
Data protection basics, education vital to mobile security policies

The prevalence of BYOD and cloud means corporate data is exposed to a wider risk landscape than ever before, security experts say. Learn how to make sure your mobile privacy and security policies can withstand modern threats.

Ted Julian is no stranger to the many facets of information security. The chief marketing officer of Co3 Systems, an incident response management systems provider, has been in the security business for 20 years. But with the prevalence of bring your own device (BYOD) and cloud computing, there's something significantly different about today's threat landscape, he said: Data risk has expanded substantially, especially as the corporate and personal information stored on mobile devices becomes harder to manage.

At the recent Boston App Expo, Julian and Adam Bookman, partner at enterprise mobile strategy consultancy Propelics, led the "Security and Privacy Challenges" panel discussion on how today's enterprises can navigate the risky BYOD landscape. In part one of this story, they said data classification and profiling can help mitigate data loss. Here, they emphasize the importance of information security's nuts and bolts when creating mobile privacy and security policies.

Don't forget the basics


When it comes to crafting mobile security policies, sometimes the best advice is the most straightforward. Julian advised IT, security and privacy officers to start with "the basics" of mobile security: device encryption, laptop encryption and remote wipe capabilities.

"You do that and you're going to spare yourself a lot of anxiety, chief among them to get out of there quickly, as you will absolve yourself of most regulatory requirements," he said.

The security solutions available today are more flexible than the ones of old, pointed out panel moderator Cimarron Buser, senior vice president of global operations at Apperian.

Take remote wipe, for example. "It's getting a lot more granular. With things like app wrapping and containerization, you can actually wipe the enterprise app and its data; you wouldn't necessarily have to wipe all the baby photos and things like that," he explained.

Documentation is also important to mobile security programs.

"If you're able to document, 'Yes, that device was compromised, and we can validate that the data on that device was encrypted,' then [you've covered] almost all of your state disclosure regulatory requirements, your HIPAA/HITECH and other regulatory requirements," Julian said.

But while employees sometimes prioritize their mobile user experience at the expense of corporate data protection, IT and security teams are occasionally guilty of the opposite: They prioritize the control of all endpoints while sacrificing user experience.

"There's the opposite of risk, of being too locked down," said Bookman. "I think IT people love the idea of virtualization, of locking -- nothing should be on your device -- but the users hate it, because you can't move the mouse, you can't touch things."

On the other hand, some organizations don't even have policies in place. "Certain types of data don't belong on certain types of devices," he cautioned. "It can't be a jailbroken device."

One way to find the happy medium between these approaches, Bookman advised, is to avoid treating mobile apps as systems of record and instead treat them as front ends to your systems. He suggested separating mobile apps into an online component and an offline component, for example.

"We should definitely not be storing personal information. … I don't think we would like to see a lot of customer or patient information just living on the device -- that would not be good practice," he said.

Panelists also stressed that practice -- and education -- makes perfect. "You want to operate on muscle memory when an incident happens," Julian said.

Bookman agreed, stressing the importance of involving other teams, such as HR, in the policy-making and education processes. It's one thing to implement passwords and have the ability to lock down devices, but it is also important to understand why these precautions need to be put into place.

"People who are in risk and information security positions don't understand mobile and the way people use it," Bookman said, adding that there's a gap between how security and IT officers view mobile privacy and security and how users actually want to use their devices.

"These worlds have to come together, and we really have to make it more simple," he said.

Next Steps

Read more on crafting a customized security framework, and check out this #GRCChat recap on why clear data access rules are a prerequisite for mobile security.


What teams are involved in developing your organization's mobile privacy and security policies?
Ensuring the security of our company's mobile policy comes down to a closer partnership formed by several different teams. Our marketing team works to bring in new customers and retain the current customer base we enjoy. Our IT team focuses on maintaining our servers, sites, databases and platform to ensure everything is secure and working properly. And finally, our customer service team works to ensure the needs of all our customers and clients are met.
Hopefully all of them, because if you don't have buy-in from all the employees, all the policies in the world aren't going to help you. Are the policies that the techies in the home office are coming up with going to work for the salespeople on the road? The shipping people? The admins who do work for multiple bosses? You need to make sure you understand what their needs are and what their day-to-day work life includes, or you're not going to think of everything and you may make their lives harder.
There is no doubt the entire organization needs to be involved in developing mobile security and privacy policies; the question is how do you get all of them to work together? The best mobile security/privacy options for IT are not necessarily going to work for marketing, what works for customer PII protection won't necessarily benefit the bottom line, etc. The trick will be to balance mobile security/privacy without hurting the bottom line... not very easy to do.