law; a PointSec Mobile Technologies white paper urges. Instead, it should be emphasized that from the legal standpoint, securing mobile devices is just as critical as securing a supercomputer. Even if a smartphone or PDA doesnt hold any sensitive data, it may be used as a key giving criminals access to the entire corporate network. In fact, improperly secured Bluetooth devices may compromise the corporate network just by being used in a public place.
The threat from viruses, spam, and other malware specifically targeting mobile devices is also growing. According to McAfee AVERT Labs, during just one year, the threat to mobile devices grew 10 times as fast as the threat to traditional PCs.
Who Needs a Policy?
Given the size of the problem, you might expect every company in America to have a formal mobile security policybut that isnt the case.
Im constantly surprised by how many IT executives have not considered mobile security in their overall security plan, says Bob Egner, marketing VP for PointSec.
In fact, in a study by the Business Performance Management Forum, 40 percent of companies surveyed had no formal mobile security policy, despite the fact that 80 percent of companies planned to increase their use of mobile devices in the coming year. The problem was particularly significant for smaller enterprises: nearly 68 percent of those with revenues less than $100 million did not have a formal policy.
However, those numbers may be changing soon. A recent Forrester report found that all but 16 percent of companies surveyed planned to consider mobile and wireless strategy and policies in the coming year.