How does your IT staff handle mobile device and tablet security? Does it use in-house security standards and policies? Or does your company have an “anything goes” situation? Plenty of companies
I’ve been presenting on and writing about mobile device security since before information security was mainstream and things like HIPAA and Sarbanes-Oxley were on everyone’s minds. Not much has changed in the past decade or so, but I believe that IT needs to get serious about mobile security. Not only must enterprise IT shops support mobile devices in addition to desktops; these devices have also become a huge business liability.
Here are my top 10 reasons why we can no longer afford to ignore mobile device security’s impact on the enterprise:
1. There is an untold number of mobile devices across any enterprise, representing unique opportunities for security compromises. These devices create thousands of islands of information that need to be protected.
2. No one really knows exactly what information is where on these mobile devices. Corporate counsel and compliance managers can eagerly show you their information classification policies, but the reality is just not that simple.
3. Many employees claim there is nothing of substance on their mobile devices. Again, this is simply not true.
4. Executives don’t fully understand how much information is put at risk on mobile devices. Sensitive business assets are being brought places they’ve never gone before, from bathrooms and amusement parks to football games and taxi cabs. Data exposure is greater now in our society than it has ever been.
5. Many in management claim that devices are password-protected and are therefore secure. Attackers, however, have plenty of tools to negate smartphone-password protection -- if they're even needed at all. They’re often not, according to a Confident Technologies survey.
6. Organizations often trust employees to be responsible when it comes to handling mobile devices and information security, but they shouldn’t.
7. Even though your IT shop may support one or two mobile operating systems, workers are likely using multiple platforms. In addition to making it tricky to apply standard mobile device security controls, it's tough to verify that those controls are consistently in place across every platform.
8. Employees, contractors and consultants all use their personal phones and tablets for business purposes, even though many claim not to. This “non-business use” puts email, unstructured files, virtual private network connections and related information and systems at risk.
9. The general assumption is that mobile device security is someone else’s responsibility. Management says it’s on IT, IT says it’s on the users, and human resources just wants everyone to get along. Like Merle Martin said: "If more than one person is responsible for a miscalculation, no one will be at fault." The lack of accountability marches on.
10. Your business information is not only at risk on the mobile devices themselves, but it's also scattered across countless PCs at home and cloud-based backup and file-synchronization systems. Users may claim that their home computers are protected, and cloud providers will shove their SAS 70 Type II audit reports in your face, but neither means your information is truly secure.
Everyone -- IT, users, management -- has a new set of responsibilities when it comes to mobile computing. We know traditional desktops need hardening; we just need to get there with mobile devices as well.
ABOUT THE AUTHOR
Kevin Beaver is an information security consultant, expert witness, and professional speaker at Atlanta-based Principle Logic LLC. With over 23 years of experience in the industry, he specializes in performing independent security assessments revolving around information risk management. Beaver has authored/co-authored 10 books on information security, including The Practical Guide to HIPAA Privacy and Security Compliance and Hacking For Dummies. In addition, he’s the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go. Beaver can be reached at www.principlelogic.com, and you can follow him on Twitter at @kevinbeaver.
This was first published in February 2012