I have to admit: Given the state of today's mobile workforce, I don't envy those responsible for risk management and compliance. Laptop computers have been hard enough to bring under control, and now users want even newer mobile devices, including netbooks, tablet computers and smartphones -- and they want them now. Many times, demands for these mobile devices are made well before the proper risk management and compliance guidelines have been established.
When it comes to mobile device security, I see both users and management modeling something called the expediency principle: People do what they do to get what they want, without thinking about the long-term impact of their decisions. Too often, management won't stand up to user requests for mobile devices that could potentially wreak havoc with corporate security.
This is where you must step up and demonstrate the risks associated with mobile devices, which is not hard to do. All it takes is one lost system to bring a world of hurt to your business. In fact, I served on a panel with Larry Ponemon of the Ponemon Institute at the recent Gartner Security & Risk Management Summit. We discussed some of his research findings, including:
- The average cost of a lost laptop is $49,246 -- a much higher price than many assume.
- Forty percent of all breaches are due to negligence, something mobility facilitates.
The Chronology of Data Breaches shows that nearly 500,000 records have been compromised in about a dozen laptop-related breaches thus far in 2010. Based on this hard data, along with what I see in my security assessments, mobile computing devices arguably create the greatest information risks to any organization.
Unlike firewalls, Web applications and databases, which only a small number of people are responsible for, mobile device security is everyone's problem. This is because most people in any given business have some type of mobile computing device with sensitive information on it. That's what makes mobile security a different beast. It's also what creates an environment that isn't conducive to compliance.
Looking at the essential elements of any given set of compliance requirements (technical, operational and physical controls across all of your information systems), I think any organization would be hard-pressed to claim it's compliant with HIPAA, HITECH, GLBA, state data breach notification laws and so on, given the complexities surrounding mobile device security.
Compliance and, more so, information risk management can be attained, but it won't be easy. Requiring passwords isn't enough. Enabling encryption isn't enough. Telling users what they can and cannot do via some policy document isn't enough.
Instead, you have to approach mobile security from the perspective of:
- Determine what sensitive information you have and which of your mobile systems it's located on;
- Determine how it's at risk across all of your mobile device platforms;
- Implement the necessary standards, policies and technologies to keep things under control; and
- Revisit the issue periodically and consistently.
With mobile devices, you have to do all of this now, before their use expands and the security threats grow even further out of control.
Until mobile devices are at or near the top of your compliance priority list, you're likely focusing on all the wrong areas. There's a quote by Ayn Rand that sums this up nicely: "We can evade reality, but we cannot evade the consequences of evading reality." Look into mobile device security, or risk the consequences of noncompliance and the ensuing ramifications.
Kevin Beaver is an information security consultant and expert witness, as well as a seminar leader and keynote speaker at Atlanta-based Principle Logic LLC. He has more than 21 years of experience in the industry.