Creating an enterprise mobile privacy and security strategy in the age of IT consumerization is becoming an increasingly tricky feat. High-profile breaches occur almost every day, making fear a leading driver behind security strategies.
But there is also a confluence of other factors that come into play, said mobile security experts at the "Security and Privacy Challenges" panel from last week's Boston App Expo. First, mobile privacy has become a complicated issue, especially as employees and business partners place a premium on user experience. Second, there's a lack of understanding about the growing number of mobile data-specific regulatory requirements.
"The personal and the corporate are really merging, and I think people's view on privacy is that it's not as important anymore, so it creates a real threat for security," said panelist Adam Bookman, partner at enterprise mobile strategy consultancy Propelics. "A lot of infosec folks we speak with are really worried about data loss and how that can happen."
Furthermore, although information security officers are keenly aware of the potential for malicious attacks, preventing data loss is their No. 1 priority. This is at least partly due to the ubiquity of sometimes hard-to-control mobile and cloud technologies -- some of the very same technologies that have driven data expansion.
"Organizations are losing control of their data," said fellow panelist Ted Julian, chief marketing officer of incident response management systems provider Co3 Systems. "Between mobile and cloud, data is in more places than it's ever been before, and from a security perspective, that just expands your risk landscape."
As if planning around unregulated mobile data isn't challenging enough, enterprises must also worry about managing mobile data and devices on the regulatory front. In today's day and age, a lost phone isn't just a lost phone.
"Forty-seven states each have independent requirements on what you must do if that data goes missing," Julian said. "Are you in healthcare? Then you've got HIPAA/HITECH to contend with. If you're processing credit cards, then you've got PCI DSS to contend with."
Not all data should be treated equally
Given these risk and compliance factors, how do IT or information security teams put together a mobile privacy strategy that not only gives employees access to the appropriate information, but is also compliant with myriad regulations?
When organizations meet to discuss mobile strategy, they talk about the business benefits, the company's readiness to implement the strategy, and how difficult it will be to enact. What frequently gets left out of the picture, according to Bookman, is classifying the various types of data assets employees need access to and profiling the risks. For example, information available on sales apps such as brochures or presentations has a lower risk of getting lost and spread in the wild than patient, customer or payment card data.
"Not all data assets are treated equally, and I think we have to recognize that and have some way to profile the risk of our ideas," he said.
Bookman discouraged a one-size-fits-all mobile security approach. Instead, he said, an organization should have a security framework whose security and privacy policies are applied to specific assets, at both the app level and the device level.
After data assets have been profiled, the next key step is to create policies and assign them to employees' mobile devices and apps in accordance with those risks. These policies could include stipulations to allow the IT department to turn certain device features on or off, to collect particular information from the device, or even to perform a complete data wipe if necessary, explained Bookman.
Creating and assigning these policies is not without its challenges. For starters, the different individuals using these devices and apps have varying roles and responsibilities that must be accounted for.
"You've got employees, you've got end users, and in some cases you've got contractors. How do you deal with these different kinds of use cases?" asked moderator Cimarron Buser, senior vice president of global operations at Apperian.
Privacy officers must also be vigilant regarding not only the policies within organizations, but also the mobile privacy rules they must adhere to on a regional, state and even nationwide level. California, for instance, has very strict privacy laws that prevent organizations from analyzing data on a mobile device that has do-not-track functionality enabled.
Lastly, if you already have policies in place, particularly regarding privacy, make sure they're updated and aligned with all your platforms, urged Bookman. This includes not only your mobile apps and website, but also your app store, for example.
Check out part two of this story to get the experts' take on why security basics and training are crucial components of mobile privacy and security policies.