Unfortunately, a surprisingly high number of companies don’t have policies in place for dealing with personal mobile devices. And an even higher number lack an effective way to enforce the policies they have. Believing it’s “better to ask forgiveness than permission,” some employees disregard corporate mobility policies and find rogue workarounds that let them use the hottest new handhelds.
While personal devices can greatly increase productivity, they also increase the potential for security breaches.
Counting the Cost of Mobility
As laptops, PDAs, and smartphones become smaller and smaller, they also become easier to lose. In a recent survey by The Ponemon Institute, 81 percent of US companies reported losing at least one laptop containing sensitive data in the previous 12 months. And according to the Privacy Rights Clearinghouse, more than 100 million individual records containing private information have been involved in security breaches in the past two years.
The cost of those security breaches is high and rising. The Ponemon Institute found that in 2006, data breaches cost an average of $182 per record, up a full 31 percent from 2005. A separate Symantec survey found that the average corporate laptop contains $972,000 worth of data.
But losing sensitive data contained on mobile devices isn’t the only potential risk. Failing to secure wireless gadgets may place some companies in violation of regulatory requirements like GLBA, SOX, or HIPAA. This lack of compliance puts them at risk for fines or other government actions.
“The fact that security legislation does not specifically mention mobile devices should not be considered evidence that mobile devices are somehow exempt from the law;” a PointSec Mobile Technologies white paper urges. “Instead, it should be emphasized that from the legal standpoint, securing mobile devices is just as critical as securing a supercomputer.”
Even if a smartphone or PDA doesn’t hold any sensitive data, it may be used as a key giving criminals access to the entire corporate network. In fact, improperly secured Bluetooth devices may compromise the corporate network just by being used in a public place.
The threat from viruses, spam, and other malware specifically targeting mobile devices is also growing. According to McAfee AVERT Labs, during just one year, the threat to mobile devices grew 10 times as fast as the threat to traditional PCs.
Who Needs a Policy?
Given the size of the problem, you might expect every company in America to have a formal mobile security policy—but that isn’t the case.
“I’m constantly surprised by how many IT executives have not considered mobile security in their overall security plan,” says Bob Egner, marketing VP for PointSec.
In fact, in a study by the Business Performance Management Forum, 40 percent of companies surveyed had no formal mobile security policy, despite the fact that 80 percent of companies planned to increase their use of mobile devices in the coming year. The problem was particularly significant for smaller enterprises: nearly 68 percent of those with revenues less than $100 million did not have a formal policy.
However, those numbers may be changing soon. A recent Forrester report found that all but 16 percent of companies surveyed planned to consider mobile and wireless strategy and policies in the coming year.
For those companies in the process of drafting a mobile security policy, the key is to strike a balance between productivity and security. “There’s a tradeoff,” observes Egner. “CIOs like the productivity of personal equipment, but they don’t like the security.”
Forrester’s Maribel Lopez notes that the best practices policy is for companies to restrict users to a few devices. “But let’s be realistic,” she writes. “Huge backlashes occur when IT won’t allow executives who got the latest Treo or Motorola Q for their birthday to connect to the network. Rather than forcing employees to circumvent the system, an employee who purchases a device on the approved list should be able to register with IT to get it connected. However, they need to understand that IT will provide only limited support.”
Lopez recommends that a mobile security policy address three elements:
• Mobility Framework
Who can have a device? And which devices, operating systems, and applications will be supported?
How will devices be secured? How often should users reauthenticate? When and how will devices be neutralized if lost?
• Device management and support
How will devices be procured, managed and supported?
Making Enforcement a Priority
Unfortunately, the greatest mobile security policy in the world won’t protect a company if the policy is not enforced. In an August 2006 study, The Ponemon Institute reported that 41 percent of the companies surveyed did not believe that they effectively enforced data security policies.
Ironically, the problems with enforcement start right at the top.
“The members of the executive team are the worst offenders,” observes Egner. “They have the most sensitive information, and they are the most likely to be gadget freaks.” He’s seen cases where companies end up with a double standard—one mobility policy for executives and one for everyone else.
However, by taking a few relatively simple steps, IT can help reduce the number of employees at every rung on the corporate ladder from using unauthorized PDAs and other devices.
First, they can lock down corporate PCs to prevent users from installing their own software. This makes it harder for employees with rogue personal devices to sync their handhelds. Second, they should disable the USB ports on company PCs. This prevents employees from plugging in docking stations and also prevents the use of portable memory keys that can be used to take sensitive information out of the building.
Finally, one of the most effective strategies isn’t a technical solution at all. A growing number of companies make it a policy to provide employees with top-of-the-line gadgets at company expense. That way, the IT department controls which devices employees are using, and employees are less tempted to use personal gadgets for work.