How can executives feel at ease when confidential corporate data is at stake? When it comes to mobile technology's influence on business, one thing is clear: Security policies are required.
During SearchCompliance's February tweet jam, participants were asked, "What information management practices must be included in a mobile device policy to assure proper data security and to prevent breaches?"
Our participants called for remote wipe control on mobile devices housing corporate information:
Q2, need to have wipe device rights, that alone prevents byod in many countries. sign in authentication an issue. #GRCchat — Randy Moeller (@RJMrim) February 20, 2014
Wiping a corporate device clean is one thing, but how much leeway do executives have with personal devices that employees have brought into the enterprise themselves? For tablets, smartphones and wearables that can't be cleared remotely, IT security teams need backup:
Biz may have to put specific info management policies in place for wearable/mobile tech: access limits, device restrictions etc. #GRCChat — Ben Cole (@BenjaminCole11) February 20, 2014
These access limits and restrictions are critical in this day and age, especially with the increased use of mobile technology by corporate employees and the rising incidence of device theft and loss. One tweet jammer shed light on this -- apparently very common -- issue:
#GRCchat Mobile device loss and theft without a solid Risk/Control plan in place is a real problem. — Keith Cerny (@kcerny) February 20, 2014
Given the inevitability of human error, SearchCompliance asked #GRCchat participants:
Tweet jammers didn't argue: Human error plays a huge role in effective data protection, so frequent training is necessary:
Mobile tech in reality makes hard line data protection almost impossible, so human side of GRC becomes even more critical #GRCChat — Dan Zitting (@danzitting) February 20, 2014
SearchCompliance Site Editor Ben Cole suggested that IT organizations give their employees constant reminders of their role in corporate data confidentiality. From there, participants tacked on more suggestions, such as constant evaluation of employees' policy knowledge and the creation of applications specifically for training purposes:
But wait: Do employees actually pay attention to this kind of training?
According to #GRCchat-ters, training must be short, engaging, memorable and take place often -- especially since it seems employees don't really consider their mobile privacy as much as their IT staff do. We asked our followers, "How should companies address employee privacy when conducting data governance of mobile device information?" Their thoughts:
Other tips offered by tweet jammers for addressing employee privacy during mobile device data governance operations: being open, being transparent and treating employee data like corporate data. Are there other ways to make sure employees are invested in information security -- whether they're protecting their own personal data or corporate information? Please add your advice in the comments section below.
To read the entire conversation from this #GRCchat, search the discussion hashtag on Twitter. Join our next SearchCompliance tweet jam scheduled for Thursday, March 27 at 12 p.m. EST (topic TBA).