Forecast 2013: Setting a mobile risk management strategy

If you're CIO at a large enterprise -- or a small one, for that matter -- chances are good that you're seeing a steady rise in the number of employees using smartphones and tablets at work.

The upside of this trend is that people might be more productive if they're using mobile devices they're comfortable with to access corporate data, collaborate with colleagues and communicate with customers. But increased mobility comes with risks.

Smart IT executives are mapping out strategies for managing their organizations' mobile risks and benefits. More than half (52%) of the 334 IT executives who responded to Computerworld's 2013 Forecast survey said they're ramping up mobile risk management efforts, and more than one-third (38%) said they're seeking help from outside providers.

Yet the results also show that many organizations haven't yet adopted a formal mobile device management strategy. Only 46% of the respondents said they have such a plan in place.

Those companies that have launched mobile strategies are getting a handle on the risks. Chicopee Savings Bank in Chicopee, Mass., with seven branches in western Massachusetts, began deploying Windows smartphones about five years ago and has since moved to Android devices.

"We initially deployed these devices to meet the business need of keeping corporate email, contacts and calendaring continually available to a small subset of our executive, sales and support employees -- whether they were in or out of the office," says Darlene Libiszewski, senior vice president of IT.

The bank launched an assessment to identify the risks and benefits of mobile devices. "A formal risk management discipline has always driven where we invest our resources," Libiszewski says.

Confidential information residing on mobile devices was among the security risks. "To minimize the risk effectively, we realized we needed to own the device to implement and manage the controls," she says.

But to minimize the cost of deploying smartphones, the bank is now considering adopting a bring-your-own-device (BYOD) program.

Managing risk is an ongoing process, Libiszewski says. "But I would say that more risk management focus has been placed in the mobile space because it is developing so rapidly and customer adoption is huge -- and face it, this space is the new frontier to be exploited," she adds.

Technology Plays Enforcer

Technology plays a huge role in helping IT manage devices and maintain security. Georgetown Hospital System, a healthcare provider in Georgetown, S.C., relies heavily on systems such as BlackBerry Enterprise Server, Microsoft Exchange Server and mobile device management technology from AirWatch to safeguard mobile devices such as Apple iPads and iPhones, Android smartphones and RIM BlackBerries.

"The phones are primarily used for email and calendar access, and they're used by senior administration, managers and approved employees [who] either travel or work on-call schedules," says CIO Frank Scafidi. Tablets are used mainly by managers and senior administrators, and increasingly by doctors, to access applications.

The AirWatch product, which Georgetown deployed in 2010, enables IT to place restrictions on devices, enforce security policies, remotely secure and wipe devices, and monitor usage, Scafidi says. The organization plans to move BlackBerry users to the AirWatch environment and decommission the BlackBerry server to maintain a unified mobile management environment, Scafidi says.

In addition to deploying security technologies, companies are developing policies on appropriate use of mobile devices. HomeTown Bank in Roanoke, Va., four years ago implemented a customer information security and acceptable use policy that outlines the bank's mobile device strategy. The bank is required by law to have employees review and accept the policy annually, says Michael Wright, vice president and director of IT.

The policy "is designed to educate bank employees on customer information and security awareness," Wright says. "It's kind of a living document" that evolves as mobile technology changes. It also requires that users implement features such as locking mechanisms and encryption for certain types of sensitive information.

Users of devices such as iPads must agree to let the bank remotely reset and wipe data on devices if necessary. Only individuals in the company who require access to corporate email to do their jobs have access to the network via mobile devices, Wright says. All devices that have access to corporate email must have a locking mechanism so that repeated failed attempts to guess a PIN will wipe the device.

Getting Prepared

Looking ahead to 2013, IT executives will continue efforts to use available tools and services to reduce the risk from mobile devices.

"I anticipate BYOD being an area of focus in 2013, and therefore I may seek help with anything from writing the policy to evaluating and implementing solutions for mobile device firewalls, [antivirus tools] and management software," says Libiszewski.

HomeTown Bank plans to use a software-as-a-service mobile device management tool to ensure that devices are being used properly. The software will let the bank define PIN requirements, remove an application from a device remotely or perform a full data wipe if needed, says Wright.
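The controls described for HomeTown Bank above (device lock, wipe after repeated failed PIN attempts, encryption for sensitive data, mail access only for approved staff, remote wipe) can be enforced for any device that syncs corporate mail through an Exchange ActiveSync mailbox policy. This is an added example, not HomeTown Bank's or Georgetown's configuration; it assumes the Exchange Server 2010 management shell, and the policy name, mailbox addresses and thresholds are illustrative placeholders. Remote removal of a single application is an MDM feature, not an ActiveSync one, so it is not shown.

```powershell
# Added example: enforce the article's mobile-device controls for devices that
# sync corporate email via Exchange ActiveSync (EAS). Assumes Exchange 2010
# cmdlets; all names and values below are illustrative placeholders.

# 1. Baseline policy: mandatory PIN, no trivial PINs, auto-lock, local wipe
#    after repeated failed attempts, encryption, and no devices that cannot
#    apply the policy (splatting is used so each setting can carry a comment).
$baseline = @{
    Name                            = "Corp-Mobile-Baseline"
    DevicePasswordEnabled           = $true       # device must have a PIN/passcode
    AllowSimpleDevicePassword       = $false      # reject 1111, 1234 and similar
    MinDevicePasswordLength         = 6
    MaxInactivityTimeDeviceLock     = "00:05:00"  # lock after 5 minutes idle
    MaxDevicePasswordFailedAttempts = 10          # device wipes itself after 10 bad PINs
    RequireDeviceEncryption         = $true       # data at rest on the device is encrypted
    AllowNonProvisionableDevices    = $false      # devices that cannot apply the policy cannot sync
}
New-ActiveSyncMailboxPolicy @baseline

# 2. Least privilege: only staff approved for mobile email get ActiveSync, and
#    they get it under the baseline policy; everyone else has it switched off.
$approved = @("alice@example.com", "bob@example.com")   # constructed placeholder list
foreach ($user in $approved) {
    Set-CASMailbox -Identity $user -ActiveSyncEnabled $true `
        -ActiveSyncMailboxPolicy "Corp-Mobile-Baseline"
}
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $approved -notcontains $_.PrimarySmtpAddress.ToString() } |
    Set-CASMailbox -ActiveSyncEnabled $false

# 3. Verify that each device actually reports the policy as applied before
#    treating it as compliant (a device that never acknowledged the policy
#    has not enforced the PIN or encryption requirements).
Get-ActiveSyncDeviceStatistics -Mailbox "alice@example.com" |
    Select-Object DeviceType, DeviceModel, DeviceId, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastSuccessSync

# 4. Remote wipe of a lost or stolen device, selected by the DeviceId shown
#    in the listing above (placeholder value).
$lostDeviceId = "<DeviceId from the listing above>"
Get-ActiveSyncDevice -Mailbox "alice@example.com" |
    Where-Object { $_.DeviceId -eq $lostDeviceId } |
    Clear-ActiveSyncDevice -Confirm:$false
```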

The bank will also conduct annual refresher training on the minimum requirements for device security and regulatory compliance for employees with devices that access corporate email. In addition, it will provide ongoing education on social engineering techniques, malware avoidance and acceptable use.

Organizations in the coming year will be looking for more management tools to help ensure document security and network security without infringing on employees' privacy or asking them to change their normal patterns of using devices, says Vishal Jain, a mobile services analyst at 451 Research.

"We think mobile security, app management, intelligence and threat detection will be in demand," Jain says.

The risks associated with mobility will only increase as more people bring their own devices to work and threats become more sophisticated. "The biggest threat that enterprises face is the loss or theft of devices containing enterprise data," he says.

It's vital to have a formal mobile risk strategy and include that as a part of information security guidelines, says Jain, noting that "employees are already bringing devices to [the] workplace," essentially creating "unmanaged BYOD programs."
